Date: Fri, 18 Jul 2003 17:52:04 +0300
From: "Vitali Malicky" <life@zone3000.net>
To: <keith@smmc.qld.edu.au>, "Free bsd " <freebsd-questions@FreeBSD.org>
Subject: Re: Help! Is this an attack or a virus? Qmail on FBSD is flooding
Message-ID: <00a301c34d3c$26fb8460$2401010a@zone3000.net>
References: <2614.10.0.1.109.1058432155.squirrel@localhost.smmc.qld.edu.au> <20030717023103.A4775@njamn8or.no-ip.org> <1057.203.221.19.98.1058444958.squirrel@localhost.smmc.qld.edu.au> <007901c34c61$4dd50290$2401010a@zone3000.net> <3039.10.0.1.109.1058478383.squirrel@localhost.smmc.qld.edu.au>
> G'day Vitali,
> Thanks for your advice, I'll look into it.
> I was thinking about it last night and figured that there must be messages
> in the Q. A quick check showed that one such message was Qd to send a
> couple of jpgs to dozens of CCd addresses!
> That does look like a virus on one of my internal clients... (using their
> address book)
> What say you?
>

why not a virus? if so, then look at the "From:" field. knowing your user
and what machine he/she is working at, localize the machine and clean it,
that's not a problem.

by the way, how do your clients send mail? My clients can't send mail
except to themselves on this very same server until they fetch their mail
from the pop3 server (I use tcpserver, vpopmail supervised by svscan).
Until the users authorize on the pop3 they can't send any mail (dynamic
relaying). As soon as they're authorized they are granted permission for
20 minutes to send mail. In 20 minutes (unless their email clients
automatically poll the pop3 server every 5 or so minutes) the relaying
permission for the client's IP is nulled.

the moral of the fable is: viruses can't make the e-mail client
application poll the pop3 every 5 minutes, nor authorize on pop3, but some
of the "clever" viruses can send mail even if the e-mail client
application is closed (exited from, I mean)... and what if the relay were
closed for the IP where the virus "lives"? if it's open I can

  cat /path/to/vpopmail/etc/open-smtp

  10.1.1.36:allow,RELAYCLIENT="",RBLSMTPD="" 1058539366
  10.1.1.12:allow,RELAYCLIENT="",RBLSMTPD="" 1058539411
  10.1.1.5:allow,RELAYCLIENT="",RBLSMTPD="" 1058539321
  10.1.1.22:allow,RELAYCLIENT="",RBLSMTPD="" 1058538971

and localize all the IPs of the clients who are actively using the mail
server now. without guesswork...

Best regards
Vitali.

--
Error Code=-1 Continue?
Yes | No
--

> Keith
>
> > Hi, dear All!
> >
> > qmail-remote sends mail to remote hosts as long as qmail-local sends
> > local mail (inside the box). how many qmail-remote processes do you have
> > (ps ax|grep qmail-remote|wc -l)? did you try to delete the messages from
> > the queue, if so you should have done it correctly. please, obtain the
> > qmail-remove package (find it on Google), there is an instruction how to
> > delete the queued messages. and see the log file (grep qmail-remote
> > /var/log/maillog | more), as this information is not nuff
> >
> > WBR
> >
> > --
> > Error Code=-1 Continue?
> > Yes | No
> > --
> >
> > ++++ http://www.geocities.com/vitali_malicky
> >
> >
> >> Hi Victor thanks,
> >> I had deleted that one person's account but it still happens!
> >> What is the qmail-remote thing??
> >> Any ideas?
> >> Keith
> >>
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
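As an added example (not part of Vitali's message and not vpopmail's own tooling), a small Python script that parses entries in the format shown above from vpopmail's open-smtp file and reports which client IPs still hold a relay grant under the 20-minute window described, so a flooding source can be narrowed down without guesswork. The sample entries, the reference time and the file path are constructed for the example; the window length is assumed to match the default described in the message.

```python
import re
from dataclasses import dataclass

# Relay window described in the message: vpopmail grants relaying for 20 minutes
# after a successful POP3 login (assumption: the installation uses that default).
RELAY_WINDOW = 20 * 60

# One open-smtp entry: <ip>:<tcprules rule>  <unix timestamp of the POP3 login>
LINE_RE = re.compile(r'^(?P<ip>[\d.]+):(?P<rule>\S+)\s+(?P<ts>\d+)\s*$')


@dataclass
class RelayGrant:
    ip: str
    granted_at: int


def parse_open_smtp(text):
    """Parse open-smtp contents; blank and malformed lines are skipped."""
    grants = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            grants.append(RelayGrant(m.group('ip'), int(m.group('ts'))))
    return grants


def active_relay_clients(grants, now, window=RELAY_WINDOW):
    """IPs whose grant is still inside the window at time `now`, newest first.

    Any IP not returned here could not have relayed through the server at
    `now`, which narrows the search for an infected client.
    """
    live = [g for g in grants if 0 <= now - g.granted_at < window]
    live.sort(key=lambda g: g.granted_at, reverse=True)
    return [g.ip for g in live]


# Constructed sample, modelled on the entries quoted in the message.
SAMPLE = """\
10.1.1.36:allow,RELAYCLIENT="",RBLSMTPD="" 1058539366
10.1.1.12:allow,RELAYCLIENT="",RBLSMTPD="" 1058539411
10.1.1.5:allow,RELAYCLIENT="",RBLSMTPD="" 1058539321
10.1.1.22:allow,RELAYCLIENT="",RBLSMTPD="" 1058538971
"""

if __name__ == "__main__":
    # In practice read /path/to/vpopmail/etc/open-smtp (assumed path) and
    # pass int(time.time()); a fixed reference time is used for the sample.
    for ip in active_relay_clients(parse_open_smtp(SAMPLE), 1058539500):
        print(ip)
```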