12-10-2008, 03:02 PM
James Pifer

pop3 attack

On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
> Thanks to all. For now I've stopped it using iptables. I tried stopping
> it at my router without success, yet another reason to replace it! I
> will also report it to abuse@covad.net.
>

My issues have gotten worse. Apparently over the last few days my ip
address has gotten blacklisted. No idea why. Even though I have a
commercial class cable modem service, my ip is residential because it
comes to my house. But I've been running my mail server for several
years and never had an issue.

I've tried adding these lines to my sendmail.mc and rebuilding it, but
then nothing routes, not even local.

define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl

Now I'm using mailertable and that appears to be working.

I'm not even sure this message will get to this list. Seems like I
haven't received any centos list mail in a while. I have on my other
lists though.

Any help is appreciated.

Thanks,
James

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
12-10-2008, 03:20 PM
Matt

pop3 attack

>> Thanks to all. For now I've stopped it using iptables. I tried stopping
>> it at my router without success, yet another reason to replace it! I
>> will also report it to abuse@covad.net.
>>
>
> My issues have gotten worse. Apparently over the last few days my ip
> address has gotten blacklisted. No idea why. Even though I have a
> commercial class cable modem service, my ip is residential because it
> comes to my house. But I've been running my mail server for several
> years and never had an issue.
>
> I've tried adding these lines to my sendmail.mc and rebuilding it, but
> then nothing routes, not even local.
>
> define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
> MASQUERADE_AS(carolina.rr.com)dnl
> FEATURE(`allmasquerade')dnl
> FEATURE(`masquerade_envelope')dnl
>
> Now I'm using mailertable and that appears to be working.
>
> I'm not even sure this message will get to this list. Seems like I
> haven't received any centos list mail in a while. I have on my other
> lists though.

My guess is they're trying to brute force POP3 passwords so they can use
authenticated SMTP on your server to send SPAM. Common tactic.

What are you using for an MTA? What about webmail?

Matt
 
12-10-2008, 03:48 PM
John Hinton

pop3 attack

Ned Slider wrote:
> Chris Boyd wrote:
>
>> You can keep compromised accounts from logging in via ssh with the
>> "AllowUsers" option in your /etc/ssh/sshd_config file. Add that
>> option followed by a list of user names that you want to be able to
>> log in, ex:
>>
>> # Only let Fred Guru and Joe Admin in, block anyone
>> # else even if they have a valid password.
>> AllowUsers fred joe
>>
>> And you should also set "PermitRootLogin no" while you are in
>> sshd_config.
>>
>> Be sure to do a "service sshd restart" after you change the file, and
>> do a test login _before_ you log out of your current session. Saves
>> cursing and late night drives to remote servers in case sshd barfs
>> somehow :-)
>>
>> --Chris
>>
>>
>
> Nice tip - AllowUsers added to the Wiki page on securing SSH:
>
> http://wiki.centos.org/HowTos/Network/SecuringSSH
>
> Thanks!
>
> Ned
>
>
I don't have many clients that actually need or use ssh. I control it
via hosts.allow and hosts.deny

For instance.

cat hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

sshd : ALL

cat hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

sshd : 192.555.555. : allow
sshd : 192.555.55.555 : allow
sshd : localhost : allow

Of course the IP addresses have been changed to protect the......

In hosts.allow, the first line is an example of opening sshd to any IP
address in that class C. The second line is an example for specific IP
addresses, and the third is for localhost (I don't remember why I needed
to add that, but it was for an internal program).

John Hinton
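The hosts.allow/hosts.deny pair above only works because libwrap evaluates the files in a fixed order: hosts.allow first, then hosts.deny, and a connection that matches neither is permitted. That order is easy to get wrong when a rule lands in the wrong file, so here is a small checker that applies it. This is an added example, not code from the thread or from the tcp_wrappers project; the two rule sets are constructed inline using RFC 5737 documentation addresses in place of the post's deliberately invalid placeholders, and the parser covers only the forms the post uses (ALL, LOCAL, localhost, an exact address, a dotted network prefix such as `192.0.2.`, and net/mask); EXCEPT lists and user@host forms are not handled.

```python
"""Emulate the tcp_wrappers (libwrap) allow/deny decision for one daemon.

Added example: not code from the thread or from tcp_wrappers itself.
Handles 'daemon_list : client_list [: allow|deny]' with client patterns
ALL, LOCAL, localhost, an exact IPv4 address, a dotted network prefix
such as '192.0.2.', or net/mask.  EXCEPT lists are not handled.
"""
import ipaddress

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny
# (RFC 5737 documentation addresses replace the post's placeholders).
HOSTS_ALLOW = """
# whole 192.0.2.0/24 network, one specific host, and localhost
sshd : 192.0.2. : allow
sshd : 198.51.100.7 : allow
sshd : localhost : allow
"""
HOSTS_DENY = """
sshd : ALL
"""


def parse_rules(text):
    """Return a list of (daemons, clients, option) tuples; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip().lower() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, client):
    """Match one client pattern against an address or hostname string."""
    upper = pattern.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":                 # unqualified hostnames only
        return "." not in client
    if pattern.lower() == "localhost":
        return client.lower() in ("localhost", "127.0.0.1", "::1")
    if pattern.endswith("."):            # dotted prefix: '192.0.2.' -> 192.0.2.*
        return client.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 192.0.2.0/255.255.255.0
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == client.lower()


def decide(daemon, client, allow_rules, deny_rules):
    """Apply libwrap's order: hosts.allow first, then hosts.deny, else allow.
    A trailing ': allow' or ': deny' option overrides the file's default."""
    daemon = daemon.lower()
    for rules, verdict in ((allow_rules, "allow"), (deny_rules, "deny")):
        for daemons, clients, option in rules:
            if daemon not in daemons and "all" not in daemons:
                continue
            if any(client_matches(c, client) for c in clients):
                return option if option in ("allow", "deny") else verdict
    return "allow"                       # no rule matched: the connection is permitted


def check(client, daemon="sshd"):
    """Decision for the constructed rule files above."""
    return decide(daemon, client, parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY))


if __name__ == "__main__":
    for c in ("192.0.2.44", "198.51.100.7", "198.51.100.8", "203.0.113.9", "localhost"):
        print(f"{c:>14} -> {check(c)}")
```

Two points the checker makes visible: the dotted-prefix form depends entirely on the trailing dot (`192.0.2.` matches the network, `192.0.2` would be an exact-match string that never matches), and a daemon with no rule in either file is open to everyone, so the `sshd : ALL` line in hosts.deny is what actually closes the door.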
 
12-10-2008, 04:02 PM
John Hinton

pop3 attack

James Pifer wrote:
> On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
>
>> Thanks to all. For now I've stopped it using iptables. I tried stopping
>> it at my router without success, yet another reason to replace it! I
>> will also report it to abuse@covad.net.
>>
>>
>
> My issues have gotten worse. Apparently over the last few days my ip
> address has gotten blacklisted. No idea why. Even though I have a
> commercial class cable modem service, my ip is residential because it
> comes to my house. But I've been running my mail server for several
> years and never had an issue.
>
> I've tried adding these lines to my sendmail.mc and rebuilding it, but
> then nothing routes, not even local.
>
> define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
> MASQUERADE_AS(carolina.rr.com)dnl
> FEATURE(`allmasquerade')dnl
> FEATURE(`masquerade_envelope')dnl
>
> Now I'm using mailertable and that appears to be working.
>
> I'm not even sure this message will get to this list. Seems like I
> haven't received any centos list mail in a while. I have on my other
> lists though.
>
> Any help is appreciated.
>
> Thanks,
> James
>
James,

Are you using bounce instead of reject anywhere on the system? If so,
they can bounce their spam to anyone off of your server... also a common
tactic. Also, things like mailforms on the server with autoresponders
can also be a source of abuse. If they autorespond with the message
input included, it's just a matter of using the email address you want
to spam in that form. If the form doesn't have some good checks and
balances, like Captcha, it's wide open for abuse by bots. Even captcha
needs to be tough as they are using OCR to bust through easy to read
captcha images.

If you are being blacklisted, email is almost certainly coming out of
your server which contains spam. Depending on the lists, it could be
spewing a lot.

You may wish to have postmaster and abuse addresses open on that system
and actually look at them... These are RFCs that should be followed
anyway... as to whether or not you read them...... But I do watch the
postmaster email for 'quantity changes'. If it rises suddenly, somebody
is playing.

Good luck,
John Hinton
 
12-10-2008, 04:12 PM
Frank Cox

pop3 attack

On Wed, 10 Dec 2008 12:02:22 -0500
John Hinton wrote:

> If you are being blacklisted, email is almost certainly coming out of
> your server which contains spam. Depending on the lists, it could be
> spewing a lot.

Not necessarily. I had one helluva time getting my mailserver off of the SORBS
dynamic IP blacklist. Regardless of the fact that it is and has always been on
a static IP address and it returns the word "static" in a reverse lookup, and
it's always lived in a static netblock issued by my ISP, it took me well over a
year of dealing with everyone under the sun (except for the SORBS people
themselves, who appear to be impossible to contact and ignore all help and
support requests sent through their website) to get off of that list.

So SORBS, at least, is a problem and I've lost faith in their blacklist to help
me sort spam from legitimate email.

On the other hand, if the OP's blacklisting has just now started and it wasn't
that way before, then I agree that he likely does have a local problem.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
DRY CLEANER BUSINESS FOR SALE ~ http://www.canadadrycleanerforsale.com
 
12-10-2008, 04:16 PM
Bill Campbell

pop3 attack

On Wed, Dec 10, 2008, James Pifer wrote:
>On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
>> Thanks to all. For now I've stopped it using iptables. I tried stopping
>> it at my router without success, yet another reason to replace it! I
>> will also report it to abuse@covad.net.
>>
>
>My issues have gotten worse. Apparently over the last few days my ip
>address has gotten blacklisted. No idea why. Even though I have a
>commercial class cable modem service, my ip is residential because it
>comes to my house. But I've been running my mail server for several
>years and never had an issue.

Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and
you can probably go to their web site to see why it's listed.

I have seen quite a few cases where spam is sent from webmail
accounts (mostly squirrelmail) by crackers who get access via
weak passwords found by imap/pop probes as you described.

It's been my experience in the 15 years we have been doing
support for regional ISPs that well over 50% of their users'
passwords are easily cracked, and that getting the users to use
good passwords is difficult to say the least.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Never blame a legislative body for not doing something. When they do
nothing, that don't hurt anybody. When they do something is when they
become dangerous. -- Will Rogers
 
12-10-2008, 04:27 PM
Matt

pop3 attack

> I have seen quite a few cases where spam is sent from webmail
> accounts (mostly squirrelmail) by crackers who get access via
> weak passwords found by imap/pop probes as you described.
>
> It's been my experience in the 15 years we have been doing
> support for regional ISPs that well over 50% of their users'
> passwords are easily cracked, and that getting the users to use
> good passwords is difficult to say the least.

Seen that too. Spammers must send out millions of messages to make
any money. One good solution is ratelimiting at the MTA. Exim allows
you to set up limits on the number of recipients a given IP can send
messages to in a given time period. Squirrelmail has a plugin that
does the same. That way if they break into an account but can only
send a few hundred messages a day it's not worth their time. Less
likely to get the server blacklisted as well. It's also good to
configure Squirrelmail not to allow them to alter the return email
address on the Squirrelmail account.

Matt
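The rate limit Matt describes caps how much damage one cracked mailbox can do; the same sliding-window count, run over the MTA's log, is also how a defender notices the account that has already been taken over. The script below is an added example, not code from the thread, from Exim or from SquirrelMail: it keeps a per-user recipient count over a one-hour window and reports the first message that pushed a user past the limit. The log format (`<ISO timestamp> user=<id> rcpts=<n>` per accepted message) and the sample lines are constructed for the example; `parse_line()` is the only part that has to change for a real MTA log.

```python
"""Sliding-window recipient rate check over authenticated-sender log lines.

Added example: not code from the thread or from Exim/SquirrelMail.  The
log format is constructed ('<ISO timestamp> user=<id> rcpts=<n>' for each
accepted message); adapt parse_line() to your MTA's real log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 'bob' starts sending to many recipients at 15:10.
SAMPLE_LOG = """\
2008-12-10T15:00:05 user=alice rcpts=2
2008-12-10T15:03:10 user=bob rcpts=1
2008-12-10T15:04:00 user=alice rcpts=3
2008-12-10T15:10:30 user=bob rcpts=40
2008-12-10T15:11:02 user=bob rcpts=45
2008-12-10T15:12:40 user=bob rcpts=30
2008-12-10T16:20:00 user=bob rcpts=5
"""

LIMIT = 100                  # recipients per window per authenticated user
WINDOW = timedelta(hours=1)


def parse_line(line):
    """'2008-12-10T15:00:05 user=alice rcpts=2' -> (datetime, 'alice', 2)."""
    ts, user, rcpts = line.split()
    return (datetime.fromisoformat(ts),
            user.split("=", 1)[1],
            int(rcpts.split("=", 1)[1]))


class RecipientWindow:
    """Per-user sliding-window recipient counter (ages entries out lazily,
    whenever that user sends again)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.recent = defaultdict(deque)   # user -> deque of (timestamp, rcpts)
        self.totals = defaultdict(int)     # user -> recipients inside the window

    def add(self, ts, user, rcpts):
        """Record one message and return the user's count inside the window."""
        q = self.recent[user]
        q.append((ts, rcpts))
        self.totals[user] += rcpts
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.totals[user] -= old
        return self.totals[user]


def find_offenders(log_text, limit=LIMIT, window=WINDOW):
    """Scan the log in order.  Returns (offenders, totals) where offenders maps
    user -> (timestamp, count) for the first message that exceeded `limit`, and
    totals holds each user's count as of that user's last message."""
    tracker = RecipientWindow(window)
    offenders = {}
    for line in log_text.splitlines():
        ts, user, rcpts = parse_line(line)
        count = tracker.add(ts, user, rcpts)
        if count > limit and user not in offenders:
            offenders[user] = (ts, count)
    return offenders, tracker.totals


if __name__ == "__main__":
    offenders, totals = find_offenders(SAMPLE_LOG)
    for user, (ts, count) in offenders.items():
        print(f"{user}: {count} recipients in {WINDOW} as of {ts.isoformat()}")
```

In the MTA itself the same control is Exim's ACL `ratelimit` condition (for example `ratelimit = 100 / 1h / per_rcpt / $authenticated_id` in the RCPT ACL, keyed on the authenticated user rather than the client IP, since a cracked webmail account sends from the server's own address); the script is the log-side counterpart for confirming which account tripped it and when.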
 
12-10-2008, 04:40 PM
Ned Slider

pop3 attack

Bill Campbell wrote:
> On Wed, Dec 10, 2008, James Pifer wrote:
>> My issues have gotten worse. Apparently over the last few days my ip
>> address has gotten blacklisted. No idea why. Even though I have a
>> commercial class cable modem service, my ip is residential because it
>> comes to my house. But I've been running my mail server for several
>> years and never had an issue.
>
> Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and
> you can probably go to their web site to see why it's listed.
>

It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which
is a policy blocklist:

http://www.spamhaus.org/pbl/query/PBL238253

Time Warner Cable/Road Runner's policy is not to permit outbound email
for this IP address range.

There is no indication your server has been compromised or abused, just
that Time Warner Cable/Road Runner have decided you shouldn't be running
a mail server on that IP address range.

Spamhaus.org is a hugely popular list so this is going to be a big
problem for you.

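Ned's diagnosis rests on the distinction between the ZEN components: a PBL hit is a provider policy, while SBL and XBL hits mean the address itself has been seen sending spam or is compromised. The ZEN answer encodes which component matched in the returned A record, so the check can be automated. The script below is an added example, not code from the thread or from Spamhaus: it builds the reverse-octet query name for an IPv4 address, decodes the return codes Spamhaus documents for ZEN, and flags a listing as policy-only when every code is PBL. A constructed fake resolver returns the thread's address as PBL-only so the example runs offline; `live_resolver` does the real DNS lookup.

```python
"""Build and interpret a Spamhaus ZEN DNSBL lookup for one IPv4 address.

Added example: not code from the thread or from Spamhaus.  Shows the
reverse-octet query name and decodes the documented ZEN return codes so a
PBL-only listing (provider policy) can be told apart from SBL/XBL listings
that do indicate abuse.  FAKE_ANSWERS is constructed so the example runs
offline; live_resolver() performs a real query through the system resolver.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Return codes documented by Spamhaus for ZEN (A records in 127.0.0.0/8).
ZEN_CODES = {
    "127.0.0.2": "SBL",        # Spamhaus Block List: verified spam sources
    "127.0.0.3": "SBL",        # SBL CSS component
    "127.0.0.4": "XBL",        # exploits / compromised hosts (CBL data)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",       # policy block list, ISP-maintained
    "127.0.0.11": "PBL",       # policy block list, Spamhaus-maintained
}
POLICY_CODES = {"127.0.0.10", "127.0.0.11"}


def dnsbl_name(ip, zone=ZEN_ZONE):
    """'70.62.90.185' -> '185.90.62.70.zen.spamhaus.org'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map returned A records to component lists; [] means not listed (NXDOMAIN)."""
    lists = []
    for a in answers:
        if a in ZEN_CODES:
            lists.append(ZEN_CODES[a])
        elif a.startswith("127.255.255."):
            lists.append("ERROR")   # query refused, e.g. sent via a public open resolver
        else:
            lists.append(f"UNKNOWN({a})")
    return lists


def policy_only(answers):
    """True when every code is PBL: a provider policy, not evidence of abuse."""
    return bool(answers) and set(answers) <= POLICY_CODES


def live_resolver(name):
    """Resolve through the system resolver; NXDOMAIN -> []."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def lookup(ip, resolver=live_resolver):
    """Return (query name, component lists, policy_only flag) for one address."""
    name = dnsbl_name(ip)
    answers = resolver(name)
    return name, classify(answers), policy_only(answers)


# Constructed responses for offline use: the thread's address as PBL-only;
# anything else answers as unlisted.
FAKE_ANSWERS = {dnsbl_name("70.62.90.185"): ["127.0.0.10"]}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("70.62.90.185", "192.0.2.1"):
        name, lists, policy = lookup(ip, fake_resolver)
        print(f"{ip}: {name} -> {lists or 'not listed'} policy_only={policy}")
```

One caveat for real queries: Spamhaus answers with 127.255.255.x codes instead of listing data when the query arrives through a heavily shared public resolver, so run this against a local caching resolver; the `ERROR` branch exists so that condition is not misread as "not listed".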
 
12-10-2008, 04:49 PM
John R Pierce

pop3 attack

Ned Slider wrote:
> Bill Campbell wrote:
>
>> Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and
>> you can probably go to their web site to see why it's listed.
>>
>
> It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which
> is a policy blocklist:
>
> http://www.spamhaus.org/pbl/query/PBL238253
>
> Time Warner Cable/Road Runner's policy is not to permit outbound email
> for this IP address range.
>

So, using a Road Runner mail server as a "smarthost" is the only viable
choice.


 
12-10-2008, 05:05 PM
Bill Campbell

pop3 attack

On Wed, Dec 10, 2008, John R Pierce wrote:
>Ned Slider wrote:
>> Bill Campbell wrote:
>>
>>> Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and
>>> you can probably go to their web site to see why it's listed.
>>>
>>
>> It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which
>> is a policy blocklist:
>>
>> http://www.spamhaus.org/pbl/query/PBL238253
>>
>> Time Warner Cable/Road Runner's policy is not to permit outbound email
>> for this IP address range.
>
>so, using a roadrunner mail server as a "smarthost" is the only viable
>choice

Or some other server where they are willing to whitelist that
address. We do this for several of our customers who are on
networks that have delivery problems of one kind or another,
usually on a port other than 25 to get around outgoing blocks or
automatic redirection to a broadband provider's server.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Currencies do not float, they sink at different rates.
 