05-24-2010, 04:31 PM
David Baron

Mail errors or attacks?

I get a zillion of these, every single day, about every 5 minutes or so:

2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
dropped: too many syntax or protocol errors (last command was "MAIL
FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")

I am running exim4 heavy on a Sid box.

Exim shows no stuck messages or such. How can I stop this?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201005241931.12558.d_baron@012.net.il
 
05-24-2010, 06:03 PM
Ron Johnson

Mail errors or attacks?

On 05/24/2010 11:31 AM, David Baron wrote:

> I get a zillion of these, every single day, about every 5 minutes or so:
>
> 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
> dropped: too many syntax or protocol errors (last command was "MAIL
> FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
>
> I am running exim4 heavy on a Sid box.
>
> Exim shows no stuck messages or such. How can I stop this?



Is dovidhalevi in your domain? What about 71.121.223.194?

Incoming mail or outgoing?

--
Dissent is patriotic, remember?


Archive: http://lists.debian.org/4BFABF58.9090806@cox.net
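
An added example, not part of any post in this thread: a small Python parser for the log entry quoted above, which separates the connecting host exim recorded (`[127.0.0.1]`) from the address literal that appears only inside the `MAIL FROM` argument. Every sample line except the first is constructed, and 192.0.2.55 is a documentation address.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches exim mainlog entries of the kind quoted in the thread.
DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP call from '
    r'(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?'
    r'\[(?P<ip>[^\]]+)\](?::\d+)? '
    r'dropped: too many syntax or protocol errors '
    r'\(last command was "(?P<cmd>.*)"\)\s*$')
# IPv4 address literal used as the domain part of an address: user@[a.b.c.d]
LITERAL_RE = re.compile(r'@\[(\d{1,3}(?:\.\d{1,3}){3})\]')

# The entry from the thread, rejoined onto one line as exim writes it.
FROM_THREAD = (
    '2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1] '
    'dropped: too many syntax or protocol errors (last command was '
    '"MAIL FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")')
SAMPLE_LOG = [
    FROM_THREAD,
    FROM_THREAD.replace('15:05:38', '15:10:41'),           # constructed repeat
    '2010-05-24 15:12:03 SMTP call from [192.0.2.55] dropped: too many '
    'syntax or protocol errors (last command was "NOOP")',  # constructed
    '2010-05-24 15:15:00 Start queue run: pid=4242',        # constructed
]

def parse_drop(line):
    """Return the fields of one 'dropped' entry, or None for other lines."""
    m = DROP_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["peer_is_loopback"] = ipaddress.ip_address(rec["ip"]).is_loopback
    except ValueError:
        return None
    lit = LITERAL_RE.search(rec["cmd"])
    rec["sender_literal"] = lit.group(1) if lit else None
    return rec

def summarize(lines):
    """Count drops per connecting IP and collect literals seen in commands."""
    per_peer, literals = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_drop, lines)):
        per_peer[rec["ip"]] += 1
        if rec["sender_literal"]:
            literals[rec["ip"]].add(rec["sender_literal"])
    return per_peer, literals
```

Host-based controls such as an exim host list or an iptables `-s` rule match the connecting address, which is the field reported as `ip` here.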
 
05-24-2010, 06:34 PM
Michelle Konzack

Mail errors or attacks?

Hello David Baron,

On 2010-05-24 19:31:11, you typed out the following:
> I get a zillion of these, every single day, about every 5 minutes or so:
>
> 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
> dropped: too many syntax or protocol errors (last command was "MAIL
> FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> I am running exim4 heavy on a Sid box.
>
> Exim shows no stuck messages or such. How can I stop this?

It is a spammer...

If it is always the same IP, add it to the blacklist.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 
05-25-2010, 03:53 PM
David Baron

Mail errors or attacks?

On Monday 24 May 2010 22:57:12 debian-user-digest-request@lists.debian.org
wrote:
> > I get a zillion of these, every single day, about every 5 minutes or so:
> >
> > 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
> > dropped: too many syntax or protocol errors (last command was "MAIL
> > FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
> >
> > I am running exim4 heavy on a Sid box.
> >
> > Exim shows no stuck messages or such. How can I stop this?
>
> Is dovidhalevi in your domain? What about 71.121.223.194?
>
> Incoming mail or outgoing?

I assume these are incoming from 71.121.223.194, jameswellington000.org.
Or this message somehow is stuck in limbo and being processed over and over
(it is always the same size, for example).

The dovidhalevi is my machine name, localhost.


Archive: http://lists.debian.org/201005251853.55051.d_baron@012.net.il
 
05-25-2010, 03:58 PM
David Baron

Mail errors or attacks?

On Monday 24 May 2010 22:57:12 debian-user-digest-request@lists.debian.org
wrote:
> > I get a zillion of these, every single day, about every 5 minutes or so:
> >
> >
> > 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
> > dropped: too many syntax or protocol errors (last command was "MAIL
> > FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > I am running exim4 heavy on a Sid box.
> >
> >
> >
> > Exim shows no stuck messages or such. How can I stop this?
>
> It is a spammer...
>
> If it is always the same IP, add it to the blacklist

How do I do this obvious task? In exim? I have fail2ban as well but this is
not catching this one.


Archive: http://lists.debian.org/201005251858.06957.d_baron@012.net.il
 
05-25-2010, 05:03 PM
John

Mail errors or attacks?

On 25/05/10, David Baron (d_baron@012.net.il) wrote:
| > > I get a zillion of these, every single day, about every 5 minutes or so:
| > >
| > >
| > > 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
| > > dropped: too many syntax or protocol errors (last command was "MAIL
| > > FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
| >
| > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| >
| > > I am running exim4 heavy on a Sid box.
| > >
| > >
| > >
| > > Exim shows no stuck messages or such. How can I stop this?
| >
| > It is a spammer...
| >
| > If it is always the same IP, add it to the blacklist
|
| How do I do this obvious task? In exim? I have fail2ban as well but this is
| not catching this one.

Have you tried adding

/sbin/iptables -I INPUT -s 71.121.223.194 -j DROP

to /etc/init.d/iptables.rules?

--
JohnRChamplin@columbus.rr.com
====================================================
GPG key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63
 
05-25-2010, 05:20 PM
deloptes

Mail errors or attacks?

David Baron wrote:

>>
>> If it is always the same IP, add it to the blacklist
>
> How do I do this obvious task? In exim? I have fail2ban as well but this
> is not catching this one.

If you are a heavy user, implement amavisd-new (we've been using this in our
company since 2002 with great success - we have Kaspersky commercial,
SpamAssassin and ClamAV configured in amavis and we are training
SpamAssassin once a month - it's just great - paranoid Linux users use
bogofilter - with Bayesian prob.)

Answer to your question:

man exim4-config_files

/etc/exim4/local_host_blacklist
    is an optional file containing a list of IP addresses, networks and
    host names whose messages will be denied with the error message
    "locally blacklisted". This is a full exim 4 host list, and all
    available features can be used. This includes negative items, and so
    it is possible to exclude addresses from being blacklisted. For
    convenience, as an additional method to whitelist addresses from
    being blocked, an explicit whitelist is read in from
    /etc/exim4/local_host_whitelist. Entries in the whitelist override
    corresponding blacklist entries.

regards


Archive: http://lists.debian.org/hth0sv$utn$1@dough.gmane.org
 
05-25-2010, 06:13 PM
David Baron

Mail errors or attacks?

On Tuesday 25 May 2010 20:06:29 debian-user-digest-request@lists.debian.org
wrote:
> | > It is a spammer...
> | >
> | > If it is always the same IP, add it to the blacklist
> |
> |
> |
> | How do I do this obvious task? In exim? I have fail2ban as well but this
> | is not catching this one.
>
> Have you tried adding
>
> /sbin/iptables -I INPUT -s 71.121.223.194 -j DROP
>
> to /etc/init.d/iptables.rules?

I do not have this.
I am (still) using the guarddog (kde3) firewall which sets the iptables rules.
There is no "active" rules set otherwise.

I could make it, but I think that the guarddog would override. I could add
this after the fact, however. I will try it.


Archive: http://lists.debian.org/201005252113.04860.d_baron@012.net.il
 
05-25-2010, 06:27 PM
Pete

Mail errors or attacks?

On 25/05/2010 16:58, David Baron wrote:

> On Monday 24 May 2010 22:57:12 debian-user-digest-request@lists.debian.org
> wrote:
> > > I get a zillion of these, every single day, about every 5 minutes or so:
> > >
> > > 2010-05-24 15:05:38 SMTP call from localhost (dovidhalevi) [127.0.0.1]
> > > dropped: too many syntax or protocol errors (last command was "MAIL
> > > FROM:<jameswellington000.org@[71.121.223.194]> SIZE=8814")
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > I am running exim4 heavy on a Sid box.
> > >
> > > Exim shows no stuck messages or such. How can I stop this?
> >
> > It is a spammer...
> >
> > If it is always the same IP, add it to the blacklist
>
> How do I do this obvious task? In exim? I have fail2ban as well but this is
> not catching this one.


Hello,

You could try this as root :

# cd /etc/exim4
# touch local_host_blacklist
# touch local_host_whitelist
# touch local_sender_blacklist
# touch local_sender_whitelist
# chown root:Debian-exim local_*
# chmod 640 local_*

I've created these files on my Debian Lenny box and they work very well.
For the 'local_host_blacklist' file I add entries such as :


*.spammer.host
xxx.xxx.xxx.x/24
xxx.xxx.xxx.xxx

For the 'local_sender_blacklist' I add entries such as :

*@spammer.example
*@spamoverload.invalid
!crisisofconscience@spamoverload.invalid

In the above example the last entry would be an exception and would not
be blocked. Alternatively I could add that entry to
'local_sender_whitelist' for the same effect.



Also check out this web page for some really in-depth examples of spam
filtering with Exim :


http://www.sput.nl/software/exim.html


When trying out new filters you can use 'warn' instead of 'deny' which
will just add a header to the email message rather than reject it at
SMTP time. The header inserted is the contents of the 'message' line :


warn
  message = X-Spam-Header1: This mail failed on spam test 1.
  .. rest of acl ...


Hope this helps.

Regards,

Pete.

Archive: http://lists.debian.org/4BFC16A3.6030709@nrth.org
 
05-25-2010, 06:38 PM
deloptes

Mail errors or attacks?

David Baron wrote:

>> | How do I do this obvious task? In exim? I have fail2ban as well but
>> | this is not catching this one.

man exim4-config_files

/etc/exim4/local_host_blacklist
    is an optional file containing a list of IP addresses, networks and
    host names whose messages will be denied with the error message
    "locally blacklisted".

and read my other posting

regards


Archive: http://lists.debian.org/hth5e8$hdr$2@dough.gmane.org
 
