I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
How worried should I be about this? Any suggestions for dealing with it?
Thanks, James
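An added example (not from the thread) of what a defender can do with exactly these log lines: parse Dovecot's "Aborted login" format, group failures by remote address, and flag any source that fails more than a threshold number of times inside a sliding time window. The first five sample lines are the ones from the post; the sixth is a constructed single failure from a LAN host, included to show that an isolated typo is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a Dovecot login failure as it appears in the maillog above: syslog
# timestamp, host, "dovecot: <svc>-login: Aborted login: user=<...>, method=...,
# rip=<remote ip>, lip=<local ip>".  Dovecot writes IPv4 peers as IPv4-mapped IPv6.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: Aborted login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>\S+)"
)

# Five lines from the post, plus one constructed benign failure (rip 192.168.1.50).
SAMPLE_LOG = [
    "Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2",
    "Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2",
    "Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2",
    "Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2",
    "Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2",
    "Dec 9 15:30:02 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2",
]


def strip_v4mapped(addr):
    """Normalise '::ffff:a.b.c.d' to 'a.b.c.d'; leave real IPv6 addresses alone."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def parse_line(line, year=2008):
    """Return a dict for one Dovecot failure line, or None if the line is something else.

    Syslog timestamps carry no year, so the caller supplies it (the thread is from 2008).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's "Dec  9" day padding
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "service": m["svc"],
        "user": m["user"],
        "rip": strip_v4mapped(m["rip"]),
    }


def find_bruteforce(lines, max_failures=5, window_seconds=300):
    """Map remote IP -> summary for every source with >= max_failures failed logins
    inside any window_seconds-long interval (sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev["rip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window is no wider than allowed
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                alerts[ip] = {
                    "failures": len(evs),
                    "users": sorted({e["user"] for e in evs}),  # breadth of user guessing
                    "first": evs[0]["ts"],
                    "last": evs[-1]["ts"],
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, {len(info['users'])} usernames, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

Point it at a real file with `find_bruteforce(open("/var/log/maillog"))`; the alert dict is what you would feed into a firewall rule or an abuse report.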
On Tue, Dec 09, 2008, James Pifer wrote:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
How worried should I be about this? Any suggestions for dealing with it?
If your users all have good passwords, it isn't much to worry about, but then users having good passwords is not all that common.
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities thus gaining access to the system.
Setting all users shells to /bin/false where they don't need to have shell access helps towards securing the systems, although this may not be sufficient (I saw a system where /bin/false had been replaced with /bin/bash).
You should also notify abuse@covad.com about these attempts from their network, sending them the log entries with your local time zone so they may be able to figure out which of their users was doing this.
Bill
Bill Campbell wrote:
On Tue, Dec 09, 2008, James Pifer wrote:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
How worried should I be about this? Any suggestions for dealing with it?
If your users all have good passwords, it isn't much to worry about, but then users having good passwords is not all that common.
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities thus gaining access to the system.
I saw a similar thing attacking smtp-auth (SASL) recently. The moral being that any service that authenticates with a username/password is open to brute forcing attacks - it's not just ssh we need worry about.
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user- level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities thus gaining access to the system.
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in sshd_config.
Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)
--Chris
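An added example, not Chris's code or the wiki's, that applies the settings from this post and Bill's reply (AllowUsers, PermitRootLogin no, key-only authentication) to an sshd_config text idempotently, keeps them above any Match block so they stay global, and then lets `sshd -t` validate the candidate file before anything is restarted. The sample configuration in the test is constructed; `harden_sshd_config` and `check_with_sshd` are names chosen here.

```python
import subprocess
import sys
import tempfile

# Global settings we want in force.  AllowUsers is added from the caller's list.
HARDENING = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def _keyword(line):
    """(keyword in lower case, was the line commented out) for one sshd_config line.

    Leading '#' is ignored so that a commented default such as '#PermitRootLogin yes'
    is found and replaced in place rather than left beside a new active line.
    """
    body = line.strip()
    commented = body.startswith("#")
    body = body.lstrip("#").strip()
    if not body:
        return None, commented
    return body.split(None, 1)[0].lower(), commented


def harden_sshd_config(text, allow_users):
    """Return new config text with HARDENING plus 'AllowUsers <names>' set exactly once.

    sshd uses the first value it sees for a keyword, and anything after a 'Match' line
    belongs to that block only, so every setting we add must appear before the first
    Match block; later active duplicates are commented out to avoid confusion.
    """
    wanted = dict(HARDENING)
    wanted["AllowUsers"] = " ".join(allow_users)
    canon = {k.lower(): k for k in wanted}       # keywords are case-insensitive
    out, done, in_match = [], set(), False

    def emit_missing():
        for k in wanted:
            if k.lower() not in done:
                out.append(f"{k} {wanted[k]}")
                done.add(k.lower())

    for line in text.splitlines():
        kw, commented = _keyword(line)
        if kw == "match" and not commented:
            emit_missing()                       # last chance to stay global
            in_match = True
        if not in_match and kw in canon:
            if kw not in done:
                out.append(f"{canon[kw]} {wanted[canon[kw]]}")
                done.add(kw)
                continue
            if not commented:
                out.append("# " + line.strip() + "   # superseded by hardened setting above")
                continue
        out.append(line)
    emit_missing()
    return "\n".join(out) + "\n"


def check_with_sshd(path):
    """Run 'sshd -t -f <path>' (usually needs root to read host keys); (ok, stderr)."""
    r = subprocess.run(["sshd", "-t", "-f", path], capture_output=True, text=True)
    return r.returncode == 0, r.stderr.strip()


if __name__ == "__main__":
    # usage: harden.py user1 [user2 ...]  -> writes a candidate file and validates it
    with open("/etc/ssh/sshd_config") as f:
        new_text = harden_sshd_config(f.read(), sys.argv[1:])
    with tempfile.NamedTemporaryFile("w", suffix=".sshd_config", delete=False) as tmp:
        tmp.write(new_text)
    ok, err = check_with_sshd(tmp.name)
    print(f"candidate written to {tmp.name}: {'valid' if ok else 'INVALID'} {err}")
```

Only copy the candidate over /etc/ssh/sshd_config once `sshd -t` is clean, and keep Chris's rule of opening a second session to test before you close the one you are in.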
On Tue, Dec 09, 2008, Chris Boyd wrote:
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user- level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities thus gaining access to the system.
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
By the time you know the user has been compromised, it's too late.
We normally don't allow password authentication with ssh, requiring authorized_keys. In the cases where we have to allow password authentication, we severely restrict ssh access using the /etc/hosts.allow file.
Bill
Chris Boyd wrote:
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in sshd_config.
Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)
--Chris
Nice tip - AllowUsers added to the Wiki page on securing SSH:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Thanks!
Ned
Ned Slider wrote:
Chris Boyd wrote:
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in sshd_config.
Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)
--Chris
Nice tip - AllowUsers added to the Wiki page on securing SSH:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Thanks!
Ned
I don't have many clients that actually need or use ssh. I control it via hosts.allow and hosts.deny.
For instance.
cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

sshd : ALL

cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd : 192.555.555. : allow
sshd : 192.555.55.555 : allow
sshd : localhost : allow
Of course the IP addresses have been changed to protect the......
In hosts.allow, the first line is an example of opening sshd to any IP address in that class C. The second line is an example for specific IP addresses, and the third is for localhost (I don't remember why I needed to add that, but it was for an internal program).
John Hinton
On Tue, Dec 9, 2008 at 2:17 PM, James Pifer jep@obrien-pifer.com wrote:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
How worried should I be about this? Any suggestions for dealing with it?
From the log snippet, it does not appear to be a distributed attack.
Block 66.167.184.203 at the router
On Tue, Dec 9, 2008 at 3:17 PM, James Pifer jep@obrien-pifer.com wrote:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
<snip>
About 5 or 6 years ago, I couldn't access my POP3 mail on my web site. When I contacted OLM Tech Support, they discovered that someone was trying to access the POP3, every second......
How worried should I be about this? Any suggestions for dealing with it?
I'm not sure how they eliminated the problem. Hopefully, a much more knowledgeable person here will respond to you.
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
Thanks, James
On Tue, Dec 9, 2008 at 4:26 PM, James Pifer jep@obrien-pifer.com wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
Great. Scott can tell you whether or not if you switch to IPCop as your Firewall/Router, that would stop it. As I recall, IPCop considers things originating within your LAN OK, and things from outside as suspicious.
IPCop won't stop it. It will let you put a firewall rule in to block them, but you can do that with regular iptables.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Lanny Marcus
Sent: Tuesday, December 09, 2008 6:12 PM
To: CentOS mailing list
Subject: Re: [CentOS] pop3 attack
On Tue, Dec 9, 2008 at 4:26 PM, James Pifer jep@obrien-pifer.com wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
Great. Scott can tell you whether or not if you switch to IPCop as your Firewall/Router, that would stop it. As I recall, IPCop considers things originating within your LAN OK, and things from outside as suspicious.
on 12-9-2008 3:11 PM Lanny Marcus spake the following:
On Tue, Dec 9, 2008 at 4:26 PM, James Pifer jep-2I/IFv/jpUMre736sURT7g@public.gmane.org wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
Great. Scott can tell you whether or not if you switch to IPCop as your Firewall/Router, that would stop it. As I recall, IPCop considers things originating within your LAN OK, and things from outside as suspicious.
I don't run my servers through IPCop. It is just for internet access and office to office tunnels. It is a lot easier to set up and do things than the Siemens T1 router I am stuck with at the demark. Its firewall language seems just different enough to give me fits when I use it. And I don't hose everything with one fat-fingered typo.
On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva ssilva@sgvwater.com wrote:
on 12-9-2008 3:11 PM Lanny Marcus spake the following:
<snip>
I don't run my servers through IPCop. It is just for internet access and office to office tunnels. It is a lot easier to set up and do things than the Siemens T1 router I am stuck with at the demark. Its firewall language seems just different enough to give me fits when I use it. And I don't hose everything with one fat-fingered typo.
And the folks who wrote the Proprietary Language for your T1 Router thought that it was perfect. :-)
on 12-9-2008 4:06 PM Lanny Marcus spake the following:
On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva ssilva-m4n3GYAQT2lWk0Htik3J/w@public.gmane.org wrote:
on 12-9-2008 3:11 PM Lanny Marcus spake the following:
<snip>
I don't run my servers through IPCop. It is just for internet access and office to office tunnels. It is a lot easier to set up and do things than the Siemens T1 router I am stuck with at the demark. Its firewall language seems just different enough to give me fits when I use it. And I don't hose everything with one fat-fingered typo.
And the folks who wrote the Proprietary Language for your T1 Router thought that it was perfect. :-)
I think they thought it was perfect for their bottom line so they could sell support. Either way, it works so corporate won't replace it. And with the economic slowdown the way it is, it is one battle I'm not going to fight right now.
On Tue, Dec 9, 2008 at 7:17 PM, Scott Silva ssilva@sgvwater.com wrote:
on 12-9-2008 4:06 PM Lanny Marcus spake the following:
On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva ssilva-m4n3GYAQT2lWk0Htik3J/w@public.gmane.org wrote:
on 12-9-2008 3:11 PM Lanny Marcus spake the following:
<snip>
And the folks who wrote the Proprietary Language for your T1 Router thought that it was perfect. :-)
I think they thought it was perfect for their bottom line so they could sell support.
If it is not user friendly, they sell more support to the end users and make more $.
Either way, it works so corporate won't replace it.
If it ain't broke, don't fix it.
And with the economic slowdown the way it is, it is one battle I'm not going to fight right now.
Amen...
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
I've tried adding these lines to my sendmail.mc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
Now I'm using mailertable and that appears to be working.
I'm not even sure this message will get to this list. Seems like I haven't received any centos list mail in a while. I have on my other lists though.
Any help is appreciated.
Thanks, James
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
I've tried adding these lines to my sendmail.mc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
Now I'm using mailertable and that appears to be working.
I'm not even sure this message will get to this list. Seems like I haven't received any centos list mail in a while. I have on my other lists though.
My guess is they're trying to brute force POP3 passwords so they can use authenticated SMTP on your server to send SPAM. Common tactic.
What are you using for a MTA? What about webmail?
Matt
James Pifer wrote:
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
I've tried adding these lines to my sendmail.mc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
Now I'm using mailertable and that appears to be working.
I'm not even sure this message will get to this list. Seems like I haven't received any centos list mail in a while. I have on my other lists though.
Any help is appreciated.
Thanks, James
James,
Are you using bounce instead of reject anywhere on the system? If so, they can bounce their spam to anyone off of your server... also a common tactic. Also, things like mailforms on the server with autoresponders can also be a source of abuse. If they autorespond with the message input included, it's just a matter of using the email address you want to spam in that form. If the form doesn't have some good checks and balances, like Captcha, it's wide open for abuse by bots. Even captcha needs to be tough as they are using OCR to bust through easy to read captcha images.
If you are being blacklisted, email is almost certainly coming out of your server which contains spam. Depending on the lists, it could be spewing a lot.
You may wish to have postmaster and abuse addresses open on that system and actually look at them... These are RFCs that should be followed anyway... as to whether or not you read them...... But I do watch the postmaster email for 'quantity changes'. If it rises suddenly, somebody is playing.
Good luck, John Hinton
On Wed, 10 Dec 2008 12:02:22 -0500 John Hinton wrote:
If you are being blacklisted, email is almost certainly coming out of your server which contains spam. Depending on the lists, it could be spewing a lot.
Not necessarily. I had one helluva time getting my mailserver off of the SORBS dynamic IP blacklist. Regardless of the fact that it is and has always been on a static IP address and it returns the word "static" in a reverse lookup, and it's always lived in a static netblock issued by my ISP, it took me well over a year of dealing with everyone under the sun (except for the SORBS people themselves, who appear to be impossible to contact and ignore all help and support requests sent through their website) to get off of that list.
So SORBS, at least, is a problem and I've lost faith in their blacklist to help me sort spam from legitimate email.
On the other hand, if the OP's blacklisting has just now started and it wasn't that way before, then I agree that he likely does have a local problem.
On Wed, Dec 10, 2008, James Pifer wrote:
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
I have seen quite a few cases where spam is sent from webmail accounts (mostly squirrelmail) by crackers who get access via weak passwords found by imap/pop probes as you described.
It's been my experience in the 15 years we have been doing support for regional ISPs that well over 50% of their users' passwords are easily cracked, and that getting the users to use good passwords is difficult to say the least.
Bill
I have seen quite a few cases where spam is sent from webmail accounts (mostly squirrelmail) by crackers who get access via weak passwords found by imap/pop probes as you described.
It's been my experience in the 15 years we have been doing support for regional ISPs that well over 50% of their users' passwords are easily cracked, and that getting the users to use good passwords is difficult to say the least.
Seen that too. Spammers must send out millions of messages to make any money. One good solution is rate limiting at the MTA. Exim allows you to set up limits on the number of recipients a given IP can send messages to in a given time period. Squirrelmail has a plugin that does the same. That way if they break in to an account but can only send a few hundred messages a day it's not worth their time. Less likely to get the server blacklisted as well. It's also good to configure Squirrelmail not to allow them to alter the return email address on the Squirrelmail account.
Matt
Bill Campbell wrote:
On Wed, Dec 10, 2008, James Pifer wrote:
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which is a policy blocklist:
http://www.spamhaus.org/pbl/query/PBL238253
Time Warner Cable/Road Runner's policy is not to permit outbound email for this IP address range.
There is no indication your server has been compromised or abused, just that Time Warner Cable/Road Runner have decided you shouldn't be running a mail server on that IP address range.
Spamhaus.org is a hugely popular list so this is going to be a big problem for you.
Ned Slider wrote:
Bill Campbell wrote:
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which is a policy blocklist:
http://www.spamhaus.org/pbl/query/PBL238253
Time Warner Cable/Road Runner's policy is not to permit outbound email for this IP address range.
so, using a roadrunner mail server as a "smarthost" is the only viable choice
On Wed, Dec 10, 2008, John R Pierce wrote:
Ned Slider wrote:
Bill Campbell wrote:
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which is a policy blocklist:
http://www.spamhaus.org/pbl/query/PBL238253
Time Warner Cable/Road Runner's policy is not to permit outbound email for this IP address range.
so, using a roadrunner mail server as a "smarthost" is the only viable choice
Or some other server where they are willing to whitelist that address. We do this for several of our customers who are on networks that have delivery problems of one kind or another, usually on a port other that 25 to get around outgoing blocks or automatic redirection to a broadband provider's server.
Bill
so, using a roadrunner mail server as a "smarthost" is the only viable choice
I looked at it too. On PBL. So it's possible that Time Warner just recently updated the list or something?
Anyway, I tried setting up smarthost and was not able to get it to work, but I was successful setting up mailertable for .com, .net, and .org so these are being relayed through time warner's mail server. That should cover most of it.
I'm watching my maillog today and I don't see anything out of the ordinary.
James
James Pifer wrote on Wed, 10 Dec 2008 13:26:53 -0500:
Anyway, I tried setting up smarthost and was not able to get it to work,
You should then contact their support. It got to work.
Kai
On Wed, Dec 10, 2008 at 12:40 PM, Ned Slider ned@unixmail.co.uk wrote:
Bill Campbell wrote:
<snip>
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
It's listed on zen.spamhaus.org because it's in pbl.spamhaus.org which is a policy blocklist:
http://www.spamhaus.org/pbl/query/PBL238253
Time Warner Cable/Road Runner's policy is not to permit outbound email for this IP address range.
There is no indication your server has been compromised or abused, just that Time Warner Cable/Road Runner have decided you shouldn't be running a mail server on that IP address range.
Spamhaus.org is a hugely popular list so this is going to be a big problem for you.
Spamhaus for sure is hugely popular. My web hosting ISP (OLM in CT) started using it and I was having problems using SMTP, because the dynamic IPs we were getting from our local ISP were frequently listed on Spamhaus. I gave up and began using Gmail. No problems sending email now. :-)
Bill Campbell wrote on Wed, 10 Dec 2008 09:16:58 -0800:
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
Well, it's not his fault:
http://www.spamhaus.org/pbl/query/PBL238253
Roadrunner is not meant for mailservers. I have been blocking them already for years.
Kai
on 12-10-2008 9:16 AM Bill Campbell spake the following:
On Wed, Dec 10, 2008, James Pifer wrote:
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and you can probably go to their web site to see why it's listed.
This address is on the PBL because Time Warner says it shouldn't be sending e-mail. He will have to use roadrunner's smarthost, and see if they allow it. If they consider it a residential account, their AUP probably bans running any servers anyway, so he will have to deal with them.
on 12-10-2008 8:02 AM James Pifer spake the following:
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
I've tried adding these lines to my sendmail.mc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
Now I'm using mailertable and that appears to be working.
I'm not even sure this message will get to this list. Seems like I haven't received any centos list mail in a while. I have on my other lists though.
Any help is appreciated.
Thanks, James
I think all the masquerade options are causing your problems. Just set the proper smarthost and restore the other options to what they were and then test.
Scott Silva wrote:
on 12-10-2008 8:02 AM James Pifer spake the following:
On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
Thanks to all. For now I've stopped it using iptables. I tried stopping it at my router without success, yet another reason to replace it! I will also report it to abuse@covad.net.
My issues have gotten worse. Apparently over the last few days my ip address has gotten blacklisted. No idea why. Even though I have a commercial class cable modem service, my ip is residential because it comes to my house. But I've been running my mail server for several years and never had an issue.
I've tried adding these lines to my sendmail.mc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
Now I'm using mailertable and that appears to be working.
I'm not even sure this message will get to this list. Seems like I haven't received any centos list mail in a while. I have on my other lists though.
Any help is appreciated.
Thanks, James
I think all the masquerade options are causing your problems. Just set the proper smarthost and restore the other options to what they were and then test.
Or switch to postfix. I plunked "relayhost = smtp-server.roadrunner.com" into main.cf & away it went.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
Or switch to postfix. I plunked "relayhost = smtp-server.roadrunner.com" into main.cf & away it went.
why change software just because one configuration line is different?
why change software just because one configuration line is different?
Main point was the RR relay host works.
So your solution is to change software?
Wouldn't it be smarter to figure out what the problem actually is? Because as you say, the RR host doesn't appear to be the problem. So if he changed software, what are the chances that his problem will still exist? Pretty high I imagine.
Even if it turns out the RR host *is* the problem, what would he achieve in changing software?
Let me do the math: zero, multiplied by zero, carry the zero...
Spiro Harvey wrote on Thu, 11 Dec 2008 11:33:24 +1300:
Let me do the math: zero, multiplied by zero, carry the zero...
It's simpler for non-experts to change the postfix configuration than to change the sendmail configuration. So, why shouldn't he not suggest it?
Kai
on 12-10-2008 4:32 PM Kai Schaetzl spake the following:
It's simpler for non-experts to change the postfix configuration than to change the sendmail configuration. So, why shouldn't he not suggest it?
But not simple for a non-expert to completely change MTA's, and learn new from scratch.
It's simpler for non-experts to change the postfix configuration than to change the sendmail configuration. So, why shouldn't he not suggest it?
because it's stupid, lazy advice.
1: it's easy for non-experts to edit the sendmail configuration too... as long as they're editing the mc file, not the cf.
2: changing software doesn't help solve the problem.
3: what if he has a bunch of milters or related programs that rely on sendmail? are they all available for postfix? what needs to be changed to match his current environment? have you thought about that? has anyone asked James that before recommending he changes his software?
Spiro Harvey wrote:
It's simpler for non-experts to change the postfix configuration than to change the sendmail configuration. So, why shouldn't he not suggest it?
because it's stupid, lazy advice.
Will it not work? Will it make someone's brain rot and fall out? Could one switch to postfix and still remain a civil person?
Would you be able to imagine the words "If you're tired of sendmail . . " at the beginning of my first post as perhaps an alternate theory to my intent?
Spiro Harvey wrote on Thu, 11 Dec 2008 13:56:04 +1300:
3: what if he has a bunch of milters or related programs that rely on sendmail? are they all available for postfix? what needs to be changed to match his current environment? have you thought about that? has anyone asked James that before recommending he changes his software?
He should know about his system. It was valid advice by Toby and the OP can use it or not. He's possibly got a brain. Apparently you think he doesn't. There was no need to react so snappily.
Kai
On Wed, Dec 10, 2008 at 4:32 PM, Kai Schaetzl maillists@conactive.com wrote:
It's simpler for non-experts to change the postfix configuration than to change the sendmail configuration. So, why shouldn't he not suggest it?
According to my reading of this, you're asking, "Why should he suggest it?"
Is this not the opposite of what you meant? (Rhetorical - I think we understood you anyway.... :-)
mhr
On Thu, Dec 11, 2008, Spiro Harvey wrote:
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
Or switch to postfix. I plunked "relayhost = smtp-server.roadrunner.com" into main.cf & away it went.
why change software just because one configuration line is different?
I've spent almost 20 years avoiding sendmail :-).
Bill
I think all the masquerade options are causing your problems. Just set the proper smarthost and restore the other options to what they were and then test.
Scott,
Thanks, removing the masquerade options did fix it. I'm back to using smarthost instead of mailertable. Thanks.
Also, thanks to everyone that responded.
James
on 12-11-2008 4:43 AM James Pifer spake the following:
The masquerading options are for a different purpose. I'm glad you got it sorted out.
I added a solved tag for posterity.
The masquerading options are for a different purpose. I'm glad you got it sorted out.
Although I'm able to send mail to most people without a problem using smarthost, I still have a few that bounce back with errors like: Your message was rejected by mail.lance.com for the following reason:
Service unavailable; Client host [cdptpa-omtalb.mail.rr.com] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=70.62.90.185
I'm using the smarthost server that I should be using according to the information: define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
Although I'm in a residential IP range, my connection is Business Class, so sending smtp mail is not restricted (at least contractually).
Why would I still have this problem if I'm using smarthost? Is there a way to resolve it?
Thanks, James
James Pifer wrote:
The problem has nothing to do with the Smart host server entry.
Read the information in the URL above and contact your ISP.
At 02:05 PM 3/13/2009, you wrote:
Adding to that, Your ISP has a lot of zombied, sick clients on it. I find it hard to believe the number of zombied computers on the RoadRunner network trying to hit my mail server. Your upstream ISP server is letting a lot of junk through by lack of control by your ISP. Now, they've been black listed by spamhaus.org for that content.
Unfortunately you chose a bad ISP. Complain to them and/or threaten to take your business elsewhere, but their problem is so large, they probably can't even begin to put a dent in it now!
Glenn
The problem has nothing to do with the Smart host server entry.
Read the information in the URL above and contact your ISP.
I understand the problem is I'm in a residential range of dynamic IP, even though I have commercial class, and I DID read the information in the URL. That's how I verified I am using the right host for smarthost.
From the site:
**** Outbound Email Policy of Time Warner Cable/Road Runner for this IP range:
It is the policy of Time Warner Cable/Road Runner to share with other entities lists of our dynamic IP address space. While Time Warner Cable/Road Runner does not presently forbid customers from sending out mail directly from such space, it recognizes that others may wish to refuse mail from such space, and so Time Warner Cable/Road Runner makes that space known to others to facilitate their enforcement of their policies. Customers finding their mail refused by others due to a PBL listing should send their outbound mail through the outbound mail server designated for them; ****
So this sounds like smarthost. So if it has nothing to do with smarthost, is there a work around for it? The mail is being sent through the ISP's mail server, but the destination mail server is refusing it based on the domain name lookup? Why doesn't the other mail server see it being delivered by the ISP's server and accept it?
I talked to Time Warner support. First guy I talked to gives me the standard line that they don't support linux and he's never heard of sendmail. Ugh!
I finally argued to get the call escalated. This person asked what host I was sending through and felt like that should work. He is going to request the IP get removed from the PBL, but I'm not liking my chances....
RR charges you an extra $50/mo for static ip! I don't have many other choices for a decent high speed connection. DSL is too slow in my area.
James
Hi,
RR charges you an extra $50/mo for static ip! I don't have many other choices for a decent high speed connection. DSL is too slow in my area.
We have some ISPs here in the Netherlands which have spam relayed through their mailservers, which gives the same problem, blacklisted smarthosts of big ISPs. One way to get around it is to get yourself a VPS (virtual private server) for a small amount ($20/month?) and set up your own 'smarthost' (maybe together with some friends/coworkers?). You can then even use a non-standard port to relay your mail through it and even encrypt if you wish. I have my smarthost set up at such a server because my laptop goes around different networks and ISPs and I don't want to change my configuration every time :)
regards, Michel
On Mar 13, 2009, at 1:49 PM, Michel van Deventer wrote:
One way to get around it is to get yourself a VPS (virtual private server) for a small amount ($20/month?) and set up your own 'smarthost' (maybe together with some friends/coworkers?). You can then even use a non-standard port to relay your mail through it and even encrypt if you wish.
Or you can put a real box in with one of the colos here: http://www.vix.com/personalcolo/
On Fri, 13 Mar 2009, James Pifer wrote:
RR charges you an extra $50/mo for static ip! I don't have many other choices for a decent high speed connection. DSL is too slow in my area.
I have RR Business Class in upstate NY, and TW charge me $20/mo for a static IP.
Steve
on 3-13-2009 11:53 AM Steve Thompson spake the following:
I am getting a couple of TW business class connections here for "browsing" bandwidth in California and only the cheapest connection doesn't come with static IP's.
on 3-13-2009 12:36 PM James Pifer spake the following:
Remember that some mail admins can be pretty anal about what checks they run from their servers. You have absolutely no control over that aspect. All you can hope to achieve is being able to send mail to admins who follow the letter of the RFC's. The rejections on your originating address seem overly done if your mail is sent through the smart hosts, but you have to also check that you are absolutely sure that said mail did actually go through the smarthost. If the rejecting server is someone you deal with regularly, maybe you could get some sort of white listing arrangement.
If you can get mail to the top ISP's like AOL and Yahoo, you are doing pretty well, even if you have to reject the barrage of crap that comes back from them. ;-P
On Fri, 2009-03-13 at 14:51 -0400, James Pifer wrote:
I would contact the RR support folks. I think they are the ones that would need to clean up the blacklist entry with Spamhaus. They should also be able to help ensure that your configuration is right. Just be prepared to get through the level 1 support delays before you get any help though. That's been my experience.
HTH
On Fri, Mar 13, 2009, William L. Maltby wrote:
Your IP address, 70.62.90.185 is in two DNSRBLs we check, dul.dnsbl.sorbs.net and zen.spamhaus.org. The sorbs listing is of dynamic IP addresses, and zen is a conglomeration of several of the spamhaus.net DNSRBLs.
Both of these DNSRBLs are widely used, thus it would be a good idea to either get a static IP from Road Runner that's not listed in either of these, or to use a smart-host for outgoing e-mail that will accept mail from your server regardless of the DNSRBL listings.
Bill
James Pifer wrote:
The masquerading options are for a different purpose. I'm glad you got it sorted out.
Although I'm able to send mail to most people without a problem using smarthost, I still have a few that bounce back with errors like: Your message was rejected by mail.lance.com for the following reason:
Service unavailable; Client host [cdptpa-omtalb.mail.rr.com] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=70.62.90.185
I'm using the smarthost server that I should be using according to the information: define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
Well, according to the headers on this message, your mail does indeed appear to be correctly routed through your smarthost - in this instance cdptpa-omtalb.mail.rr.com [75.180.132.122].
It looks to me like the server above is checking all hops against zen.spamhaus.org rather than just the last external connection - that's the only reason I can see for it detecting and rejecting your mail (assuming your smarthost was correctly used to send that mail).
I use zen.spamhaus.org on my server, so you're welcome to send a test message directly to me off list and see if it bounces or not (you will get greylisted first for 60 seconds)
Although I'm in a residential IP range, my connection is Business Class, so sending smtp mail is not restricted (at least contractually).
Regardless, as others have pointed out your IP address is still listed in pbl on zen.spamhaus.org so it's pretty futile trying to send mail directly.
Why would I still have this problem if I'm using smarthost? Is there a way to resolve it?
It shouldn't if everything is configured correctly. As I said above, to me it looks more like the receiving server is misconfigured. That might be intentional, who knows, but they will get FPs as a result from anyone like yourself who correctly relays mail through their ISP.
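Bill's note that 70.62.90.185 answers in two DNSBLs, and Ned's diagnosis that the rejecting server is checking every Received: hop instead of just the connecting client, both come down to the same mechanics: reverse the octets, append the zone, and look for an A record in 127.0.0.0/8. The following is an added example written for this thread, not code from anyone in it. The Received: headers and the DNS answers are constructed so it runs offline: it assumes James's address is listed in the PBL (answer 127.0.0.11) and that the Road Runner relay 75.180.132.122 is not, which is the premise of Ned's diagnosis. The ZEN return-code table is the one Spamhaus documents; the 127.0.0.1 hop stands in for local submission on James's own server.

```python
import ipaddress
import re
import socket

# Spamhaus ZEN answers with an A record in 127.0.0.0/8 whose last octet
# says which component list matched (values as documented by Spamhaus).
ZEN_CODES = {
    '127.0.0.2': 'SBL',
    '127.0.0.3': 'SBL CSS',
    '127.0.0.4': 'XBL', '127.0.0.5': 'XBL', '127.0.0.6': 'XBL', '127.0.0.7': 'XBL',
    '127.0.0.10': 'PBL (ISP maintained)',
    '127.0.0.11': 'PBL (Spamhaus maintained)',
}


def dnsbl_name(ip, zone):
    """Build the query name: octets reversed, zone appended.
    70.62.90.185 under zen.spamhaus.org -> 185.90.62.70.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split('.')
    return '.'.join(reversed(octets)) + '.' + zone


def live_lookup(name):
    """Real resolver: the A record if the address is listed, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answers standing in for DNS so the example runs offline.
# Only James's address is listed (PBL); the Road Runner relay is not.
FAKE_ZONE = {'185.90.62.70.zen.spamhaus.org': '127.0.0.11'}


def fake_lookup(name):
    return FAKE_ZONE.get(name)


# Constructed Received: headers as the rejecting server would see them,
# newest first. Hostnames follow the thread; 127.0.0.1 is local submission.
SAMPLE_RECEIVED = [
    'from cdptpa-omtalb.mail.rr.com (cdptpa-omtalb.mail.rr.com [75.180.132.122]) by mail.lance.com with ESMTP',
    'from mailserver.obrien-pifer.com ([70.62.90.185]) by cdptpa-omta01.mail.rr.com with ESMTP',
    'from localhost (localhost [127.0.0.1]) by mailserver.obrien-pifer.com with ESMTP',
]

RECEIVED_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def hop_ips(received_headers):
    """Routable client IPs from each Received: header, newest first.
    Loopback and private hops are skipped; there is nothing to look up for them."""
    ips = []
    for header in received_headers:
        m = RECEIVED_IP.search(header)
        if m and ipaddress.IPv4Address(m.group(1)).is_global:
            ips.append(m.group(1))
    return ips


def check_sender(received_headers, zone, lookup=live_lookup, all_hops=False):
    """Receiver-side policy. all_hops=False checks only the connecting client,
    which is what the PBL is designed for; all_hops=True walks every Received:
    hop, which is what rejects mail a PBL-listed customer correctly relayed
    through the ISP's smarthost."""
    ips = hop_ips(received_headers)
    for ip in (ips if all_hops else ips[:1]):
        answer = lookup(dnsbl_name(ip, zone))
        if answer is not None:
            return ('reject', ip, ZEN_CODES.get(answer, answer))
    return ('accept', None, None)


if __name__ == '__main__':
    for policy in (False, True):
        print('all_hops=%s ->' % policy,
              check_sender(SAMPLE_RECEIVED, 'zen.spamhaus.org', fake_lookup, policy))
```

With the constructed headers the connecting-client policy accepts the message and the all-hops policy rejects it on 70.62.90.185, which is the false positive Ned describes. Swap `fake_lookup` for `live_lookup` to query the real zone; note that Spamhaus answers queries from public resolvers only within its usage limits.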
I use zen.spamhaus.org on my server, so you're welcome to send a test message directly to me off list and see if it bounces or not (you will get greylisted first for 60 seconds)
Sent a test message. Here's what's in maillog: Mar 14 11:00:28 mailserver sendmail[25108]: n2EF0LTt025094: to=ned@unixmail.co.uk, ctladdr=jep@obrien-pifer.com (503/503), delay=00:00:07, xdelay=00:00:03, mailer=relay, pri=120391, relay=smtp-server.carolina.rr.com. [75.180.132.33], dsn=2.0.0, stat=Sent (Message received: 20090314134107.MZQS7442.cdptpa-omta01.mail.rr.com@mailserver.obrien-pifer.com)
Been several minutes and no bounce. Guess that's a good thing.
It shouldn't if everything is configured correctly. As I said above, to me it looks more like the receiving server is misconfigured. That might be intentional, who knows, but they will get FPs as a result from anyone like yourself who correctly relays mail through their ISP.
That would stink, but appears to be the case.
Thanks, James
James Pifer wrote:
I've tried adding these lines to my sendmailmc and rebuilding it, but then nothing routes, not even local.
define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
MASQUERADE_AS(carolina.rr.com)dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
why are you using MASQUERADE_AS ?!?
you should be able to do this with just the SMART_HOST line.
on 12-9-2008 12:17 PM James Pifer spake the following:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
How worried should I bee about this? Any suggestions for dealing with it?
Thanks, James
You can run something like fail2ban and write a rule to catch this. That way a couple of failures gets the ip address dropped into a firewall rule.
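The rule Scott describes is, in fail2ban terms, a filter whose failregex captures the rip= field as the host plus a jail with maxretry, findtime and bantime. The following is an added example written for this thread, not fail2ban's own code or anything posted by the participants: it runs that same logic over the dovecot lines from the original post (plus one constructed successful login and one constructed single failure from another address, so the threshold is visible), normalises the ::ffff: IPv4-mapped form dovecot logs, and renders the iptables rules it would insert. The threshold values, the port list and the iptables rule shape are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the dovecot "Aborted login" lines in the thread. The remote
# address (rip=) is logged as an IPv4-mapped IPv6 address, ::ffff:a.b.c.d.
LOGIN_FAIL = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: '
    r'(?P<svc>pop3|imap)-login: Aborted login: user=<(?P<user>[^>]*)>, '
    r'method=(?P<method>\w+), rip=(?P<rip>\S+), lip=(?P<lip>\S+)$'
)

# Constructed sample log: the five lines from the original post, one
# successful login from the LAN, and one isolated failure from another host.
SAMPLE_LOG = """\
Dec  9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:30:02 mailserver dovecot: pop3-login: Login: user=<jep>, method=PLAIN, rip=::ffff:192.168.1.10, lip=::ffff:192.168.1.2
Dec  9 15:41:17 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:203.0.113.9, lip=::ffff:192.168.1.2
""".splitlines()


def normalize_ip(addr):
    """Strip the ::ffff: prefix so the firewall rule gets a plain IPv4 address."""
    return addr[7:] if addr.lower().startswith('::ffff:') else addr


def parse_failures(lines, year):
    """Yield (timestamp, source_ip, user) for every aborted login.
    syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = LOGIN_FAIL.match(line.strip())
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts_text = ' '.join(m['ts'].split())  # collapse "Dec  9" to "Dec 9"
        ts = datetime.strptime('%d %s' % (year, ts_text), '%Y %b %d %H:%M:%S')
        yield ts, normalize_ip(m['rip']), m['user']


def offenders(lines, maxretry=3, findtime=600, year=2008):
    """Return {ip: (total_failures, sorted_usernames)} for every source that
    produced maxretry failures inside any findtime-second window."""
    stamps = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in parse_failures(lines, year):
        stamps[ip].append(ts)
        users[ip].add(user)
    banned = {}
    for ip, times in stamps.items():
        times.sort()
        # sliding window over the sorted timestamps
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned[ip] = (len(times), sorted(users[ip]))
                break
    return banned


def iptables_rules(banned, chain='INPUT', ports=(110, 995)):
    """Render one DROP rule per banned IP and POP3 port (assumed rule shape)."""
    rules = []
    for ip in sorted(banned):
        for port in ports:
            rules.append('iptables -I %s -s %s -p tcp --dport %d -j DROP' % (chain, ip, port))
    return rules


if __name__ == '__main__':
    hits = offenders(SAMPLE_LOG)
    for ip, (count, names) in hits.items():
        print('%s: %d failures, users tried: %s' % (ip, count, ', '.join(names)))
    for rule in iptables_rules(hits):
        print(rule)
```

On the sample input only 66.167.184.203 crosses the threshold (five failures in 42 seconds against three different usernames, the alphabetical walk that marks a dictionary attack); the single failure from 203.0.113.9 is left alone, which is the point of the window.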
2008/12/9 James Pifer jep@obrien-pifer.com:
I was looking at my maillog and it looks like someone is trying to get into my pop3 server.
Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Do you really need pop3 exposed to the internet? You'd better open it only on localhost, and use an ssh channel to access it. Do not use ssh password authentication, but keys.