
Re[2]: [filtered-ww] [vps-mail] Issue re sendmail/ abuse (attempted relay????)



BA> On VPS1, tcpwrappers can be used to block the connection without even
BA> starting a sendmail process.

BA> Add the following to your ~/etc/hosts.allow before the 'ALL : ALL :
BA> allow' line:
BA> smtp : 200.3.224.50 : deny

Bruce, thanks so much for this info - but now I'm confused -
does hosts.allow replace or supplant the scf.conf file? Also,
does the addition to the hosts.allow file work automatically,
or is it necessary to run a vnew... command of some sort?

I noticed that my hosts.allow file has the following:

## BEGIN scf.conf converted rules ##
smtp : 12.105.8.130 : deny
smtp : 12.44.219.116 : deny
smtp : 12.44.219.104 : deny
smtp : 12.44.219.123 : deny
all : 24.112.104.77 : deny
all : 24.123.145.101 : deny
all : 24.42.44.181 : deny
****

Sure enough, these IPs are also contained in scf.conf.

I recently tried to block httpd access to a particular host
via the scf.conf file, and it didn't work - so if scf.conf
is obsolete, I'll quit using it in favor of hosts.allow.


-Abigail



BA> You will start seeing the following in your ~/var/log/messages:
BA> <36>Aug 22 19:39:46 tcpwrap[6831]:refused connection from 200.3.244.50,
BA> service smtp (tcp)

BA> There are some other interesting possibilities with tcpwrappers, worth
BA> checking out.

BA>         --Bruce

BA> On Thu, 2003-08-21 at 17:43, Weldon Whipple wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> 
>> On Thu, 21 Aug 2003, Abigail Marshall wrote:
>> 
>> > Here's the problem - I noticed that my messages file had a
>> > lot of entries like this:
>> >
>> > ><XX>Aug 21 15:00:17 sendmail[65008]: h7LL0HNA065008:
>> > >[200.3.224.50] did not issue MAIL/EXPN/VRFY/ETRN during
>> > >connection to stdin
>> >
>> > About 1270 entries, at the rate of about 3 or 4 per minute.
>> > This is from 2:00 am last night - 13 hours - so basically
>> > it's about 100 hits per hour.
>> >
>> > There is no reverse DNS for that IP, which appears to
>> > originate from some ISP in Brazil.
>> >
>> > I added that IP to the Access file.
>> 
>> I don't know if this will help on VPS1 (where it is iservd that makes the
>> connection--rather than a daemonized sendmail as on VPS2). You could try
>> prefixing the IP address with "Connect:", like so:
>> 
>> Connect:200.3.224.50  REJECT
>> 
>> (On VPS2, if I remember correctly, sendmail will cut off the connection as
>> soon as it senses who it is that is trying to connect ...)
>> 
>> Adding the Connect: prefix might not make any difference, but it might be
>> worth a try.
>> 
>> > Is there anything else I can do? I'm wondering how this sort
>> > of stuff impacts overall server load and performance of
>> > Sendmail.
>> 
>> As long as he doesn't bring down your server (and as long as other
>> legitimate mail can get through), it might just be a matter of waiting out
>> the jerk until he gets bored ...
>> 
>> Weldon
>> 
>> - -- 
>> Weldon Whipple <weldon@xxxxxxxxxxx>
>> http://www.whipple.org
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.2 (FreeBSD)
>> 
>> -----END PGP SIGNATURE-----
>> ======================================================================
>> Technical questions regarding this list may be sent to
>> <vps-mail-owner@xxxxxxxxxxxx>. You may request an automated help
>> response by sending an email with the word 'help' (w/o quotes) in the
>> BODY of the message (subject is ignored) to <vps-mail-request@xxxxxxxxxxxx>.
>> ======================================================================
>> 
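
The rule format Bruce gives and the log entries Abigail reports, combined in an added example that is not part of the original thread: it counts "did not issue MAIL/EXPN/VRFY/ETRN" entries per client IP and places `smtp : <ip> : deny` rules before the `ALL : ALL : allow` line. The function names, the threshold and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter

# sendmail logs this when a client connects and leaves without starting a mail transaction
PROBE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\] did not issue MAIL/EXPN/VRFY/ETRN")

def count_probes(log_text):
    """Count 'did not issue MAIL/EXPN/VRFY/ETRN' entries per client IP."""
    return Counter(m.group(1) for m in PROBE.finditer(log_text))

def _fields(rule):
    """Normalise 'smtp : 1.2.3.4 : deny' to ('smtp', '1.2.3.4', 'deny')."""
    return tuple(f.strip().lower() for f in rule.split(":"))

def add_smtp_denies(hosts_allow, counts, threshold):
    """Return hosts.allow text with an smtp deny rule per IP seen >= threshold times."""
    lines = hosts_allow.splitlines()
    # IPs that already have an smtp or all deny rule are not added again.
    denied = {f[1] for f in map(_fields, lines)
              if len(f) == 3 and f[0] in ("smtp", "all") and f[2] == "deny"}
    new = [f"smtp : {ip} : deny" for ip, n in sorted(counts.items())
           if n >= threshold and ip not in denied]
    # tcpwrappers stops at the first matching rule, so the new rules must sit
    # before the 'ALL : ALL : allow' catch-all (appended if there is none).
    catch_all = next((i for i, line in enumerate(lines)
                      if _fields(line) == ("all", "all", "allow")), len(lines))
    return "\n".join(lines[:catch_all] + new + lines[catch_all:]) + "\n"

# Constructed sample data: entries in the log format quoted in the thread
# (192.0.2.7 is a documentation address) and a short hosts.allow.
_FMT = ("<XX>Aug 21 15:00:{0:02d} sendmail[650{0:02d}]: h7LL0HNA0650{0:02d}: "
        "[{1}] did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin\n")
SAMPLE_LOG = ("".join(_FMT.format(s, "200.3.224.50") for s in range(5))
              + _FMT.format(30, "192.0.2.7"))
SAMPLE_HOSTS_ALLOW = """\
## BEGIN scf.conf converted rules ##
smtp : 12.105.8.130 : deny
all : 24.112.104.77 : deny
ALL : ALL : allow
"""

if __name__ == "__main__":
    print(add_smtp_denies(SAMPLE_HOSTS_ALLOW, count_probes(SAMPLE_LOG), threshold=5), end="")
```

Running it a second time on its own output adds nothing, because addresses that already have a deny rule are skipped.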
