
Re: Re[2]: [filtered-ww] [vps-mail] Issue re sendmail/ abuse (attempted relay????)



Sometime in the last month or two, tcpwrappers replaced scf on vps1
accounts.  Can't really remember when this was.

As for a vnew command, there isn't one for tcpwrappers.  Changes go into
effect the moment you save the file.

	--Bruce

I don't remember when this happened
On Fri, 2003-08-22 at 15:23, Abigail Marshall wrote:
> BA> On VPS1, tcpwrappers can be used to block the connection without even
> BA> starting a sendmail process.
> 
> BA> Add the following to your ~/etc/hosts.allow before the 'ALL : ALL :
> BA> allow' line:
> BA> smtp : 200.3.224.50 : deny
> 
> Bruce, thanks so much for this info - but now I'm confused -
> does hosts.allow replace or supplant the scf.conf file? Also,
> does the addition to the hosts.allow file work automatically,
> or is it necessary to run a vnew... command of some sort?
> 
> I noticed that my hosts.allow file has the following:
> 
> ## BEGIN scf.conf converted rules ##
> smtp : 12.105.8.130 : deny
> smtp : 12.44.219.116 : deny
> smtp : 12.44.219.104 : deny
> smtp : 12.44.219.123 : deny
> all : 24.112.104.77 : deny
> all : 24.123.145.101 : deny
> all : 24.42.44.181 : deny
> ****
> 
> Sure enough, these IPs are also contained in scf.conf.
> 
> I recently tried to block httpd access to a particular host
> via the scf.conf file, and it didn't work - so if scf.conf
> is obsolete, I'll quit using it in favor of hosts.allow.
> 
> 
> -Abigail
> 
> 
> 
> BA> You will start seeing the following in your ~/var/log/messages:
> BA> <36>Aug 22 19:39:46 tcpwrap[6831]:refused connection from 200.3.244.50,
> BA> service smtp (tcp)
> 
> BA> There are some other interesting possibilities with tcpwrappers, worth
> BA> checking out.
> 
> BA>         --Bruce
> 
> BA> On Thu, 2003-08-21 at 17:43, Weldon Whipple wrote:
> >> On Thu, 21 Aug 2003, Abigail Marshall wrote:
> >> 
> >> > Here's the problem - I noticed that my messages file had a
> >> > lot of entries like this:
> >> >
> >> > ><XX>Aug 21 15:00:17 sendmail[65008]: h7LL0HNA065008:
> >> > >[200.3.224.50] did not issue MAIL/EXPN/VRFY/ETRN during
> >> > >connection to stdin
> >> >
> >> > About 1270 entries, at the rate of about 3 or 4 per minute.
> >> > This is from 2:00 am last night - 13 hours - so basically
> >> > it's about 100 hits per hour.
> >> >
> >> > There is no reverse DNS for that IP, which appears to
> >> > originate from some ISP in Brazil.
> >> >
> >> > I added that IP to the Access file.
> >> 
> >> I don't know if this will help on VPS1 (where it is iservd that makes the
> >> connection--rather than a daemonized sendmail as on VPS2). You could try
> >> prefixing the IP address with "Connect:", like so:
> >> 
> >> Connect:200.3.224.50  REJECT
> >> 
> >> (On VPS2, if I remember correctly, sendmail will cut off the connection as
> >> soon as it senses who it is that is trying to connect ...)
> >> 
> >> Adding the Connect: prefix might not make any difference, but it might be
> >> worth a try.
> >> 
> >> > Is there anything else I can do? I'm wondering how this sort
> >> > of stuff impacts overall server load and performance of
> >> > Sendmail.
> >> 
> >> As long as he doesn't bring down your server (and as long as other
> >> legitimate mail can get through), it might just be a matter of waiting out
> >> the jerk until he gets bored ...
> >> 
> >> Weldon
> >> 
> >> - -- 
> >> Weldon Whipple <weldon@xxxxxxxxxxx>
> >> http://www.whipple.org
> >> ======================================================================
> >> Technical questions regarding this list may be sent to
> >> <vps-mail-owner@xxxxxxxxxxxx>. You may request an automated help
> >> response by sending an email with the word 'help' (w/o quotes) in the
> >> BODY of the message (subject is ignored) to <vps-mail-request@xxxxxxxxxxxx>.
> >> ======================================================================
> >> 
> 

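Added example, not part of the original thread or the provider's tooling: it counts the "did not issue MAIL/EXPN/VRFY/ETRN" entries per IP, inserts `smtp : <ip> : deny` rules above the `ALL : ALL : allow` line, and checks the result with a simplified first-match evaluator. The log lines, the hosts.allow content, the threshold and all function names are constructed for illustration; the evaluator handles only literal IPs and `ALL`.

```python
import re
from collections import Counter

# Constructed sample of ~/var/log/messages, in the format quoted in the thread.
SAMPLE_LOG = """\
<XX>Aug 21 15:00:17 sendmail[65008]: h7LL0HNA065008: [200.3.224.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin
<XX>Aug 21 15:00:37 sendmail[65011]: h7LL0bNA065011: [200.3.224.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin
<XX>Aug 21 15:00:58 sendmail[65019]: h7LL0wNA065019: [200.3.224.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin
<XX>Aug 21 15:01:02 sendmail[65020]: h7LL12NA065020: [192.0.2.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin
"""

# Constructed hosts.allow in the layout shown in the thread.
SAMPLE_HOSTS_ALLOW = """\
## BEGIN scf.conf converted rules ##
smtp : 12.105.8.130 : deny
all : 24.112.104.77 : deny
ALL : ALL : allow
"""

PROBE = re.compile(r"sendmail\[\d+\]: \S+ \[(\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN")

def offenders(log_text, threshold):
    """Return the IPs with at least `threshold` idle-connection entries."""
    hits = Counter(m.group(1) for m in PROBE.finditer(log_text))
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def add_denies(hosts_allow, ips, service="smtp"):
    """Insert deny rules above the catch-all allow; rules below it never match."""
    lines = hosts_allow.splitlines()
    squashed = [l.replace(" ", "").lower() for l in lines]
    new = [f"{service} : {ip} : deny" for ip in ips
           if f"{service}:{ip}:deny" not in squashed]
    at = squashed.index("all:all:allow") if "all:all:allow" in squashed else len(lines)
    return "\n".join(lines[:at] + new + lines[at:]) + "\n"

def verdict(hosts_allow, service, ip):
    """Simplified first-match evaluation (literal IPs and ALL only)."""
    for line in hosts_allow.splitlines():
        parts = [p.strip().lower() for p in line.split(":")]
        if line.lstrip().startswith("#") or len(parts) != 3:
            continue
        daemon, client, action = parts
        if daemon in ("all", service) and client in ("all", ip):
            return action
    return "allow"  # tcpwrappers grants access when no rule matches

if __name__ == "__main__":
    updated = add_denies(SAMPLE_HOSTS_ALLOW, offenders(SAMPLE_LOG, threshold=3))
    print(updated, verdict(updated, "smtp", "200.3.224.50"))
```
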
