[QMAIL] Recipient Verification to avoid spamming

[MRatWork]

Imagine someone have many servers in cluster. One server as frontend (like cdn/google do), some server as database server, someserver as web server, some servers as mail server and so on and so on.

So, in the feature, Kloxo-MR (or the successor) can handle efficiently.

[Kloxo-DR]

Hi Mustafa,

Imagine someone have many servers in cluster. One server ..., some server ..., some server as xxx, some servers as yyy and so on and so on.

Imagine means to dream. Yes. I can dream of this. Currently, I, and the entire tiny community of Kloxo-MR, would be soooo must happy, if we must be able to sleep. If we can sleep, only then we can dream...

I cannot sleep because my server was hacked. So, my very sincere and honest suggestioon is to first have all the features stable and enhance the existing features dramatically.

Now just the fundamental things does not work and its development has remained to minimum. Ofcourse you have done the most excelent job. No doubt about it. But the development should remain within kloxo-mr targetting on drastic enhancement of existing features.

Look at backups and restore. This area is not good from the view point of its state of stagnant adter its development.

So, Mustafa I really hope that you bring kloxo-mr to a very decent and mature development. It would be really sad to have it's progress slowed down.

[zenkul]

I agree with the strategic issues raised Kloxo-DR. It's time to do a middle ground that stabilization measures, including security issues. I think developing for this stabilization is very important.

No problem, for example there are other web panels that have compatible with Apache 2.4 ... as the day is long .. and it's time for rest. I think

[chrisf]

I agree with keeping updated and newest versions of software.

We should always do what will keep our servers safe, security first, bells and whistles second.

Updating spamdyke,  Apache, qmail-toaster, etc... these are important issues, and need to be addressed.

[MRatWork]

Qmail-toaster in Kloxo-MR (taken from qmailtoaster) already include patch for chkuser.

[MRatWork]

Hi, qmail-toaster in Kloxo-MR not use tcp.smtp but supervise.

netqmail is different way compare to qmail-toaster. So, for chkuser must set inside run file.

[Kloxo-DR]

Hi Mustafa,

Hi, qmail-toaster in Kloxo-MR not use tcp.smtp but supervise.

netqmail is different way compare to qmail-toaster. So, for chkuser must set inside run file.

Should I write a cronjob to constantly reinstall and overwrite your run files with better run files to prevent spam attacks? Should everyone do that? Is the solution to overwrite your run files to prevent spam attacks and illegal email content logging a very special wish of mine?

I suggest to make a feature request to create a web interface for configuring Qmailtoaster and spamdyke. Both are just inevitable functions, as inevitable as apache and mysql, and, thus, require much better possibility for administrators for configuration.

[MRatWork]

Investigate /etc/tcprules.d/tcp.smtp because smtp read this content.

[MRatWork]

Good bye.

[vpsbox]

choose spamassaing form menu, than install razor2, pyzor, dcc (think dcc was instaled just need to update it)  (just lik it is shown  in this thread step 8 http://technotes.trostfamily.org/?p=184


ad rbl to qmail block list - manualy in config file /var/qmail/control/ blaclists ( -r xen.spamhaus.org is includet put others on new line include b.batacudacen... from the blog post i mentioned)

regeneratethe .cdb files with

qmailctl cdb

and you are ready 85 -90% of will gone


btw - to my opinion kloxo is very close good usable standart - and is the pannel with fastest options... only lack documentation...

[chrisf]

I want to say something about this discussion.  I am by skill a programmer.  I have recently spent time in Linux server admin class and my business partner is by skill, server admin.  We have tried to reproduce your bounce relay spam attack, and have been unable.  I am NOT saying it didn't happen, just that I can not reproduce.

Next, recipient blocking prior to qmail handling is not an option for me.  We have clients that have catchall set to postmaster, so they can have unlimited aliases without setting anything up.  Therefore, if example@domain.com doesn't exist,  what you propose by blocking at spamdyke level, client doesn't get mail even if catchall is set to a valid email.

On my tests, qmail properly deleted all mail sent to a known domain, unknown recipient.  We bombarded server4 with a literal mail syn flood, and although CSF shut down the flood, qmail bounced no messages.  Also, on all connections, log shows spamdyke operational.  Why was yours only on first connection?

Is it most efficient way, to process mail, then delete... no.  However, as I stated, it is not an option for me to block unknown recipient at spamdyke level.

[Kloxo-DR]

Hello Chris,

We have tried to reproduce your bounce relay spam attack, and have been unable.  I am NOT saying it didn't happen, just that I can not reproduce.

There seem to be anathor victimized server in the other thread:
http://forum.mratwork.com/kloxo-mr-technical-helps/how-to-uninstall-qmail-toaster/

@hoangsang
The spammer have found your server, if my assumtion is correct. In that case, your server is being used to send emails to innocent victims. Then, you cannot use Kloxo-MR anymore. You must compile the Qmailtoaster with CHKUSER or stop using Kloxo-MR. Thats what Mustafa said to me!!!

Yes, CPU always load 100% because processing qmail-remote

When the spammer uses a special technique, then CPU gets overloaded that normal. In the TOP monitor you see many process active by the user qmaild. The CPU always load 100% because processing qmail-remote.

THIS IS WHAT HAPPENED ON MY SERVER, when the catchall was activated and setup to delete all emails to non-existent users!

Kloxo-MR is vulnerable to spamming because a spammer is able to make connections throuch CHKUSER and sidetrack the catchall and all other spamdyke protections. Thereafter, Kloxo-MR becomes a spamming server and can send emails to innocent victims.

For the spammer, it is the best that the Admin of Kloxo-MR does not even know if his server has converted into a spamming server and all email "as undelivered emails" gets relayed from the victimized server.

Chris, could you reproduce the above characteristics of blasting CPU and invoking the qmail-remote in your series of testing based on your extraordinary expertise? You and your partner, both are an inexperienced spammers and the testing you both conducted are useless!

[MRatWork]

@Kloxo-DR,

if your qmail setting is correct, impossible your server as 'smtp relay' from outside. Like I said before, qmail-toaster in Kloxo-MR already have chkuser-patch.

Rule for relay is inside /etc/tcp.rules.d/tcp.smtp. This read my stmp-run.

[Kloxo-DR]

Hi Mustafa,

if your qmail setting is correct, impossible your server as 'smtp relay' from outside.

There is no smtp-relay from outside in this case. The emails are sent from inside because those email addresses did not exist on the server. They are sent to innocent victims mentioned in "Recipient Path".

[MRatWork]

One possibility, one or more domain inside your server send a spam. Remember, it's possible php send email via SMTP with 'unknown' identity (aka domain) but qmail-toaster permit because from inside (aka localhost). You can try modified tcp.smtp:

from:

Code: [Select]

127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"

to:

Code: [Select]

127.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"

With this trick, qmail will process all smtp (inside or outside) with the same rule.