MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: Kloxo-DR on 2014-02-19, 20:59:52

Title: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-19, 20:59:52
Hello Mustafa,

I suggest modifying and including "Recipient Verification" for incoming messages.

Recently, we received thousands of emails with bogus_recipients@domain.com. As domain.com is in the rcphosts file, all non-existent emails randomly generated got delivered with a bogus Return-Path. They were relayed to hotmail, yahoo or google.

To prevent this, the best is to use SPAMCONTROL:

http://www.fehcom.de/qmail/spamcontrol.html

If this is difficult, then at least RCPTCHECK:

http://www.soffian.org/downloads/qmail/qmail-smtpd-doc.html

Or here:

http://www.memoryhole.net/qmail/
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Spacedust on 2014-02-19, 22:25:50
We have spamdyke for this...
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-20, 07:13:51
Hello,

We have spamdyke for this...

We both are using kloxo and spamdyke from its beginning!
Knowing that we have spamdyke and having configured spamdyke, I have placed the above message as spamdyke has failed.

Investigating the issue, I found that a combination of spamdyke and qmail has a fundamental flaw, which is well known to experts. For many years I thought that. Not anymore, looking at the new spamming techniques used by spammers in the last weeks on my server. So let me explain to you and Mustafa why I have placed this:

When an incoming connection is made from sender/spammer to the server, spamdyke will only check certain parameters of that connection.

One of them is rcphost.

What spamdyke fails to check is whether an email address exists in the system at all. This means that if a domain exists in rcphost but not the email address, then spamdyke allows that connection.

Qmail does not check AT THE TIME OF AN INCOMING CONNECTION if an email address exists. It will first accept an email for processing. That email is delivered in the first place.

Only thereafter Qmail wakes up and finds that the email could not be delivered because the recipient's email address does not exist on the server.

Thereafter Qmail sends the undelivered notice to the email address available in the Return-Path.

This is well known and used extensively by spammers.

Spammers use this flaw of Qmail to forge Return-Path != to sender's email address.


As a consequence, the undelivered goes to someone who did not send that email.

With this technique, my server became a spamming server. I needed to use a firewall to block the IP address of the spammer.

Until I found the above mentioned links, I did not really follow what was happening. Since the undelivered is never registered, an Administrator also never notices this abuse of a server. Now that I have read the details of the flaw and respective solutions, I think it is necessary to use more protection against this flaw of qmail.

Spacedust, let me know if I could change something in spamdyke to achieve the solution, if you think I missed something.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-02-20, 17:10:26
Under domain, mail settings, catchall configure, set to delete, not bounce.

Also, this is another option like cron that we should have to set for clients. Hostgator and godaddy both restrict setting catchall for this reason. Mustafa, by default it is set to delete, which is good. Can you add admin restrictions to catchall configure like cron. Client can see, but not update. Admin only can change.

OR remove the bounce option altogether. 
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-20, 19:10:19
Hi Chris,

Under domain, mail settings, catchall configure, set to delete, not bounce.

I always had catch-all set up to delete. None of the affected - or any other - accounts have bounce or any other mapping.

Until I used official Kloxo, I had absolutely no problems with catch-all. I ran into problems of the nature described above, only after I switched to Kloxo-MR.

Kloxo-MR did not delete those emails to non-existent email addresses to a domain existing in rcphosts file.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-02-21, 02:04:04
I believe you, and have not tested.  Maybe the catchall feature is not operating correctly since changing to qmail-toaster.  @spacedust, please investigate this issue on your servers.  Mustafa,  can you confirm catchall delete not working?

Please post the steps necessary to make SPAMCONTROL work with KloxoMR.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-21, 04:08:17
The command for delivering mail is inside '/home/lxadmin/mail/domains/<domain>/.qmail-default'.

1. Without catchall it will be '| /home/vpopmail/bin/vdelivermail '' delete'
2. With catchall it will be '| /home/vpopmail/bin/vdelivermail '' /home/lxadmin/mail/domains/<domain>/admin'
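The .qmail-default line above decides whether mail for a non-existent user is dropped or bounced back to whatever Return-Path the sender supplied, which is the backscatter problem this thread is about. The following audit script is an added example, not Kloxo-MR's or vpopmail's own code; it assumes vpopmail's vdelivermail keywords `delete` and `bounce-no-mailbox` (the keyword behind a 'bounce' catchall), and its demo() builds a constructed mail tree in a temporary directory rather than reading a real server.

```python
import re
import tempfile
from pathlib import Path

# Matches the vdelivermail instruction Kloxo-MR writes into .qmail-default:
#   | /home/vpopmail/bin/vdelivermail '' <action>
VDELIVERMAIL_RE = re.compile(r"^\|\s*\S*/vdelivermail\s+''\s+(?P<action>\S+)\s*$")


def classify_catchall(qmail_default_text):
    """Classify what a domain does with mail for a non-existent user.

    Returns 'delete', 'bounce', 'forward', 'mailbox' or 'unknown'.
    """
    for line in qmail_default_text.splitlines():
        m = VDELIVERMAIL_RE.match(line.strip())
        if not m:
            continue
        action = m.group("action")
        if action == "delete":
            return "delete"            # silently dropped: no backscatter
        if action == "bounce-no-mailbox":
            return "bounce"            # bounce goes to a possibly forged Return-Path
        if "@" in action:
            return "forward"           # catch-all to an address such as postmaster
        if action.startswith("/"):
            return "mailbox"           # catch-all into a Maildir, e.g. .../<domain>/admin
        return "unknown"
    return "unknown"


def audit_domains(mail_root):
    """Map domain -> classification for every <mail_root>/<domain>/.qmail-default."""
    results = {}
    for qd in sorted(Path(mail_root).glob("*/.qmail-default")):
        results[qd.parent.name] = classify_catchall(qd.read_text(errors="replace"))
    return results


def bouncing_domains(mail_root):
    """Domains whose catch-all would bounce unknown recipients back to the Return-Path."""
    return sorted(d for d, kind in audit_domains(mail_root).items() if kind == "bounce")


def demo():
    """Build a constructed mail tree in a temp dir and audit it (sample data, not a real server)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "good.example": "| /home/vpopmail/bin/vdelivermail '' delete\n",
        "bad.example": "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox\n",
        "alias.example": "| /home/vpopmail/bin/vdelivermail '' postmaster@alias.example\n",
        "box.example": "| /home/vpopmail/bin/vdelivermail '' /home/lxadmin/mail/domains/box.example/admin\n",
    }
    for domain, content in samples.items():
        (root / domain).mkdir()
        (root / domain / ".qmail-default").write_text(content)
    return audit_domains(root), bouncing_domains(root)
```

Run audit_domains("/home/lxadmin/mail/domains") on a Kloxo-MR box to see which domains are set to bounce; a 'forward' or 'mailbox' catch-all still accepts everything for the domain, so recipient checks at SMTP time cannot be applied to it.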
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-02-21, 04:14:38
I can't reproduce the bounce.  I just tested multiple email accounts that didn't exist, but domain did.  They were all deleted, no bounce.

I do suggest removing bounce option for clients.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-21, 08:51:00
Hi Chris,

I just tested multiple email accounts that didn't exist, but domain did.  They were all deleted, no bounce.

Now if Qmailtoaster checks - in addition to the available delete function - if the recipient exists much earlier, even before an email is delivered, then any requirement of ( catchall ==delete ) function is not necessary. This also means:

if [ "$config_catch_all" = "activated" ]; then
    # catch-all is on: only then does the delete/bounce action apply
    [ "$check_config_of_catchall" = "delete" ] || [ "$check_config_of_catchall" = "bounce" ]
else
    # no catch-all: verify the recipient exists (by SPAMCONTROL or other less vigorous plugins)
    check_recipient_exists
fi

So, if $check_config_of_catchall is delete or bounce, only then email is accepted by the server.

Can you confirm that the programming logic is correct, i.e. that catchall=delete should be there and remain, even if it worked for you? Is that what you are saying?

I find catchall=delete childish, and beyond that, I find it a silly and stupid function. I cannot endorse it.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Spacedust on 2014-02-21, 11:33:23
How to block something like this - interia.pl it's not our domain so it's spoofed:

--------------
MESSAGE NUMBER 404055
--------------
Received: (qmail 25602 invoked by uid 7848); 20 Feb 2014 14:00:49 -0000
Message-ID: <20140220140049.25601.qmail@mail.xxx.pl>
To: abka@polbox.com
Subject: =?UTF-8?Q?Free=20Suplements?=
Date: Thu, 20 Feb 2014 15:00:49 +0100
From: =?UTF-8?Q?Dieta?= <KGregorK@interia.pl>
Sender: =?UTF-8?Q?Dieta?= <KGregorK@interia.pl>
Reply-To: =?UTF-8?Q?Dieta?= <KGregorK@interia.pl>
MIME-Version: 1.0
Content-Type: text/html;
 charset="UTF-8"
Content-Transfer-Encoding: =?UTF-8?Q?8bit?=

<p><a
href="http://track.acaiberry900.pl/product/AcaiBerry-900/?pid=129&uid=2061"
rel="nofollow">Czy wiesz, jak łatwo można schudnac</a></p>

<p><a
href="http://track.probolan50.pl/product/Probolan-50/?pid=116&uid=2061"
rel="nofollow">Czy już znasz najlepszy i najtańszy
sposób na nabranie masy</a></p>

<p><a
href="http://track.probolan50.pl/product/Probolan-50/?uid=2061&pid=116&bid=677"
rel="nofollow" title="jak szybko przytyc na wadze" ><img
src="http://track.probolan50.pl/banner/?uid=2061&pid=116&bid=677"
alt="jak szybko przytyc na wadze" /></a></p>

<p><a
href="http://track.metadrol.pl/product/Metadrol/?uid=2061&pid=120&bid=665"
rel="nofollow" title=" najlepsza odzywka na porost miesni
bez cwiczen" ><img
src="http://track.metadrol.pl/banner/?uid=2061&pid=120&bid=665"
alt=" najlepsza odzywka na porost miesni bez cwiczen"
/></a></p>
<br/><img width="1px" height="1px"
src="http://odel.pl/Admailer4/lkwiab_1.ejpg" />
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-25, 12:33:00
Hi Mustafa,

You have compiled qmail-toaster with deactivated parameters. So most of the options in CHKUSER of 2.0.9 -DOES-NOT-WORK- IN THE CURRENT KLOXOMR 6.5.0f.

I suggest that you recompile the toaster and make an update of kloxomr.

Further, please also update spamdyke from 4.3.1 to 5.0.0.

The latest version of spamdyke includes exactly the feature to reject non-existing recipients. I made the update and got spamdyke 5 working. However all emails to non-existing recipients are accepted because the chkuser parameters are not properly compiled.

The modification or activation of chkuser + spamdyke 5 is a must. Until then, all kloxomr servers are vulnerable to such attacks.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-25, 12:59:55
I will investigate more about it after my internet connection is back to normal speed (now I only have 20 kbps) and after repairing corrupt local git files (I must rebase the local git with 3 x 6GB size)!
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-25, 15:56:04
Hi Mustafa,

Uh, I am sorry to hear about the troubles. I have experienced similar problems when I could not get 3G and needed to work with 2G. That's terrible....

I suggest having the following parameters in /var/qmail/doc/chkuser_settings.h turned on before compiling the toaster:

CHKUSER_ALWAYS_ON,
CHKUSER_VPOPMAIL,
CHKUSER_DOMAIN_WANTED,
CHKUSER_ENABLE_USERS,
CHKUSER_ENABLE_LOGGING,
CHKUSER_LOG_VALID_RCPT,
CHKUSER_LOG_VALID_SENDER,
CHKUSER_RCPT_DELAY_ANYERROR,
CHKUSER_ERROR_DELAY_INCREASE,
CHKUSER_RCPTLIMIT="5",
CHKUSER_WRONGRCPTLIMIT="5"

In spamdyke v 5.0, the above options do not work as the current qmail-toaster compiled by you did not have certain parameters turned on. Most importantly, if you could have most parameters set up by default so that administrators do not have to compile again.

It would also be worthwhile to have mysql support in spamdyke:

http://www.huschi.net/5_348_de-plesk-qmail-spamdyke-mit-mysql-logging.html
(needs translation from German to English)
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-25, 16:23:09
Thanks,

I don't want mysql enabled in spamdyke. It's because I think it's better for Kloxo-MR to use sqlite instead of mysql for its database.

If I can convert the vpopmail database to cdb format (instead of mysql), it's possible Kloxo-MR will use sqlite instead of mysql for its database.

Imagine you want Kloxo-MR as DNS only; with 6.5.1 it is possible to not use the mail, web and spam server (except dns) by selecting 'none' for the web/mail/spam server. With this trick it is possible to run Kloxo-MR in 64MB RAM.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-25, 18:23:02
Hi Mustafa,

I downloaded the src of toaster and found:

qmail-1.03 patched to netqmail-1.05

The latest is netqmail-1.06:
http://qmail.cybermirror.org/top.html
http://www.qmail.org/netqmail/

I suggest that you go through all important areas of the patches and make a very nice update of the toaster.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-25, 18:43:11
Imagine someone has many servers in a cluster. One server as frontend (like cdn/google do), some servers as database servers, some servers as web servers, some servers as mail servers and so on and so on.

So, in the future, Kloxo-MR (or the successor) can handle this efficiently.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-25, 19:21:10
Hi Mustafa,

Imagine someone have many servers in cluster. One server ..., some server ..., some server as xxx, some servers as yyy and so on and so on.

Imagine means to dream. Yes. I can dream of this. Currently, I, and the entire tiny community of Kloxo-MR, would be soooo much happier if we were able to sleep. If we can sleep, only then we can dream...

I cannot sleep because my server was hacked. So, my very sincere and honest suggestion is to first have all the features stable and enhance the existing features dramatically.

Right now even the fundamental things do not work and their development has remained minimal. Of course you have done a most excellent job. No doubt about it. But the development should remain within kloxo-mr, targeting a drastic enhancement of existing features.

Look at backup and restore. This area is not good, from the viewpoint of its stagnant state after its development.

So, Mustafa, I really hope that you bring kloxo-mr to a very decent and mature development. It would be really sad to have its progress slowed down.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: zenkul on 2014-02-25, 20:09:44
I agree with the strategic issues raised by Kloxo-DR. It's time for a middle ground with stabilization measures, including security issues. I think developing for this stabilization is very important.

No problem, for example there are other web panels that are compatible with Apache 2.4 ... as the day is long .. and it's time for rest. I think
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-02-25, 21:45:39
I agree with keeping updated and newest versions of software.

We should always do what will keep our servers safe, security first, bells and whistles second.

Updating spamdyke,  Apache, qmail-toaster, etc... these are important issues, and need to be addressed.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-27, 10:36:25
Qmail-toaster in Kloxo-MR (taken from qmailtoaster) already includes the patch for chkuser.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-28, 03:58:31
Hi, qmail-toaster in Kloxo-MR does not use tcp.smtp but supervise.

netqmail works in a different way compared to qmail-toaster. So, chkuser must be set inside the run file.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-02-28, 07:00:32
Hi Mustafa,

Hi, qmail-toaster in Kloxo-MR does not use tcp.smtp but supervise.

netqmail works in a different way compared to qmail-toaster. So, chkuser must be set inside the run file.

Should I write a cronjob to constantly reinstall and overwrite your run files with better run files to prevent spam attacks? Should everyone do that? Is the solution to overwrite your run files to prevent spam attacks and illegal email content logging a very special wish of mine?

I suggest to make a feature request to create a web interface for configuring Qmailtoaster and spamdyke. Both are just inevitable functions, as inevitable as apache and mysql, and, thus, require much better possibility for administrators for configuration.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-28, 13:51:44
Investigate /etc/tcprules.d/tcp.smtp because smtp reads this content.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-02-28, 17:45:47
Good bye.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: vpsbox on 2014-03-03, 00:29:25
choose spamassassin from the menu, then install razor2, pyzor, dcc (I think dcc was installed, it just needs to be updated) (just like it is shown in step 8 of this thread: http://technotes.trostfamily.org/?p=184)


add rbl to the qmail block list - manually in the config file /var/qmail/control/blacklists ( -r zen.spamhaus.org is included, put others on a new line, include b.batacudacen... from the blog post I mentioned)

regenerate the .cdb files with

qmailctl cdb

and you are ready, 85-90% of it will be gone


btw - in my opinion kloxo is very close to a good usable standard - and is the panel with the fastest options... it only lacks documentation...

Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-03-03, 09:19:09
I want to say something about this discussion.  I am by skill a programmer.  I have recently spent time in Linux server admin class and my business partner is by skill, server admin.  We have tried to reproduce your bounce relay spam attack, and have been unable.  I am NOT saying it didn't happen, just that I can not reproduce.

Next, recipient blocking prior to qmail handling is not an option for me.  We have clients that have catchall set to postmaster, so they can have unlimited aliases without setting anything up.  Therefore, if example@domain.com doesn't exist,  what you propose by blocking at spamdyke level, client doesn't get mail even if catchall is set to a valid email.

On my tests, qmail properly deleted all mail sent to a known domain, unknown recipient.  We bombarded server4 with a literal mail syn flood, and although CSF shut down the flood, qmail bounced no messages.  Also, on all connections, log shows spamdyke operational.  Why was yours only on first connection?

Is it most efficient way, to process mail, then delete... no.  However, as I stated, it is not an option for me to block unknown recipient at spamdyke level.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-04, 07:36:09
Hello Chris,
We have tried to reproduce your bounce relay spam attack, and have been unable.  I am NOT saying it didn't happen, just that I can not reproduce.
There seems to be another victimized server in the other thread:
http://forum.mratwork.com/kloxo-mr-technical-helps/how-to-uninstall-qmail-toaster/

@hoangsang
The spammer has found your server, if my assumption is correct. In that case, your server is being used to send emails to innocent victims. Then, you cannot use Kloxo-MR anymore. You must compile the Qmailtoaster with CHKUSER or stop using Kloxo-MR. That's what Mustafa said to me!!!
Yes, CPU always load 100% because processing qmail-remote
When the spammer uses a special technique, then the CPU gets overloaded, that's normal. In the TOP monitor you see many processes active by the user qmaild. The CPU is always at 100% load because of processing qmail-remote.

THIS IS WHAT HAPPENED ON MY SERVER, when the catchall was activated and setup to delete all emails to non-existent users!

Kloxo-MR is vulnerable to spamming because a spammer is able to make connections through CHKUSER and sidetrack the catchall and all other spamdyke protections. Thereafter, Kloxo-MR becomes a spamming server and can send emails to innocent victims.

For the spammer, it is the best that the Admin of Kloxo-MR does not even know if his server has converted into a spamming server and all email "as undelivered emails" gets relayed from the victimized server.

Chris, could you reproduce the above characteristics of blasting the CPU and invoking qmail-remote in your series of testing based on your extraordinary expertise? You and your partner are both inexperienced spammers and the testing you both conducted is useless!
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-03-04, 07:41:38
@Kloxo-DR,

if your qmail setting is correct, it is impossible for your server to be used as an 'smtp relay' from outside. Like I said before, qmail-toaster in Kloxo-MR already has the chkuser patch.

The rule for relay is inside /etc/tcprules.d/tcp.smtp. This is read by my smtp-run.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-04, 07:50:52
Hi Mustafa,
if your qmail setting is correct, impossible your server as 'smtp relay' from outside.

There is no smtp-relay from outside in this case. The emails are sent from inside because those email addresses did not exist on the server. They are sent to innocent victims mentioned in "Recipient Path".
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-03-04, 09:00:59
One possibility: one or more domains inside your server send spam. Remember, it's possible for php to send email via SMTP with an 'unknown' identity (aka domain), but qmail-toaster permits it because it comes from inside (aka localhost). You can try modifying tcp.smtp:

from:
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"

to:
127.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"

With this trick, qmail will process all smtp (inside or outside) with the same rule.
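The difference between the two rule sets above is that the loopback line stops granting RELAYCLIENT and starts carrying the chkuser recipient limits, so local senders face the same checks as outside ones. As an added example (not qmail-toaster's or Kloxo-MR's own code), here is a small audit of tcp.smtp rules that flags exactly those two things; it is a simplified parser of the address:action,VAR="value" line format, not a full tcprules implementation, and BEFORE/AFTER are constructed copies of the two rule sets in this post.

```python
import re

# VAR="value" pairs after the action; values in tcp.smtp are double-quoted.
KV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_tcp_smtp(text):
    """Parse tcprules-style lines into (address_prefix, action, {VAR: value}) tuples.

    An empty address prefix is the default rule that applies to every other client.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, _, env = rest.partition(",")
        rules.append((addr, action, dict(KV_RE.findall(env))))
    return rules


def check_rule(addr, action, env):
    """Return findings for one rule; an empty list means nothing to flag."""
    findings = []
    if action != "allow":
        return findings            # deny rules never relay or deliver anything
    who = addr or "<default>"
    if "RELAYCLIENT" in env:
        # RELAYCLIENT lets the client relay to any domain without SMTP AUTH;
        # on 127. this covers every local script that talks to port 25.
        findings.append(f"{who}: RELAYCLIENT set, relays without authentication")
    for var in ("CHKUSER_RCPTLIMIT", "CHKUSER_WRONGRCPTLIMIT"):
        if var not in env:
            findings.append(f"{who}: {var} not set, chkuser does not cap recipients here")
    return findings


def audit_tcp_smtp(text):
    """Findings for a whole tcp.smtp file, in rule order."""
    out = []
    for addr, action, env in parse_tcp_smtp(text):
        out.extend(check_rule(addr, action, env))
    return out


# Constructed copies of the two rule sets discussed above (the 'from' and 'to' versions).
BEFORE = '''127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
'''
AFTER = '''127.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_tcp_smtp(text) or "no findings")
```

Dropping RELAYCLIENT from the 127. line also means local applications that relay to outside domains must authenticate, so check which local senders depend on it before applying the change and regenerate the cdb afterwards as the qmailtoaster wiki describes.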

Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-03-04, 09:04:52
Read http://wiki.qmailtoaster.com/index.php/Tcp.smtp
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-04, 20:32:19
Hello Mustafa,

I found that I need to recompile the CHKUSER binary and have the settings in /var/qmail/doc/chkuser_settings.h turned on before compiling the toaster. If these settings were not turned on before compiling, then they remain deactivated.

This is the problem. Currently these parameters are deactivated.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-03-05, 11:15:40
Before you talk again, read http://wiki.qmailtoaster.com/index.php/Patches_included_with_QmailToaster.

Qmail-toaster is already the same as netqmail 1.0.5 because it implements the same patches.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: MRatWork on 2014-03-13, 21:12:06
In the latest qmail-toaster, by default, spamdyke/rblsmtpd/softlimit are inactive. Create their files with content as described in the run file.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-13, 23:00:05
Hi Mustafa,

I had an attack before the update and after the update. So the problem remained when softlimit was in there before, and I doubt that this could be the cause.

The problem I face is that the spammer found a weak point in the combination of Qmailtoaster + Spamdyke. Now that we have spamdyke 5.0.0 and correct integration of vpopmail, the checking of valid recipients must be able to stop emails coming to non-existent recipients.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-03-13, 23:54:34
Please PM me the maillog during this bounce/spam problem.  I can't understand how a denial of service is possible from an external source with CSF watching the port.

Could this be a client on the box?

I would suggest enabling recordio so we can get a snapshot of these emails with headers.  I have not been able to DOS spamdyke.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-14, 07:10:05
Hi Chris,

The problem lies in the Qmailtoaster configuration that an administrator should do somewhere, and most likely it goes beyond that, I suspect.

Earlier, the Qmailtoaster was wrongly configured, which Mustafa did not believe. You found that out. Because of this, I could not come close to certain trouble-shooting areas. Now this possibility is ruled out.

Most likely it is no longer a problem in compilation or wrongly configured Qmailtoaster during compilation.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: chrisf on 2014-03-14, 09:20:26
Copy and paste your maillog, where an incoming transaction occurs then it is bounced back.

Set spamdyke log-level to debug and enable recordio in qmailtoaster.  I am not wasting anymore time.  I want to see the logs after you do both, and spammer again attacks.

We are guessing.  I can not reproduce ANY of your problems.  You can send whatever mail you like to 'cc-server.us' watch what happens.
Title: Re: [QMAIL] Recipient Verification to avoid spamming
Post by: Kloxo-DR on 2014-03-14, 12:34:23
Hi Chris,

Everything is described in this thread sufficiently. I am not going to describe them with different dates.

If there are problems, then they should remain and I should find my way with that.