Gentoo Forums
[QMAIL] Infected with spam, messages in queue
sanddy
n00b

Joined: 26 Mar 2008
Posts: 3

Posted: Wed Mar 26, 2008 8:34 am    Post subject: [QMAIL] Infected with spam, messages in queue

Hello,

Since we tried to upgrade our version, we have been infected with spam...

All the e-mails on our OVH dedicated server (Gentoo release 2) are still blocked! :(

Code:

 # /var/qmail/bin/qmail-qstat
messages in queue: 276
messages in queue but not yet preprocessed: 203



Several files keep filling up non-stop! :(

Code:

 # du -s /var/spool/qscan/*| sort -rn
481440  /var/spool/qscan/qmail-queue.log
12188   /var/spool/qscan/quarantine


The latest qmail-queue logs:
Code:

Wed, 26 Mar 2008 09:10:59 CET:28357: +++ starting debugging for process 28357 (ppid=28446) by uid=508
Wed, 26 Mar 2008 09:10:59 CET:20190: SA: yup, this smells like SPAM - hits=25.3/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:10:59 CET:20190: SA: finished scan in 3.359068 secs - hits=25.3/5.0
Wed, 26 Mar 2008 09:10:59 CET:20190: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905576720190"...
Wed, 26 Mar 2008 09:10:59 CET:20190: ------ Process 20190 finished. Total of 3.375677 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: +++ starting debugging for process 26769 (ppid=16408) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:3718: +++ starting debugging for process 3718 (ppid=31757) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:23902: +++ starting debugging for process 23902 (ppid=3598) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:28357: w_c: Total time between DATA command and "." was 6.5e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:28357: w_c: elapsed time from start 7.4e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:28357: g_e_h: return-path='smjyjrven@yahoo.com', recips='vio-777@yahoo.com.tw,jwphd2088@yahoo.com.tw,nike8323912@yahoo.com.tw,sophie_liu_0702@yahoo.com.tw,ing0521@yahoo.com.tw,jacobliu44@yahoo.com.tw,cyeekenny@yahoo.com.tw,janesd4813@yahoo.com.tw,good_0108@yahoo.com.tw'
Wed, 26 Mar 2008 09:11:00 CET:28357: from='"hans chris" <smjyjrven@yahoo.com>', subj='¦n±d¬Û³ø¡A½ÐªY½à¤@¤U!', via SMTP from 116.7.21.38
Wed, 26 Mar 2008 09:11:00 CET:28357: clamdscan: finished scan in 0.004448 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: w_c: Total time between DATA command and "." was 6e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: w_c: elapsed time from start 7.5e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: g_e_h: return-path='®l¤é¶§¥úªºd.@gmail.com', recips='pcmlam@yahoo.com.tw,cucei@yahoo.com.tw,vland@yahoo.com.tw,iiself@ms95.url.com.tw'
Wed, 26 Mar 2008 09:11:00 CET:26769: from='"¶¾µa¤¤" <®L¤é¶§¥úªºD.@gmail.com>', subj='¡¹³Ì·s¹CÀ¸¡D¹qµø¹CÀ¸¡DPSPµ{¦¡¡DÀ³¦³ºÉ¦³³á¡I¡IAAA6Q ', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:00 CET:26769: clamdscan: finished scan in 0.004603 secs
Wed, 26 Mar 2008 09:11:00 CET:12632: SA: yup, this smells like SPAM - hits=24.5/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:00 CET:12632: SA: finished scan in 2.657502 secs - hits=24.5/5.0
Wed, 26 Mar 2008 09:11:00 CET:12632: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905776712632"...
Wed, 26 Mar 2008 09:11:00 CET:12632: ------ Process 12632 finished. Total of 2.672851 secs
Wed, 26 Mar 2008 09:11:00 CET:6284: +++ starting debugging for process 6284 (ppid=22566) by uid=508
Wed, 26 Mar 2008 09:11:01 CET:23902: w_c: Total time between DATA command and "." was 6.2e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:23902: w_c: elapsed time from start 7.1e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:23902: g_e_h: return-path='wihvxfxuxss@yahoo.com', recips='moon.bebe@msa.hinet.net,jh.lin724@msa.hinet.net,battle.zone@msa.hinet.net,su.weijung@msa.hinet.net,hsifu73.lin@msa.hinet.net,tracy.jcm@msa.hinet.net'
Wed, 26 Mar 2008 09:11:01 CET:23902: from='"tsou laurent" <wihvxfxuxss@yahoo.com>', subj='°Ó°È³nÅé. ±M·~¾Ç²ß. ¥®±Ð³nÅé. ¦r«¬³nÅé', via SMTP from 116.25.131.67
Wed, 26 Mar 2008 09:11:01 CET:23902: clamdscan: finished scan in 0.004323 secs
Wed, 26 Mar 2008 09:11:01 CET:23283: SA: yup, this smells like SPAM - hits=22.0/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:23283: SA: finished scan in 10.135155 secs - hits=22.0/5.0
Wed, 26 Mar 2008 09:11:01 CET:23283: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905076723283"...
Wed, 26 Mar 2008 09:11:01 CET:23283: ------ Process 23283 finished. Total of 10.150963 secs
Wed, 26 Mar 2008 09:11:01 CET:11053: SA: yup, this smells like SPAM - hits=22.9/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:11053: SA: finished scan in 4.240208 secs - hits=22.9/5.0
Wed, 26 Mar 2008 09:11:01 CET:11053: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905676711053"...
Wed, 26 Mar 2008 09:11:01 CET:11053: ------ Process 11053 finished. Total of 4.256832 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: w_c: Total time between DATA command and "." was 6.7e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: w_c: elapsed time from start 7.3e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: g_e_h: return-path='´é±ö_@xuite.net', recips='76.10.10@yahoo.com.tw,tenso@yahoo.com.tw,chin_chen168@ms94.url.com.tw,jjwc@yahoo.com.tw,chin78599@ms93.url.com.tw,compp@ms47.url.com.tw'
Wed, 26 Mar 2008 09:11:01 CET:6284: from='"¤ý²Q§g" <´é±ö_@xuite.net>', subj='³nÅ鶰¤¤Àç¥Ø¿ý§ó·s³qª¾jlTgAF', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:01 CET:6284: clamdscan: finished scan in 0.00413 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: w_c: Total time between DATA command and "." was 6.1e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: w_c: elapsed time from start 7.3e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: g_e_h: return-path='_ªl¨}¥ç@xuite.net', recips='rufer@yahoo.com.tw,cross320@yahoo.com.tw,ivant@yahoo.com.tw,cutiepuppy18@yahoo.com.tw'
Wed, 26 Mar 2008 09:11:01 CET:3718: from='"§õ«T¥°" <_ªL¨}¥ç@xuite.net>', subj='À³¦³ºÉ¦³!! ºô¸ô¤W³Ì»ô¥þ³Ì«K©y³nÅéºô!!tbUrO', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:01 CET:3718: clamdscan: finished scan in 0.004183 secs
Wed, 26 Mar 2008 09:11:01 CET:73: SA: yup, this smells like SPAM - hits=22.0/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:73: SA: finished scan in 3.632248 secs - hits=22.0/5.0
Wed, 26 Mar 2008 09:11:01 CET:73: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905776773"...
Wed, 26 Mar 2008 09:11:01 CET:73: ------ Process 73 finished. Total of 3.649366 secs


It really fills up fast, every second :(
Code:

# du -s /home/log/*| sort -rn
571260  /home/log/mail.log
404588  /home/log/mail.info
87648   /home/log/mail.warn
84188   /home/log/xferlog
76876   /home/log/mail.err
47088   /home/log/httpd
29580   /home/log/qmail
29404   /home/log/qmailsmtp


Every second, nearly 10 spam messages leave or arrive at our dedicated server...
We found mainly 2 IP addresses, but how do we block them, please???
There must be a way to block a spammer's SMTP IP address on Linux in qmail on our dedicated server?...
PLEASE, HELP!!!

So my question is simple: how do we block an IP address that is spamming us???


Last edited by sanddy on Wed Mar 26, 2008 1:25 pm; edited 1 time in total

Bapt
Veteran

Joined: 14 Apr 2003
Posts: 1152
Location: Paris

Posted: Wed Mar 26, 2008 9:16 am

iptables -I INPUT -s @IP -j DROP

ultrabug
Developer

Joined: 24 Jan 2005
Posts: 698
Location: Paris

Posted: Wed Mar 26, 2008 9:27 am

Uh, if I've understood your problem correctly, your qmail server is configured as an open relay, and that's serious!

(open relay = agrees to relay mail for anyone)

Blocking the sending IP will only solve your problem for a few hours, because spammers mostly use botnets, which by definition have thousands of different IPs. The real solution is to shut qmail down and configure it so that it is no longer an open relay!
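
Added example (not part of the original thread): Python code that checks the diagnosis above against a qmail-scanner debug log in the format posted in the first message. It pairs each g_e_h line with the "via SMTP from" line of the same process ID and counts, per source IP, the messages with no recipient in a local domain, which is what relayed traffic looks like. The sample lines and the local domain mydomain.example are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the qmail-scanner debug format shown in the thread
# (documentation addresses, not values from the original log).
SAMPLE_LOG = """\
Wed, 26 Mar 2008 09:11:00 CET:101: g_e_h: return-path='a@example.net', recips='x@example.org,y@example.org'
Wed, 26 Mar 2008 09:11:00 CET:102: g_e_h: return-path='b@example.net', recips='z@example.org'
Wed, 26 Mar 2008 09:11:00 CET:101: from='"A" <a@example.net>', subj='s1', via SMTP from 192.0.2.10
Wed, 26 Mar 2008 09:11:01 CET:102: from='"B" <b@example.net>', subj='s2', via SMTP from 192.0.2.10
Wed, 26 Mar 2008 09:11:01 CET:103: g_e_h: return-path='c@example.net', recips='info@mydomain.example'
Wed, 26 Mar 2008 09:11:01 CET:103: from='"C" <c@example.net>', subj='s3', via SMTP from 198.51.100.7
Wed, 26 Mar 2008 09:11:01 CET:103: clamdscan: finished scan in 0.004 secs
"""

LINE = re.compile(r"^.*? [A-Z]{2,5}:(\d+): (.*)$")   # "<date> <TZ>:<pid>: <message>"
RECIPS = re.compile(r"g_e_h: return-path='.*?', recips='([^']*)'")
VIA = re.compile(r"via SMTP from (\d{1,3}(?:\.\d{1,3}){3})\s*$")


def relay_report(log_text, local_domains):
    """Per source IP: messages, recipients, and messages with no local recipient."""
    recips_by_pid = {}  # envelope recipients waiting for their "via SMTP" line
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "relayed": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, rest = m.groups()
        r = RECIPS.search(rest)
        if r:
            recips_by_pid[pid] = [a.strip().lower() for a in r.group(1).split(",") if a.strip()]
            continue
        v = VIA.search(rest)
        if v and pid in recips_by_pid:
            recips = recips_by_pid.pop(pid)  # pop: process IDs get reused
            row = report[v.group(1)]
            row["messages"] += 1
            row["recipients"] += len(recips)
            # No recipient in a domain we host: the message is only passing through.
            if not {a.rpartition("@")[2] for a in recips} & local_domains:
                row["relayed"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, row in relay_report(SAMPLE_LOG, {"mydomain.example"}).items():
        print(ip, row)
```

A message with no local recipient is not proof of abuse on its own: mail submitted by your own users looks the same, so compare the source IPs with the networks you expect to send through the server.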

sanddy
n00b

Joined: 26 Mar 2008
Posts: 3

Posted: Wed Mar 26, 2008 10:03 am

Hello, yes, I had set it up as an open relay!
I had set: Accepted domain = any domain...

Well, I changed all that and put in only our domains (Domains listed below...), but there's a problem: our mails go into the queue if I don't enable open relay :( :

Code:

# /var/qmail/bin/qmail-qstat
messages in queue: 26
messages in queue but not yet preprocessed: 6


It's growing fast...

geekounet
Bodhisattva

Joined: 11 Oct 2004
Posts: 3772
Location: Wellington, Aotearoa

Posted: Wed Mar 26, 2008 1:06 pm

Hi and welcome!
Could you please bring your topic title into line with our forum's conventions? Thanks :)

sanddy
n00b

Joined: 26 Mar 2008
Posts: 3

Posted: Wed Mar 26, 2008 1:27 pm

There, I've changed the title ;)

Ah well, I still have e-mail queue problems:


Code:

# /etc/init.d/qmail restart
 * Starting Qmail ...    [ ok ]
 * Starting Pop ...      [ ok ]
 * Starting Smtp ...     [ ok ]
multilog: fatal: unable to lock directory /var/log/qmailsmtp/: temporary failure


How can we keep too many e-mails from being queued, please???

kwenspc
Advocate

Joined: 21 Sep 2003
Posts: 4954

Posted: Wed Mar 26, 2008 1:36 pm

At this point I think you need to read the qmail documentation. For a start, running the server as an open relay is the best way to get your mail server blacklisted. Stop your mail server, read the qmail docs and proceed step by step, configuring only what is strictly necessary.
_________________
unofficial member of the Ati GEntoo after-sales service
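
Added example (not from the thread or from the qmail project): a Python model of how stock qmail-smtpd decides whether to accept a recipient, used to compare an open-relay configuration with a restricted one. It assumes the standard mechanisms, control/rcpthosts and the RELAYCLIENT variable set through tcprules, and handles only IP-prefix rules; the rule sets, IPs and domains are constructed.

```python
def parse_tcprules(text):
    """Parse tcprules source lines into {address_prefix: (action, sets_relayclient)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, instr = line.partition(":")   # '' is the default rule
        action, _, env = instr.partition(",")  # 'allow' or 'deny', then VAR="value" pairs
        rules[addr] = (action, "RELAYCLIENT=" in env)
    return rules


def match_rule(rules, ip):
    """Most specific rule wins: exact IP, then dotted prefixes, then the default ''."""
    parts = ip.split(".")
    for key in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return ("allow", False)  # no matching rule: connection allowed, environment unchanged


def accepts_rcpt(client_ip, rcpt_domain, rcpthosts, rules):
    """rcpthosts is a list of entries, or None when the control file does not exist."""
    action, relayclient = match_rule(rules, client_ip)
    if action == "deny":
        return False
    if relayclient or rcpthosts is None:
        return True  # RELAYCLIENT set, or no rcpthosts file: any domain is accepted
    d = rcpt_domain.lower()
    return any(d == h or (h.startswith(".") and d.endswith(h)) for h in rcpthosts)


# Constructed configurations: an outside client and a domain the server does not host.
OUTSIDER, FOREIGN = "203.0.113.5", "not-ours.example"
WEAK = (None, parse_tcprules(":allow"))
HARDENED = (["mydomain.example"], parse_tcprules('127.:allow,RELAYCLIENT=""\n:allow'))


def is_open_relay(rcpthosts, rules):
    """True when an arbitrary outside client may send to a domain we do not host."""
    return accepts_rcpt(OUTSIDER, FOREIGN, rcpthosts, rules)


if __name__ == "__main__":
    print("weak config is an open relay:", is_open_relay(*WEAK))
    print("hardened config is an open relay:", is_open_relay(*HARDENED))
    print("hardened, localhost may relay:", accepts_rcpt("127.0.0.1", FOREIGN, *HARDENED))
```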