Re: need help configuring hosts.deny
Hi,
OK, I have attached a relevant piece of the logfile here.
A few things you should know:
jon00793.speed.planet.nl is the name the provider gave this internet connection
sacred-key.org is the name I chose myself for this machine
onix.sacred-key.org is the machine itself
Mail is sent with sender 'hrenzen.doc@sacred-key.org'. This
('hrenzen.doc') is not a user on the system. A computer attached to that
network (locally, domain=sacred-key.org, ip-range=192.168.0.*) had been
affected by a virus which sends random pieces
of text documents to people we do not know.
Then you see 8 addresses this message is sent to. These are the people
that complained about getting 20 mails a day.
Below that, you see a connection incoming from 194.151.193.83. This looks
suspicious. I have no idea what this does. It seems that it tries to send
a message, but stores it for about an hour before really doing it.
I traced this address as far as rt-dc2-ias-ar13.nl.kpn.net (195.190.236.78);
beyond that, traceroute only showed ***.
This connecting and sending of mail is repeated every hour.
I have no idea why Postfix accepts mail from that address. It is
configured as a mail relay for sending mail from local clients (all have
their domain set to 'sacred-key.org' and IPs 192.168.0.1, etc.).
I have only explicitly configured Postfix to relay mail with the
sender 'latus@conceptsfa.nl', with:
luser_relay = latus@conceptsfa.nl
relay_domains = tudelft.nl
This is my mother's email address. I had to do this because their ISP
account (conceptsfa.nl) was not very stable, but the other (more
stable) ISP (tudelft.nl) that I installed later did not relay mail
for the domain conceptsfa.nl, so I configured my server to send their
mail through.
Now comes the strange part: soon after the virus became active, Postfix (I
guess) decided to give some mails the sender 'hrenzen.doc@sacred-key.org'
and link this address to 'latus@conceptsfa.nl', so everything that is sent
to 'hrenzen.doc' is delivered to 'latus@conceptsfa.nl'. Why does Postfix
do this? I am sure that my mother's computer does not contain a virus,
because the computer crashed a few weeks ago, so I keep an eye on the
mail.
Thanks for reading all of this, I am very curious about what happened.
Sebastiaan
On Wed, 25 Apr 2001, Joe 'Zonker' Brockmeier wrote:
> On Wed, 25 Apr 2001, Sebastiaan wrote:
> > I have reason to believe that my computer is used as a relay host for
> > spam. Walking through the logs, I found one IP number which has no
> > name, but it connects to the computer every hour or so and sends some mail.
>
> Could you post the log please? It might help a little bit.
>
> > I want to block this address, but I have not succeeded in configuring the
> > hosts.deny file correctly. This is what I have:
> >
> > hosts.allow: empty
> > hosts.deny:
> > ALL: 1.2.3.4
> > ALL: PARANOID
> >
> > where 1.2.3.4 is the spammer's address. I want to deny him smtp access (or
> > all access to this machine).
> >
> > I tried to do this with my own ip, but I was still able to connect to port
> > 25. Telnet access was forbidden however.
> >
> > I use Postfix as maildaemon.
>
> You can find the Postfix faq here:
> http://www.postfix.org/faq.html
>
> It may give you the answer you're looking for. Also, you might want
> to track down the ISP for the IP that you believe is using your
> box as a relay. This is illegal, and I believe in many states you
> can prosecute the spammer, which I heartily encourage you to do.
> They are abusing your network and resources, as well as inflicting
> unwanted intrusions on a large number of other folks - if you lack
> the resources/expertise to track them down, please post the IP to
> the list rather than protecting them and allow someone from the list
> to do it.
>
> Take care,
>
> Zonker
> --
> Joe 'Zonker' Brockmeier -=- jbrockmeier@earthlink.net
> http://www.ZonkerBooks.net/ -=- ICQ: 43599611
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Friends help you move. Real friends help you move bodies.
>
>
Apr 22 06:55:01 onix postfix/pickup[21378]: 9E13C17C23: uid=0 from=<root>
Apr 22 06:55:02 onix postfix/cleanup[26465]: 9E13C17C23: message-id=<20010422045500.9E13C17C23@onix.sacred-key.org>
Apr 22 06:55:02 onix postfix/qmgr[20169]: 9E13C17C23: from=<root@sacred-key.org>, size=599 (queue active)
Apr 22 06:55:03 onix postfix/local[26467]: 9E13C17C23: to=<sebastia@sacred-key.org>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
Apr 22 06:59:40 onix postfix/smtpd[26470]: connect from murphy.debian.org[216.234.231.6]
Apr 22 06:59:40 onix postfix/smtpd[26470]: DCFBB1728B: client=murphy.debian.org[216.234.231.6]
Apr 22 06:59:42 onix postfix/cleanup[26471]: DCFBB1728B: message-id=<20010422145859.A18087@zip.com.au>
Apr 22 06:59:42 onix postfix/cleanup[26471]: DCFBB1728B: resent-message-id=<TiMK4D.A.XeC.sUm46@murphy>
Apr 22 06:59:42 onix postfix/qmgr[20169]: DCFBB1728B: from=<bounce-debian-user=sebas=jon00793.speed.planet.nl@lists.debian.org>, size=3576 (queue active)
Apr 22 06:59:42 onix postfix/smtpd[26470]: disconnect from murphy.debian.org[216.234.231.6]
Apr 22 06:59:43 onix postfix/local[26473]: DCFBB1728B: to=<sebas@jon00793.speed.planet.nl>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
Apr 22 07:07:46 onix postfix/qmgr[20169]: 46EC81792A: from=<hrenzen.doc@sacred-key.org>, size=63332 (queue active)
Apr 22 07:07:47 onix postfix/qmgr[20169]: 81C171792B: from=<hrenzen.doc@sacred-key.org>, size=62772 (queue active)
Apr 22 07:07:49 onix postfix/smtp[26479]: 46EC81792A: to=<e.c.c.debrouwer@kub.nl>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:49 onix postfix/smtp[26479]: 46EC81792A: to=<eborn@minkels.nl>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26479]: 46EC81792A: to=<Danny.le.Bruyn@omdnl.nl>, relay=mail.wxs.nl[195.121.6.51], delay=225040, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26479]: 46EC81792A: to=<f.van.strien@vedior.nl>, relay=mail.wxs.nl[195.121.6.51], delay=225041, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:50 onix postfix/smtp[26480]: 81C171792B: to=<e.boumeester.oriflame@filternet.nl>, relay=mail.wxs.nl[195.121.6.51], delay=215374, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<robvbeest@hotmail.com>, relay=mail.wxs.nl[195.121.6.51], delay=215374, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<ipctcc@worldonline.nl>, relay=mail.wxs.nl[195.121.6.51], delay=215375, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:07:51 onix postfix/smtp[26480]: 81C171792B: to=<copyhous@xs4all.nl>, relay=mail.wxs.nl[195.121.6.51], delay=215375, status=deferred (lost connection with mail.wxs.nl[195.121.6.51] while sending message body)
Apr 22 07:08:01 onix postfix/smtpd[26483]: connect from unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/smtpd[26483]: 9C7121728B: client=unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/cleanup[26484]: 9C7121728B: message-id=<sae283d1.040@mail.vedior.nl>
Apr 22 07:08:02 onix postfix/qmgr[20169]: 9C7121728B: from=<>, size=1134 (queue active)
Apr 22 07:08:02 onix postfix/smtpd[26483]: disconnect from unknown[194.151.193.83]
Apr 22 07:08:02 onix postfix/cleanup[26484]: 93A6717C23: message-id=<sae283d1.040@mail.vedior.nl>
Apr 22 07:08:02 onix postfix/qmgr[20169]: 93A6717C23: from=<>, size=1276 (queue active)
Apr 22 07:08:02 onix postfix/local[26485]: 9C7121728B: to=<grenzen.doc@sacred-key.org>, relay=local, delay=1, status=sent (forwarded as 93A6717C23)
Apr 22 07:08:03 onix postfix/smtp[26479]: 93A6717C23: to=<latus@conceptsfa.nl>, relay=mail.wxs.nl[195.121.6.51], delay=1, status=sent (250 Message received: GC6GXE03.JMT)
Apr 22 07:48:06 onix postfix/smtpd[26495]: connect from murphy.debian.org[216.234.231.6]
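An added example, not part of the original thread, that reads the posted log the way a practitioner would to answer the relay question. Two facts it relies on: Postfix's smtpd is spawned by master(8), not from inetd through tcpd, so /etc/hosts.deny never sees port 25 (consistent with telnet being blocked while SMTP was not); the Postfix-native equivalent is a client access map referenced from smtpd_client_restrictions. And in the excerpt above, the 194.151.193.83 connection hands in a null-sender message (from=<>, with a mail.vedior.nl message-id) for grenzen.doc@sacred-key.org, local(8) logs it as "forwarded as 93A6717C23", and that queue ID then leaves for latus@conceptsfa.nl via mail.wxs.nl; that is luser_relay at work, since luser_relay is where Postfix sends mail for local recipients that do not exist. The script below parses the log lines quoted above (copied from the post, trimmed), rebuilds the forwarding chain per queue ID, flags messages that entered from a client outside 192.168.0.0/24 (the LAN range the post describes) and were sent on to another host, and prints an access(5) fragment rejecting those clients. Function names and the map file path are my own choices.

```python
"""Trace message flow through a Postfix log: find mail that came in from a
client outside the LAN and was relayed on to another host, and emit an
access(5) fragment that rejects those clients.

Added example, not code from the original thread.  SAMPLE_LOG is copied from
the excerpt posted above (trimmed); 192.168.0.0/24 is the LAN range the post
describes.  Function names and the access-map layout are my own choices.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 22 06:59:40 onix postfix/smtpd[26470]: DCFBB1728B: client=murphy.debian.org[216.234.231.6]
Apr 22 06:59:42 onix postfix/qmgr[20169]: DCFBB1728B: from=<bounce-debian-user=sebas=jon00793.speed.planet.nl@lists.debian.org>, size=3576 (queue active)
Apr 22 06:59:43 onix postfix/local[26473]: DCFBB1728B: to=<sebas@jon00793.speed.planet.nl>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
Apr 22 07:08:01 onix postfix/smtpd[26483]: connect from unknown[194.151.193.83]
Apr 22 07:08:01 onix postfix/smtpd[26483]: 9C7121728B: client=unknown[194.151.193.83]
Apr 22 07:08:02 onix postfix/qmgr[20169]: 9C7121728B: from=<>, size=1134 (queue active)
Apr 22 07:08:02 onix postfix/qmgr[20169]: 93A6717C23: from=<>, size=1276 (queue active)
Apr 22 07:08:02 onix postfix/local[26485]: 9C7121728B: to=<grenzen.doc@sacred-key.org>, relay=local, delay=1, status=sent (forwarded as 93A6717C23)
Apr 22 07:08:03 onix postfix/smtp[26479]: 93A6717C23: to=<latus@conceptsfa.nl>, relay=mail.wxs.nl[195.121.6.51], delay=1, status=sent (250 Message received: GC6GXE03.JMT)
"""

# One queue record: "postfix/<program>[pid]: <queue id>: <rest>"
RE_RECORD = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
RE_CLIENT = re.compile(r"client=(?P<host>\S+)\[(?P<ip>[0-9.]+)\]")
RE_FROM = re.compile(r"from=<(?P<addr>[^>]*)>")  # empty sender = bounce
RE_TO = re.compile(r"to=<(?P<addr>[^>]+)>, relay=(?P<relay>[^,]+), "
                   r"delay=\d+, status=(?P<status>\w+) \((?P<detail>.*)\)$")
RE_FORWARDED = re.compile(r"forwarded as (?P<qid>[0-9A-F]+)")


def parse_log(text):
    """Group log lines by queue ID: submitting client, envelope sender, deliveries."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    for line in text.splitlines():
        m = RE_RECORD.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec, rest = msgs[m["qid"]], m["rest"]
        if m["prog"] == "smtpd":
            c = RE_CLIENT.search(rest)
            if c:
                rec["client"] = (c["host"], c["ip"])
        elif m["prog"] == "qmgr":
            f = RE_FROM.search(rest)
            if f:
                rec["sender"] = f["addr"]
        elif m["prog"] in ("local", "smtp"):
            t = RE_TO.search(rest)
            if t:
                fwd = RE_FORWARDED.search(t["detail"])
                rec["deliveries"].append({"to": t["addr"], "relay": t["relay"],
                                          "status": t["status"],
                                          "forwarded_as": fwd["qid"] if fwd else None})
    return dict(msgs)

def trace(msgs, qid, seen=None):
    """Follow a message through local(8) forwarding; return every delivery hop."""
    seen = set() if seen is None else seen
    if qid in seen or qid not in msgs:
        return []
    seen.add(qid)
    hops = []
    for d in msgs[qid]["deliveries"]:
        hops.append((qid, d["to"], d["relay"], d["status"]))
        if d["forwarded_as"]:
            hops.extend(trace(msgs, d["forwarded_as"], seen))
    return hops

def relayed_from_outside(msgs, mynetworks):
    """Messages accepted from outside mynetworks whose chain left the box via smtp(8).
    Mail that only ended in a local mailbox (the list traffic) is not flagged."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    findings = []
    for qid, rec in msgs.items():
        if rec["client"] is None:
            continue  # local submission, or the smtpd line lies outside the excerpt
        host, ip = rec["client"]
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        hops = trace(msgs, qid)
        outbound = [h for h in hops if h[2] != "local"]
        if outbound:
            findings.append({"client_ip": ip, "client_name": host,
                             "sender": rec["sender"], "queue_ids": [h[0] for h in hops],
                             "first_rcpt": hops[0][1], "final_rcpt": outbound[-1][1],
                             "final_relay": outbound[-1][2]})
    return findings

def access_map(findings):
    """access(5) lines for the offending clients, ready for postmap(1)."""
    return sorted({"%s\tREJECT" % f["client_ip"] for f in findings})

if __name__ == "__main__":
    hits = relayed_from_outside(parse_log(SAMPLE_LOG), ["192.168.0.0/24"])
    for h in hits:
        print("%(client_ip)s sent from=<%(sender)s> to %(first_rcpt)s, which left for "
              "%(final_rcpt)s via %(final_relay)s (%(queue_ids)s)" % h)
    print("\n".join(access_map(hits)))
```

To use the output, put the printed lines in /etc/postfix/client_access (path is my choice), run `postmap hash:/etc/postfix/client_access`, and add `smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access` to main.cf; unlike hosts.deny, that is evaluated by smtpd itself. Rejecting one bounce source does not close the forwarding path, though: as long as luser_relay points at an outside address, mail for any nonexistent local user, from any client, will keep being relayed there, so the setting itself is what needs to go if outside mail is not meant to reach that mailbox.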