sanddy n00b
Joined: 26 Mar 2008 Posts: 3
|
Posted: Wed Mar 26, 2008 8:34 am Post subject: [QMAIL] Infected with spam, messages in queue
|
|
Hello,
Since we tried to update our version, we have been infected with spam...
All the e-mails on our OVH Gentoo release 2 dedicated server are still blocked!
Code: |
# /var/qmail/bin/qmail-qstat
messages in queue: 276
messages in queue but not yet preprocessed: 203
|
Several files keep filling up nonstop!
Code: |
# du -s /var/spool/qscan/*| sort -rn
481440 /var/spool/qscan/qmail-queue.log
12188 /var/spool/qscan/quarantine
|
The latest qmail-queue logs:
Code: |
Wed, 26 Mar 2008 09:10:59 CET:28357: +++ starting debugging for process 28357 (ppid=28446) by uid=508
Wed, 26 Mar 2008 09:10:59 CET:20190: SA: yup, this smells like SPAM - hits=25.3/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:10:59 CET:20190: SA: finished scan in 3.359068 secs - hits=25.3/5.0
Wed, 26 Mar 2008 09:10:59 CET:20190: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905576720190"...
Wed, 26 Mar 2008 09:10:59 CET:20190: ------ Process 20190 finished. Total of 3.375677 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: +++ starting debugging for process 26769 (ppid=16408) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:3718: +++ starting debugging for process 3718 (ppid=31757) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:23902: +++ starting debugging for process 23902 (ppid=3598) by uid=508
Wed, 26 Mar 2008 09:11:00 CET:28357: w_c: Total time between DATA command and "." was 6.5e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:28357: w_c: elapsed time from start 7.4e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:28357: g_e_h: return-path='smjyjrven@yahoo.com', recips='vio-777@yahoo.com.tw,jwphd2088@yahoo.com.tw,nike8323912@yahoo.com.tw,sophie_liu_0702@yahoo.com.tw,ing0521@yahoo.com.tw,jacobliu44@yahoo.com.tw,cyeekenny@yahoo.com.tw,janesd4813@yahoo.com.tw,good_0108@yahoo.com.tw'
Wed, 26 Mar 2008 09:11:00 CET:28357: from='"hans chris" <smjyjrven@yahoo.com>', subj='¦n±d¬Û³ø¡A½ÐªY½à¤@¤U!', via SMTP from 116.7.21.38
Wed, 26 Mar 2008 09:11:00 CET:28357: clamdscan: finished scan in 0.004448 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: w_c: Total time between DATA command and "." was 6e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: w_c: elapsed time from start 7.5e-05 secs
Wed, 26 Mar 2008 09:11:00 CET:26769: g_e_h: return-path='®l¤é¶§¥úªºd.@gmail.com', recips='pcmlam@yahoo.com.tw,cucei@yahoo.com.tw,vland@yahoo.com.tw,iiself@ms95.url.com.tw'
Wed, 26 Mar 2008 09:11:00 CET:26769: from='"¶¾µa¤¤" <®L¤é¶§¥úªºD.@gmail.com>', subj='¡¹³Ì·s¹CÀ¸¡D¹qµø¹CÀ¸¡DPSPµ{¦¡¡DÀ³¦³ºÉ¦³³á¡I¡IAAA6Q ', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:00 CET:26769: clamdscan: finished scan in 0.004603 secs
Wed, 26 Mar 2008 09:11:00 CET:12632: SA: yup, this smells like SPAM - hits=24.5/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:00 CET:12632: SA: finished scan in 2.657502 secs - hits=24.5/5.0
Wed, 26 Mar 2008 09:11:00 CET:12632: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905776712632"...
Wed, 26 Mar 2008 09:11:00 CET:12632: ------ Process 12632 finished. Total of 2.672851 secs
Wed, 26 Mar 2008 09:11:00 CET:6284: +++ starting debugging for process 6284 (ppid=22566) by uid=508
Wed, 26 Mar 2008 09:11:01 CET:23902: w_c: Total time between DATA command and "." was 6.2e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:23902: w_c: elapsed time from start 7.1e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:23902: g_e_h: return-path='wihvxfxuxss@yahoo.com', recips='moon.bebe@msa.hinet.net,jh.lin724@msa.hinet.net,battle.zone@msa.hinet.net,su.weijung@msa.hinet.net,hsifu73.lin@msa.hinet.net,tracy.jcm@msa.hinet.net'
Wed, 26 Mar 2008 09:11:01 CET:23902: from='"tsou laurent" <wihvxfxuxss@yahoo.com>', subj='°Ó°È³nÅé. ±M·~¾Ç²ß. ¥®±Ð³nÅé. ¦r«¬³nÅé', via SMTP from 116.25.131.67
Wed, 26 Mar 2008 09:11:01 CET:23902: clamdscan: finished scan in 0.004323 secs
Wed, 26 Mar 2008 09:11:01 CET:23283: SA: yup, this smells like SPAM - hits=22.0/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:23283: SA: finished scan in 10.135155 secs - hits=22.0/5.0
Wed, 26 Mar 2008 09:11:01 CET:23283: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905076723283"...
Wed, 26 Mar 2008 09:11:01 CET:23283: ------ Process 23283 finished. Total of 10.150963 secs
Wed, 26 Mar 2008 09:11:01 CET:11053: SA: yup, this smells like SPAM - hits=22.9/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:11053: SA: finished scan in 4.240208 secs - hits=22.9/5.0
Wed, 26 Mar 2008 09:11:01 CET:11053: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905676711053"...
Wed, 26 Mar 2008 09:11:01 CET:11053: ------ Process 11053 finished. Total of 4.256832 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: w_c: Total time between DATA command and "." was 6.7e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: w_c: elapsed time from start 7.3e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:6284: g_e_h: return-path='´é±ö_@xuite.net', recips='76.10.10@yahoo.com.tw,tenso@yahoo.com.tw,chin_chen168@ms94.url.com.tw,jjwc@yahoo.com.tw,chin78599@ms93.url.com.tw,compp@ms47.url.com.tw'
Wed, 26 Mar 2008 09:11:01 CET:6284: from='"¤ý²Q§g" <´é±ö_@xuite.net>', subj='³nÅ鶰¤¤Àç¥Ø¿ý§ó·s³qª¾jlTgAF', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:01 CET:6284: clamdscan: finished scan in 0.00413 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: w_c: Total time between DATA command and "." was 6.1e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: w_c: elapsed time from start 7.3e-05 secs
Wed, 26 Mar 2008 09:11:01 CET:3718: g_e_h: return-path='_ªl¨}¥ç@xuite.net', recips='rufer@yahoo.com.tw,cross320@yahoo.com.tw,ivant@yahoo.com.tw,cutiepuppy18@yahoo.com.tw'
Wed, 26 Mar 2008 09:11:01 CET:3718: from='"§õ«T¥°" <_ªL¨}¥ç@xuite.net>', subj='À³¦³ºÉ¦³!! ºô¸ô¤W³Ì»ô¥þ³Ì«K©y³nÅéºô!!tbUrO', via SMTP from 116.30.246.36
Wed, 26 Mar 2008 09:11:01 CET:3718: clamdscan: finished scan in 0.004183 secs
Wed, 26 Mar 2008 09:11:01 CET:73: SA: yup, this smells like SPAM - hits=22.0/5.0/5.1 - message deleted ...
Wed, 26 Mar 2008 09:11:01 CET:73: SA: finished scan in 3.632248 secs - hits=22.0/5.0
Wed, 26 Mar 2008 09:11:01 CET:73: ini_sc: finished scan of "/var/spool/qscan/tmp/ns26252.ovh.net120651905776773"...
Wed, 26 Mar 2008 09:11:01 CET:73: ------ Process 73 finished. Total of 3.649366 secs
|
It really fills up fast, every second
Code: |
# du -s /home/log/*| sort -rn
571260 /home/log/mail.log
404588 /home/log/mail.info
87648 /home/log/mail.warn
84188 /home/log/xferlog
76876 /home/log/mail.err
47088 /home/log/httpd
29580 /home/log/qmail
29404 /home/log/qmailsmtp
|
Every second, close to 10 spam messages leave or arrive at our dedicated server...
We found mainly 2 IP addresses, but how do we block them, please???
There must surely be a way to block a spammer's SMTP IP address under Linux, on the qmail of our dedicated server?...
PLEASE, HELP!!!
So my question is simple: how do we block an IP address that is spamming us???
Last edited by sanddy on Wed Mar 26, 2008 1:25 pm; edited 1 time in total |
|
Bapt Veteran
Joined: 14 Apr 2003 Posts: 1152 Location: Paris
|
Posted: Wed Mar 26, 2008 9:16 am Post subject: |
|
|
iptables -I INPUT -s @IP -j DROP |
|
ultrabug Developer
Joined: 24 Jan 2005 Posts: 698 Location: Paris
|
Posted: Wed Mar 26, 2008 9:27 am Post subject: |
|
|
Er, if I've understood your problem correctly, your qmail server is configured as an open relay, and that's serious!
(open relay = agrees to relay mail for anyone)
Blocking the sending IP will only solve your problem for a few hours, because spammers mostly use botnets, which by definition have thousands of different IPs. The real solution is to shut qmail down and configure it so that it is no longer an open relay!
|
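The point made in the reply above (the relayed spam is spread over many sources, so the thing to measure is relaying itself) can be checked against the qmail-scanner debug log quoted in the first post. This is an added example, not part of any post in the thread: the function name `relayed_by_source`, its `trusted_ips` parameter, the domain `mydomain.example` and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the qmail-scanner debug format quoted in the thread;
# domains and IPs are reserved example/documentation values.
SAMPLE_LOG = """\
Wed, 26 Mar 2008 09:11:00 CET:101: g_e_h: return-path='a@spam.example', recips='x@other.example,y@other.example'
Wed, 26 Mar 2008 09:11:00 CET:102: g_e_h: return-path='b@spam.example', recips='z@third.example'
Wed, 26 Mar 2008 09:11:00 CET:101: from='"A" <a@spam.example>', subj='s1', via SMTP from 203.0.113.7
Wed, 26 Mar 2008 09:11:01 CET:102: from='"B" <b@spam.example>', subj='s2', via SMTP from 203.0.113.7
Wed, 26 Mar 2008 09:11:01 CET:103: g_e_h: return-path='c@partner.example', recips='info@mydomain.example'
Wed, 26 Mar 2008 09:11:01 CET:103: from='"C" <c@partner.example>', subj='s3', via SMTP from 198.51.100.9
Wed, 26 Mar 2008 09:11:02 CET:104: g_e_h: return-path='d@spam.example', recips='q@other.example,sales@mydomain.example'
Wed, 26 Mar 2008 09:11:02 CET:104: from='"D" <d@spam.example>', subj='s4', via SMTP from 192.0.2.55
"""

# Both line types carry the scanner PID, which ties an envelope to its client IP.
ENVELOPE = re.compile(r":(\d+): g_e_h: return-path='.*?', recips='(.*?)'\s*$")
SOURCE = re.compile(r":(\d+): from=.*, via SMTP from (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def relayed_by_source(log_text, local_domains, trusted_ips=()):
    """Count, per client IP, messages that have at least one non-local recipient."""
    local = {d.lower() for d in local_domains}
    pending = {}  # pid -> recipient domains seen, waiting for the "via SMTP" line
    relayed = Counter()
    for line in log_text.splitlines():
        m = ENVELOPE.search(line)
        if m:
            rcpts = [r for r in m.group(2).split(",") if r]
            pending[m.group(1)] = [r.rsplit("@", 1)[-1].lower() for r in rcpts]
            continue
        m = SOURCE.search(line)
        if m and m.group(1) in pending:
            domains = pending.pop(m.group(1))
            ip = m.group(2)
            # Mail from your own submitters legitimately goes to foreign domains.
            if ip not in trusted_ips and any(d not in local for d in domains):
                relayed[ip] += 1
    return relayed

if __name__ == "__main__":
    hits = relayed_by_source(SAMPLE_LOG, {"mydomain.example"})
    for ip, count in hits.most_common():
        print(f"{count:5d} message(s) relayed to foreign domains from {ip}")
```

Once the relay is closed, this count should drop to zero for every address outside `trusted_ips`; any source that still appears is being accepted for relaying.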
sanddy n00b
Joined: 26 Mar 2008 Posts: 3
|
Posted: Wed Mar 26, 2008 10:03 am Post subject: |
|
|
Hello, yes, I had set it up as an open relay!
I had set: Accepted domain = any domain...
Well, I changed all that and put in only our domains (Domains listed below...), but there's a problem: our mails get queued if I don't enable open relay:
Code: |
# /var/qmail/bin/qmail-qstat
messages in queue: 26
messages in queue but not yet preprocessed: 6
|
It's growing fast...
|
geekounet Bodhisattva
Joined: 11 Oct 2004 Posts: 3772
|
Posted: Wed Mar 26, 2008 1:06 pm Post subject: |
|
|
Hi and welcome!
Could you please bring your topic title into line with our forum's conventions? Thanks
|
sanddy n00b
Joined: 26 Mar 2008 Posts: 3
|
Posted: Wed Mar 26, 2008 1:27 pm Post subject: |
|
|
There, I've changed the title
Oh dear, I still have e-mail queue problems:
Code: |
# /etc/init.d/qmail restart
* Starting Qmail ... [ ok ]
* Starting Pop ... [ ok ]
* Starting Smtp ... [ ok ]
multilog: fatal: unable to lock directory /var/log/qmailsmtp/: temporary failure
|
How can we avoid too many e-mails being put in the queue, please???
|
kwenspc Advocate
Joined: 21 Sep 2003 Posts: 4954
|
Posted: Wed Mar 26, 2008 1:36 pm Post subject: |
|
|
At this point I think you need to read the qmail documentation. For a start, running the server as an open relay is the best way to get your mail server blacklisted. Stop your mail server, read the qmail documentation and proceed step by step, configuring only what is strictly necessary.
_________________
unofficial member of the ATI Gentoo after-sales support
|