DOS attacked :(

Pete pete at eatathome.com.au
Thu Mar 4 12:27:20 GMT 2004


Drew Marshall wrote:

>Rick Cooper said:
>
>
>>>-----Original Message-----
>>>From: Pete [mailto:pete at eatathome.com.au]
>>>Sent: Thursday, March 04, 2004 6:26 AM
>>>To: Rick Cooper; Julian Field; MailScanner mailing list
>>>Subject: Re: DOS attacked :(
>>>
>>>
>>>So you're sure that's all I have to do, no messing
>>>about and trying to learn BIND? If I have to learn to
>>>drive BIND I am not going to bother, but if it's a
>>>matter of just starting it up, I am happy to try, even
>>>will try right now.
>>>
>>>Other thing i wanted to know was whether an upgrade to
>>>4.28.8-4 would be the shot? Or stick with latest stable?
>>>
>>>
>>I would sort out your network problems before you go one more
>>step; MailScanner has nothing to do with this if you cannot even
>>manually ping an RBL host by name.
>>
>>It's been a while since I used a bone stock Red Hat configuration
>>and I have never bothered with RH 9, but I am sure the bone stock
>>named config is only a caching server, so it allows updates from
>>none, listens on 127.0.0.1 only and allows access from 127.0.0.1
>>only. No need to do anything clever, just resolve for the
>>localhost only.
>>
>>
>
>This will also stop Postfix if you are using any of its UCE features.
>Assuming you get some form of DNS running again, I would start just one
>Postfix process - the outgoing one (Postfix, not postfix.in) as $ postfix
>-C /etc/postfix start and watch your logs; you should see any 'outgoing'
>(scanned) queued mail be delivered, then start MailScanner and get MS to
>clear its queue, then restart the postfix.in to allow more incoming. Keep
>an eye on the log files and the mail queue ($ mailq). That at least will
>tell you where the hold-up occurs (if anywhere).
>
>
>
>>Just do the items I described earlier and redo your manual RBL
>>tests. If you can ping by name then try your MS tests again; I
>>think you will be amazed. But once you get things sorted out
>>don't forget to chkconfig --add named and chkconfig named on
>>
>>If you cannot resolve a host name nothing is going to work
>>properly. I can't imagine how you are sending the mail? Have you
>>looked at your outbound queue?
>>
>>
>>
>>>
>>>>Sorry, I thought you said you installed from source.
>>>>
>>>>Have you thought about enabling named (/etc/init.d/named start)
>>>>on your box, the default would be just a caching name server but
>>>>it would resolve from root servers without using the external DNS
>>>>servers as the default and set your /etc/resolv.conf to something
>>>>like
>>>>
>>>>options ndots:1
>>>>nameserver 127.0.0.1
>>>>nameserver current.ns.1.address
>>>>nameserver current.ns2.address
>>>>multi on
>>>>
>>>>then /etc/init.d/network restart
>>>>
>>>>You may well see a noticeable improvement with RBLS and such that
>>>>require a lot of DNS lookups. If it helps just add/enable with
>>>>chkconfig
>>>>
This is getting really weird. I tried with both the caching nameserver on
and off and have tried with 6 or more different external DNS servers that seem
to work OK when used on my XP machine. I get the same result in the MS
debug, although from the MS machine I can ping any amount of domain
names, ones I have never tried to access before now, and they work fine,
but the RBLs always fail. Have attached the log while debugging and the
output of the debug.



-------------- next part --------------
[root at mail01 root]# taillog 0
Mar  4 23:24:10 mail01 MailScanner[26092]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar  4 23:24:10 mail01 MailScanner[26092]: Config: calling custom init function MailWatchLogging
Mar  4 23:24:10 mail01 MailScanner[26092]: Initialising database connection
Mar  4 23:24:10 mail01 MailScanner[26092]: Finished initialising database connection
Mar  4 23:25:05 mail01 MailScanner[26092]: lock.pl sees Config  LockType =  flock
Mar  4 23:25:05 mail01 MailScanner[26092]: lock.pl sees have_module =  0
Mar  4 23:25:06 mail01 MailScanner[26092]: Using locktype = flock
Mar  4 23:25:07 mail01 MailScanner[26092]: New Batch: Found 6 messages waiting
Mar  4 23:25:07 mail01 MailScanner[26092]: New Batch: Scanning 1 messages, 38361 bytes
Mar  4 23:25:07 mail01 MailScanner[26092]: Spam Checks: Starting
Mar  4 23:25:46 mail01 MailScanner[26092]: SpamAssassin returned 0
Mar  4 23:25:47 mail01 MailScanner[26092]: Created attachment dirs for 1 messages
Mar  4 23:25:47 mail01 MailScanner[26092]: Virus and Content Scanning: Starting
Mar  4 23:25:47 mail01 MailScanner[26092]: Commencing scanning by clamav...
Mar  4 23:25:53 mail01 MailScanner[26092]: /var/spool/MailScanner/incoming/26092/./8546833984/pic_regid.zip: Worm.SomeFool.Gen-1 FOUND
Mar  4 23:25:53 mail01 MailScanner[26092]: Completed scanning by clamav
Mar  4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: ClamAV found 1 infections
Mar  4 23:25:53 mail01 MailScanner[26092]: Infected message 8546833984 came from 69.50.209.211
Mar  4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: Found 1 viruses
Mar  4 23:25:53 mail01 MailScanner[26092]: Saved entire message to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar  4 23:25:53 mail01 MailScanner[26092]: Saved infected "pic_regid.zip" to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar  4 23:25:54 mail01 MailScanner[26092]: Requeue: 8546833984 to 081C0C1B7
Mar  4 23:25:54 mail01 MailScanner[26092]: About to deliver 1 messages
-------------- next part --------------
Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: Score set 1 chosen.
debug: Initialising learner
debug: is Net::DNS::Resolver available? yes
debug: trying (3) amazon.com...
debug: looking up MX for 'amazon.com'
debug: MX for 'amazon.com' exists? 1
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore at compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs:
debug: RBL: success for 0 of 1 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME
debug: received-header: parsed as [ ip=69.50.209.211 rdns=nsurl.us helo=server.nsurl.us by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=203.217.40.138 rdns=m040-138.nv.iinet.net.au helo=eatathome.com.au by=server.nsurl.us ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 69.50.209.211 trusted? no
debug: received-header: relay 203.217.40.138 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: pete at eatathome.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0.077
debug: running uri tests; score so far=0.077
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.077
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs: prussell at mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=nsurl.us helo=server.nsurl.us by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'server.nsurl.us' != 'nsurl.us'
debug: forged-HELO: from=iinet.net.au helo=eatathome.com.au by=server.nsurl.us
debug: forged-HELO: mismatch on HELO: 'eatathome.com.au' != 'iinet.net.au'
debug: forged-HELO: mismatch on from: 'nsurl.us' != 'server.nsurl.us'
debug: RBL: success for 0 of 17 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for njabl-notfirsthop,njabl after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for sorbs after 40 seconds
debug: RBL: timeout for sorbs,sorbs-notfirsthop after 40 seconds
debug: RBL: timeout for njabl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for bsp-untrusted after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for bsp-firsttrusted after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: running meta tests; score so far=0.077
debug: is spam? score=0.077 required=5 tests=TW_YP
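
As an added illustration (not part of the thread or of MailScanner/SpamAssassin), a small Python helper that builds the reversed-octet name a DNSBL client queries and summarises SpamAssassin "debug: RBL:" output such as the run above, separating "ordinary DNS works but every list query timed out" from "no DNS at all". The sample lines are a constructed subset of the debug output in this message; the zone name used with `dnsbl_query_name` is a placeholder.

```python
import ipaddress
import re

# Constructed sample: a few of the SpamAssassin "debug:" lines from the
# message above, in the format that SpamAssassin 2.6x prints.
SAMPLE_DEBUG = """\
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available to hardcode)
debug: RBL: success for 0 of 17 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for njabl-notfirsthop,njabl after 40 seconds
debug: RBL: timeout for sorbs after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
""".splitlines()

RBL_SUMMARY = re.compile(r"RBL: success for (\d+) of (\d+) queries")
RBL_TIMEOUT = re.compile(r"RBL: timeout for (\S+) after (\d+) seconds")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client looks up: the address octets reversed under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def parse_rbl_debug(lines):
    """Summarise the RBL outcome of one SpamAssassin debug run."""
    summary = {"dns_ok": False, "succeeded": 0, "total": 0, "timeouts": {}}
    for line in lines:
        if "MX lookup of" in line and "succeeded" in line:
            summary["dns_ok"] = True  # ordinary resolution works
        elif m := RBL_SUMMARY.search(line):
            summary["succeeded"], summary["total"] = int(m.group(1)), int(m.group(2))
        elif m := RBL_TIMEOUT.search(line):
            summary["timeouts"][m.group(1)] = int(m.group(2))  # rule set -> seconds
    return summary


def diagnose(summary) -> str:
    """Turn the summary into the check a mail admin should run next."""
    total, ok, timeouts = summary["total"], summary["succeeded"], summary["timeouts"]
    if total == 0:
        return "no RBL queries issued: RBL checks are disabled or the message had no relays"
    if ok == 0 and timeouts and summary["dns_ok"]:
        return "resolver answers ordinary queries but every DNSBL query timed out: fix DNS/network"
    if ok == 0 and not summary["dns_ok"]:
        return "no working DNS at all: nothing will resolve until the resolver is fixed"
    if ok == total:
        return "all RBL queries answered: DNS is healthy"
    return "some RBL queries failed: check the named/blocked lists individually"
```

Run `diagnose(parse_rbl_debug(SAMPLE_DEBUG))` against the debug output of a MailScanner `--debug` run to get the classification; the 0-of-17 result above maps to the "fix DNS/network" case, which is the point Rick makes in the thread.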

