Koozali.org: home of the SME Server

qpsmtpd rules

Offline alt-network

qpsmtpd rules
« Reply #15 on: December 14, 2006, 04:57:24 AM »
Thanks for the responses. It is an issue when you have very large customers crashing because of this.

I have been working with SME since it was e-smith 2.0. I am sorry if I was not detailed. A lot of times I have trouble finding anyone who can help at the tech level.

I want to apologize. In SME 6.5 it would resend the email back to the email address of the person who sent the email, and if the email address was forged it would send it to that email address and not to the person who sent it. I did not know that in SME 7 they have changed it. I did not do my homework ; )

The badrcptto would not work because the user that the email is being sent to is random.

The virus that came out last week was-
Malware.Trojan.Backdoor.Gen

Thank you for your help!!!!!!!!!!!!!!!

Offline raem

qpsmtpd rules
« Reply #16 on: December 14, 2006, 06:25:00 AM »
alt-network

Out of interest, do you run those customers' sme7 servers with RBL lists enabled (if so, which lists), with executable content filtering enabled (all except zipv2), and with spamassassin enabled to reject above a score of 15?
...

Offline alt-network

qpsmtpd rules
« Reply #17 on: December 14, 2006, 06:52:13 AM »
Yes on all. I have had my customers running on SME since e-smith 2. I have worked with VPN on SME before it was widely used. I have found it working better than micro***t from day 1.

I have the spamassassin set at 10 because I have found that any emails over 10 are all spam and I don't want to waste my time on them.

I have the default RBL, which works fine, and have been looking into fine-tuning that.

I also host over 20 websites on SME 6.5 and am looking forward to moving over to SME 7 for the improved email handling.

Offline raem

qpsmtpd rules
« Reply #18 on: December 14, 2006, 07:20:11 AM »
alt-network

> I also host over 20 websites on sme 6.5 and looking forward to
> moving over to sme 7 for the improved email handling

So you are not yet using sme7 !
sme7 is better in many respects, not only just mail handling improvements.
...

Offline alt-network

qpsmtpd rules
« Reply #19 on: December 14, 2006, 07:57:25 AM »
Yes, I agree.

I have a replacement server going in this month with sme 7 but still waiting for my memory upgrade to come in.

Offline alt-network

qpsmtpd rules
« Reply #20 on: December 16, 2006, 01:17:04 AM »
Thank you for your help.

I finally decided to do some homework and learn more about qpsmtpd.

I found that the goodrcptto plugin in qpsmtpd is doing what I was looking for.

    http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch

"A qmail server will normally accept email for any recipient address at a domain.
This patch causes the server to reject single recipient email to an invalid
recipient, and filter out the invalid recipients from multiple recipient email,
while accepting the message for the valid recipients.
This occurs during the initial SMTP conversation for a reduction in disk I/O.
The server rejects attempts to queue messages to non existent recipients, and joe job bounces to forged recipients, preventing them from becoming double bounces."

What is still happening is that hundreds of emails with hundreds of email addresses in each email are hitting the server to the point that qpsmtpd locks.


The file /var/service/qpsmtpd/control/plugins shows the order in which each email is checked.

_____________________________________________________________

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------

auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp no enable_ssmtp yes
check_earlytalker
count_unrecognized_commands 4
# bcc disabled
check_relay
check_norelay

require_resolvable_fromhost
check_basicheaders
# rhsbl disabled
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
check_goodrcptto extn -  
# check_smtp_forward not required

rcpt_ok
virus/pattern_filter check=patterns action=deny

tnef2mime

spamassassin reject_threshold 10 munge_subject_threshold 5
virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000
queue/qmail-queue

_____________________________________________________________

NOTE: The email is checked with 11 plugins before it is checked against the goodrcptto list, and when it hits the goodrcptto plugin it checks each and every email address in the email, slowing the system while more emails are coming in. With 100-300 emails every 5 mins it is causing qpsmtpd to lock up, forcing a reboot.

check_earlytalker
count_unrecognized_commands 4
check_relay
check_norelay
require_resolvable_fromhost
check_basicheaders
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
check_goodrcptto extn -


NOTE: What I did was move the goodrcptto plugin before the dnsbl to keep the system from wasting resources.

_____________________________________________________________

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------

auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp no enable_ssmtp yes
check_earlytalker
count_unrecognized_commands 4
# bcc disabled
check_relay
check_norelay

require_resolvable_fromhost
check_basicheaders
check_goodrcptto extn -
# rhsbl disabled
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
# check_smtp_forward not required

rcpt_ok
virus/pattern_filter check=patterns action=deny

tnef2mime

spamassassin reject_threshold 10 munge_subject_threshold 5
virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000
queue/qmail-queue

_____________________________________________________________

Does anyone think this will cause any issues with the system? While watching the /var/log/qpsmtpd/current log I see that bogus emails are being denied before wasting resources.

On the same webpage it talks about dictionary attacks, which is what the emails that are coming in look like.

"To prevent dictionary attacks, the transmission channel is closed after the
number of bad recipients set in control/brtlimit or BRTLIMIT, two by default.
Repeated attempts from the same IPs may be handled by a cron that looks at the
logs and updates tcprules accordingly."

Does anyone know anything about the "brtlimit" that it is talking about?


Thanks...
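As an added illustration of the BRTLIMIT behaviour the quoted patch text describes, here is editor-supplied example code; it is not from the thread, the goodrcptto patch or SME Server. It models RCPT TO handling against a good-recipient list: each unknown recipient gets a 550, the message is still accepted for the valid ones, and the connection is closed once the number of bad recipients reaches the limit (two by default, as quoted). The addresses, class and function names, and the reply texts are assumptions; a real server's replies will differ.

```python
# Added example, not code from the thread, the goodrcptto patch or qpsmtpd:
# a model of the recipient handling the quoted patch description gives.
# Reply texts, names and addresses are assumptions.

VALID_RCPTS = {"alice@example.com", "bob@example.com", "sales@example.com"}  # constructed list
BRTLIMIT = 2   # the quoted default: close the channel after this many bad recipients


class RcptSession:
    """RCPT TO handling for one SMTP connection."""

    def __init__(self, valid=VALID_RCPTS, brtlimit=BRTLIMIT):
        self.valid = valid
        self.brtlimit = brtlimit
        self.accepted = []   # recipients the message will be queued for
        self.bad = 0         # unknown recipients seen on this connection
        self.closed = False

    def rcpt_to(self, addr):
        if self.closed:
            return "421 connection already closed"
        addr = addr.strip().lower()
        if addr in self.valid:
            self.accepted.append(addr)
            return "250 ok"
        self.bad += 1
        if self.bad >= self.brtlimit:
            self.closed = True      # looks like a dictionary attack: stop talking to this client
            return "421 too many bad recipients, closing transmission channel"
        return "550 no such user"   # rejected at RCPT time, nothing is queued for it

    def data_allowed(self):
        """A single-recipient message to an unknown user leaves no accepted
        recipients, so DATA is refused and nothing reaches the queue or disk."""
        return bool(self.accepted) and not self.closed


def run_rcpts(addresses, valid=VALID_RCPTS, brtlimit=BRTLIMIT):
    """Feed RCPT TO addresses in order and return
    (replies, accepted recipients, connection closed, DATA allowed)."""
    s = RcptSession(valid, brtlimit)
    replies = []
    for a in addresses:
        replies.append(s.rcpt_to(a))
        if s.closed:
            break
    return replies, s.accepted, s.closed, s.data_allowed()


if __name__ == "__main__":
    # A dictionary run guessing ten names gets two RCPT replies and then the door.
    print(run_rcpts(["user%d@example.com" % i for i in range(10)]))
    # A legitimate multi-recipient message keeps its valid recipients.
    print(run_rcpts(["alice@example.com", "nobody@example.com", "bob@example.com"]))
```

The point of the ordering change in the post is visible here: the recipient check is a set lookup, so doing it before DNSBL lookups and before any plugin that has to read the message body means a guessing client is cut off after two cheap replies instead of costing a DNS round trip per attempt.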

Offline piran

qpsmtpd rules
« Reply #21 on: December 16, 2006, 01:49:34 AM »
Nice homework ;~)
Maybe you make the life of the dictionary attacker easier though...
by sending back the invalid early? That BRTLIMIT thing (two by
default) seems to work. All such instances that used to occur here in
waves on my SME6 box now happen in no more than 2 on my SME7.
Sheer guess: BRTLIMIT (bad recipients tolerated limit?)

Offline alt-network

qpsmtpd rules
« Reply #22 on: December 16, 2006, 10:28:35 PM »
Ray,

Thanks for your ideas and help. As I look into this issue I am finding that I am being hit by a mailbomb from random IP addresses. My SME 6.5 is taking the hit, but one of my customers who is on SME 7 is being hit and it is causing the system to lock up.

I found that there is an added feature on the goodrcptto plugin that will block the IP address of the server sending the mailbomb.

http://msgs.securepoint.com/cgi-bin/get/qmail0409/54/3.html

What do you think of this?

Do you have any ideas for mailbombs?

Offline piran

qpsmtpd rules
« Reply #23 on: December 17, 2006, 12:40:10 AM »
Depends on the flavour of the mailbomb?
Multiple attempts from same IP to invalid recipients on SME7 is already
covered as the link is just dropped. However individual attempts from
many IPs needs lots of processing... so turn off SA for the duration of
the mailbomb?

gocdo

qpsmtpd rules
« Reply #24 on: December 17, 2006, 02:16:00 AM »
Hi,

I have a 'similar' mail server setup. About 1500 email accounts for around 250 domains on a 6.5 box and I recently moved about 60 email accounts for 3 domains to a 7.0 box. All servers are identical 3Ghz boxes on raided 200GB disks with 2GB ram. The email servers are fairly bare in the extra contribs installed and both are pretty much the same. Yum updates are current.

Midmorning Tue 5th Dec, the 7.0 box suddenly died - not crash. Login took 30 minutes. Load was over 100 and swap was exhausted :-}. Had to be email since that is all that server was doing. Check showed no rootkits etc. Hundreds of qpsmtpd-fork processes. Contrast - the 6.5 box gets busy - load sometimes to about 5 - but it is still quite responsive.

Took about a week to resolve - fortunately with very patient customers. After considerable time digging (searching these forums is painful with the few search limit) and experimenting I moved the recipient ok check to the start of the qpsmtpd list, disabled spamassassin (SA) and clam checking, modified the smtpd connections to 10 and left the ip connections at 5. This reduced the load issue dramatically. I finally moved one domain back to one of the 6.5 boxes and performance on the 7.0 server is now acceptable. Thinking back, I didn't sufficiently test disabling the RBL lookups, this was probably causing the excessive time pre-processing the messages before rejecting or handing to qmail. Will try that as well.

Observation: the 6.5 system can cope with a far higher load while the 7.0 system was slightly better at reducing spam (when SA was enabled). The 6.5 box has sustained a long term average of around an email every two seconds (for months) while the 7.0 server seems to choke on a short term sustained rate of more than one every 5 to 10 seconds. The log files indicated the 7.0 server would hit the connection limit and limit processing, however, the connections would still be arriving with top and ps showing the qpsmtpd_fork process numbers would build up and hover around 100. Processing email would get progressively slower until POPing would timeout and no new mail was being delivered.

With a light email load, say a message a minute or less, you wouldn't see the performance issues until an email bombing session starts.

Not sure I'd call these SME bugs, so I have not logged it.

Regards
Kevin

Offline alt-network

qpsmtpd rules
« Reply #25 on: December 17, 2006, 04:11:24 AM »
That is what has happened and is still happening to the setup I have. My SME 6.5 server is being hit with 6 emails every second, which adds up to about 23,000 per day, and is still running strong. But I am getting hit hard with spam that is getting past the SA. The SME 7 is getting hit with 1 to 3 each second and locking up.

I do think that it may be the SA that is causing the issues in SME 7. I have been trying to find information about the control/brtlimit or BRTLIMIT patch that will block the IP of the sender if it happens more than twice, but have not found any help with that without rewriting the goodrcptto plugin.

I am working with a programmer to find a way of integrating this feature into a program that someone wrote as a concept for SME 5. I was able to rewrite it for SME 6.X and then for SME 7. What it does is, if someone is attacking the server with a dictionary attack at ssh or just trying to get in, it will auto-lock that IP for 15 days, then after 15 days auto-unlock it. It works great and I am looking into setting up a way to include this to block the mailbombs.

I think this will be the only way to get this under control; by not letting in the smtp servers that are being used for mailbombs.

Offline dmay

qpsmtpd rules
« Reply #26 on: December 17, 2006, 06:15:34 AM »
I suggest you open a Bug Tracker ticket and report your issues and observations.

Darrell

Offline piran

qpsmtpd rules
« Reply #27 on: December 17, 2006, 01:31:32 PM »
Depending on the profile of the mailbomb's botnet and on the way
they are programmed have you considered implementing greylisting?
http://forums.contribs.org/index.php?topic=33662.msg143786#msg143786
By then disabling SA you might not lock up so much and greylisting
may give you some breathing room to develop a working defense.

Offline alt-network

qpsmtpd rules
« Reply #28 on: December 18, 2006, 05:01:26 AM »
I have found a qpsmtpd plugin that will block the IP of the SMTP server that is getting denied when sending emails to the SME 7 server. It is a plugin written just for this and I would like help getting it working on SME 7.

http://www.oreillynet.com/lpt/a/6167


I have the code installed but getting errors. I don't know perl very well and can't get it working.

Here is the code. Can anyone help!

#!perl -w
# qpsmtpd plugin: count DENY / DENY_DISCONNECT results per remote IP in an
# NDBM file, and DENYSOFT later connections from IPs that reach the threshold.
# Plugin arguments (from the plugins file): <dbm filename> <deny threshold>
# DENY, DENY_DISCONNECT, DENYSOFT and DECLINED come from Qpsmtpd::Constants,
# which qpsmtpd imports into every plugin.

use NDBM_File;
use Fcntl;

sub init {
    my ($self, $qp, $filename, $threshold) = @_;

    # Persist counts across connections: ip => pack("NN", count, last_deny_time)
    tie my %h, 'NDBM_File', $filename, O_RDWR|O_CREAT, 0666
        or die "Unable to tie $filename: $!";
    $self->{dbm} = \%h;
    $self->{deny_threshold} = $threshold;
}

# Runs whenever any plugin returns a deny result; $plugin is that plugin's name.
sub hook_deny {
    my ($self, $transaction, $plugin, $level) = @_;

    # We're only interested in DENY or DENY_DISCONNECT
    unless ($level == DENY or $level == DENY_DISCONNECT) {
        return DECLINED;
    }

    # Don't count the DENYSOFT this plugin itself issues from hook_connect
    return DECLINED if $plugin eq $self->plugin_name;

    my $ip = $self->connection->remote_ip;
    my $now = time;

    my $record = $self->{dbm}->{$ip};
    # Is this IP in the DB?
    if (!$record) {
        $self->{dbm}->{$ip} = pack("NN", 1, $now);
        return DECLINED;
    }

    my ($count, $tlast) = unpack("NN", $record);

    # Denied within the last 8 hours?
    if ($tlast < ($now - 28800)) {
        # Not denied in last 8 hours so just reset count.
        $self->{dbm}->{$ip} = pack("NN", 1, $now);
        return DECLINED;
    }

    # Now just update the count
    $self->{dbm}->{$ip} = pack("NN", $count+1, $now);

    return DECLINED;
}

# Runs at connect time, before any SMTP command is read.
sub hook_connect {
    my ($self, $transaction) = @_;

    my $ip = $self->connection->remote_ip;
    my $record = $self->{dbm}->{$ip} || return DECLINED;
    my ($count, $tlast) = unpack("NN", $record);

    # Ignore and delete entry if not denied in last 12 hours
    if ($tlast < (time - 43200)) {
        delete $self->{dbm}->{$ip};
        return DECLINED;
    }

    # Temp-fail repeat offenders; a real sender will retry after the record expires
    if ($count >= $self->{deny_threshold}) {
        return DENYSOFT, "You are a repeat offender. Go away";
    }

    return DECLINED;
}

I think this will be the answer for the mailbomb issues. Please check and let me know what you think and if I can get help working on it.


The error I am getting is:

eval Can't locate NDM_File.pm in @INC
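For readers who, like the poster, do not read Perl well, here is an added Python re-implementation of the plugin's logic. It is editor-supplied example code, not qpsmtpd code and not something from the thread: an in-memory dict stands in for the NDBM file, the clock is injectable so the two time windows can be exercised, and the scenario functions, IP addresses and the plugin name are constructed. The result names mirror qpsmtpd's constants; the reply text is the plugin's own.

```python
# Added example, not code from the thread or from qpsmtpd: Python re-implementation
# of the Perl repeat-offender plugin above. The dict replaces the NDBM file and the
# clock is injectable; IPs, plugin name and scenarios are constructed.
import time

DECLINED = "DECLINED"
DENY = "DENY"
DENY_DISCONNECT = "DENY_DISCONNECT"
DENYSOFT = "DENYSOFT"

RESET_WINDOW = 8 * 3600    # the plugin's 28800: a deny older than this restarts the count at 1
FORGET_WINDOW = 12 * 3600  # the plugin's 43200: no deny for this long and the record is dropped


class RepeatOffenders:
    """Counts hard denies per remote IP and temp-fails later connects past a threshold."""

    def __init__(self, deny_threshold, plugin_name="repeat_offenders", clock=time.time):
        self.deny_threshold = deny_threshold
        self.plugin_name = plugin_name   # assumption: whatever name the plugin is loaded under
        self.clock = clock
        self.db = {}                     # remote_ip -> (count, last_deny_time)

    def hook_deny(self, remote_ip, denying_plugin, level):
        """Called after any plugin denies; mirrors the Perl hook_deny."""
        if level not in (DENY, DENY_DISCONNECT):   # DENYSOFT and friends are not counted
            return DECLINED
        if denying_plugin == self.plugin_name:     # don't count our own connect-time DENYSOFT
            return DECLINED
        now = self.clock()
        record = self.db.get(remote_ip)
        if record is None or record[1] < now - RESET_WINDOW:
            self.db[remote_ip] = (1, now)          # first deny, or the last one is too old
        else:
            self.db[remote_ip] = (record[0] + 1, now)
        return DECLINED

    def hook_connect(self, remote_ip):
        """Called when a client connects; returns (result, message)."""
        record = self.db.get(remote_ip)
        if record is None:
            return DECLINED, ""
        count, last = record
        if last < self.clock() - FORGET_WINDOW:
            del self.db[remote_ip]                 # quiet for 12h: forget the IP
            return DECLINED, ""
        if count >= self.deny_threshold:
            return DENYSOFT, "You are a repeat offender. Go away"
        return DECLINED, ""


def simulate_mailbomb(threshold=3, attempts=4):
    """Constructed scenario: one IP connects once a minute and is denied each time
    (say by check_goodrcptto). Returns the connect-time result of each attempt."""
    clock = [1_000_000]
    ro = RepeatOffenders(threshold, clock=lambda: clock[0])
    ip = "203.0.113.9"   # constructed, TEST-NET-3 documentation range
    results = []
    for _ in range(attempts):
        result, _msg = ro.hook_connect(ip)
        results.append(result)
        if result == DECLINED:
            ro.hook_deny(ip, "check_goodrcptto", DENY)   # session continues and gets denied
        clock[0] += 60
    return results


def window_demo(threshold=2):
    """Constructed scenario showing the gap between the 8h reset and the 12h expiry.
    Returns (blocked at 9h, blocked after a fresh deny at 9h, blocked 13h later)."""
    clock = [1_000_000]
    ro = RepeatOffenders(threshold, clock=lambda: clock[0])
    ip = "198.51.100.7"   # constructed, TEST-NET-2
    ro.hook_deny(ip, "dnsbl", DENY)
    ro.hook_deny(ip, "dnsbl", DENY)                   # count reaches the threshold
    clock[0] += 9 * 3600
    at_9h = ro.hook_connect(ip)[0] == DENYSOFT        # within 12h of the last deny: blocked
    ro.hook_deny(ip, "dnsbl", DENY)                   # deny more than 8h after the last: count resets to 1
    after_reset = ro.hook_connect(ip)[0] == DENYSOFT  # no longer blocked
    clock[0] += 13 * 3600
    at_13h = ro.hook_connect(ip)[0] == DENYSOFT       # record expired and removed
    return at_9h, after_reset, at_13h


if __name__ == "__main__":
    print(simulate_mailbomb())   # ['DECLINED', 'DECLINED', 'DECLINED', 'DENYSOFT']
    print(window_demo())         # (True, False, False)
```

Two things worth noticing before putting the Perl version in front of a mailbomb. First, the windows are asymmetric: an IP that is blocked at connect can get itself unblocked by being denied again more than 8 hours after its last deny, because hook_deny then resets the count to 1 while hook_connect would have kept blocking it for another 4 hours; whether that matters depends on the threshold. Second, the Perl plugin ties one NDBM file in init and then every forked qpsmtpd child writes to it without any locking, so concurrent updates under exactly the load described in this thread are something to test for before trusting the counts.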

Offline cjensen

qpsmtpd rules
« Reply #29 on: December 18, 2006, 06:56:51 AM »
You seem to be missing a perl-module:

NDBM_File.pm http://search.cpan.org/author/NWCLARK/perl-5.8.8/ext/NDBM_File/NDBM_File.pm

Do you have this perl-module installed?  

perldoc NDBM_File will return "No documentation found for "NDBM_File"." if it is not installed.

This module is listed under Perl 5.8.8; SME 7.0 is 5.8.5.


Craig Jensen