Hi! I am a "Newbie", using SuSE 9.1. DSL from T-Online. Ximian Evolution 1.4.6.

In the last weeks, I have been experiencing mails from unknown people to my email addresses. Sometimes two or three mails within a few seconds. These are accounts with T-Online, Ginko, Web.de. It looks as if "they" knew all my email addresses.

I'm asking myself if there is a general(?) procedure for how to get rid of these potential parasites? This scheme should follow these steps:
- analyse
- evaluation
- proof of solution

QUESTIONS:
1.) Is there a (simple?) way to decipher...
1.a) who is doing what on my system,
1.b) how do they get there?
2.) Does anybody know how I can "clean" my system, ideally without changing email addresses (printed on business cards)? By that I mean: how can I reject unwanted mail? A simple How-To, tutorial or so would be preferable.
3.) For the future, I would like to prevent those trash mails from re-establishing themselves: how can I prevent unknown people from using "my address"?
3.a) My fear is that my email addresses "travel" uncontrolled. Is there a way to control this? (I know, this seems naive.)
3.b) How can I reject unwanted mail?
3.c) Do I need to create a positive list following the thought: who may send me an email (filtering)?
A simple How-To, tutorial or so would be preferable for the above mentioned questions.

Thank you for all useful hints!
(P.S.: as I said: I am a newbie)
-- Dr. Axel Krebs <Axel.Krebs@T-Online.de>
Dr. Axel Krebs
----- Original Message -----
From: "Dr. Axel Krebs" <Axel.Krebs@T-Online.de>
To: <suse-security@suse.com>
Sent: Saturday, May 14, 2005 12:40 AM
Subject: [suse-security] cracked system?
Hi!
I am a "Newbie", using SuSE 9.1.
So am I!
DSL from T-Online. Ximian Evolution 1.4.6.
In the last weeks, I have been experiencing mails from unknown people to my email addresses. Sometimes two or three mails within a few seconds. These are accounts with T-Online, Ginko, Web.de. It looks as if "they" knew all my email addresses.
I've read in the clamav mailing list that it might be Sober.P. So instead of virus-spewing zombies, the infected PCs are now probably spam-spewing zombies, or waiting for something to turn them into spam zombies. That might be the wrong list. I'm in about 9 mailing lists. Please don't quote me.
I'm asking myself if there is a general(?) procedure for how to get rid of these potential parasites?
This scheme should follow these steps:
- analyse
- evaluation
- proof of solution
Try chkrootkit and rkhunter. Tripwire is the best for evaluation. A snapshot. If all else fails... reinstall or take a wooden baseball bat to the monitor.
QUESTIONS:
1.) Is there a (simple?) way to decipher...
1.a) who is doing what on my system,
1.b) how do they get there?
ANSWERS:
1.) ethereal
1.a) type w at the command line
1.b) You let them in. Clicking on links or trojan programs. Monitor your internet-facing firewall. Deny all, then poke pin-holes.
2.) Does anybody know how I can "clean" my system, ideally without changing email addresses (printed on business cards)?
By that I mean: how can I reject unwanted mail?
Why reject? That means your email is active to spammers. Try SpamAssassin.
A simple How-To, tutorial or so would be preferable.
3.) For the future, I would like to prevent those trash mails from re-establishing themselves: how can I prevent unknown people from using "my address"?
Get a spam account like mine for the internet and keep your private email address for business only.
3.a) My fear is that my email addresses "travel" uncontrolled. Is there a way to control this? (I know, this seems naive.)
Look into PGP (Pretty Good Privacy) or GnuPG. Sign or encrypt your emails.
3.b) How can I reject unwanted mail?
3.c) Do I need to create a positive list following the thought: who may send me an email (filtering)?
A simple How-To, tutorial or so would be preferable for the above mentioned questions.
Thank you for all useful hints!
(P.S.: as I said: I am a newbie)
Again, me too. I'm not trying to flame, just answering your e-mail. This is how *we* do it on the west side of the pond. Krack
-- Dr. Axel Krebs <Axel.Krebs@T-Online.de>
The Saturday 2005-05-14 at 07:40 +0200, Dr. Axel Krebs wrote:
In the last weeks, I have been experiencing mails from unknown people to my email addresses. Sometimes two or three mails within a few seconds. These are accounts with T-Online, Ginko, Web.de. It looks as if "they" knew all my email addresses.
Welcome to the club: you are being spammed. I have also recently seen the same spam sent to several of my addresses, even some that I very seldom use, only in private. They may come within minutes or days. "They" are experts at getting email addresses from many sources. For example, one of your correspondents using Windows may get a virus, and that virus sends lots of emails using the whole address book. Or it may silently send his address book to a spammer server somewhere. They can harvest addresses from any web site, mailing list, news server, whatever they can reach... And they may simply get a mail server host name and launch a dictionary-type attack, sending emails to all names it can guess might exist on that server. If you make the error of bouncing an email, then they know that that address does exist... and you are a sitting duck in the middle of duck hunting season :-p
I'm asking myself if there is a general(?) procedure for how to get rid of these potential parasites?
Use anti-spam filters, like SpamAssassin.
QUESTIONS: 1.) Is there a (simple?) way to decipher... 1.a) who is doing what on my system,
No. Unless you are the nonexistent internet police... If you have lots of resources (i.e., money, power, and influence), you can investigate, track, and perhaps sue them. Chances are they are not in your country. Or you can convince the politicians in many countries to take a real stance against spam... dreams are free.
1.b) how do they get there?
I don't think your machine has been compromised. Those email accounts do not even reside on your machine, if I understood your setup correctly. The same as my email accounts.
2.) Does anybody know how I can "clean" my system, ideally without changing email addresses (printed on business cards)?
By that I mean: how can I reject unwanted mail?
Don't ever "reject", then you are busted. Simply throw them in the garbage.
A simple How-To, tutorial or so would be preferable.
3.) For the future, I would like to prevent those trash mails from re-establishing themselves: how can I prevent unknown people from using "my address"?
Impossible :-/
3.a) My fear is that my email addresses "travel" uncontrolled. Is there a way to control this? (I know, this seems naive.)
Impossible.
3.b) How can I reject unwanted mail?
Don't! Simply delete or move them. Never use "reject".
3.c) Do I need to create a positive list following the thought: who may send me an email (filtering)?
Some do. There is a method (commercial?) that requires you to manually identify yourself the first time you email a particular business address. I forgot the name of the system.
A simple How-To, tutorial or so would be preferable for the above mentioned questions.
The SpamAssassin site should be a good starting point.
(P.S.: as I said: I am a newbie)
I see ;-) -- Cheers, Carlos Robinson
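Carlos's advice above is to filter and file, never reject. The following is an added example written for this thread, not code from SpamAssassin or from any poster: the filing step in Python, on the assumption that SpamAssassin (spamassassin or spamc, called from procmail or the MDA) has already tagged each message with X-Spam-Flag and X-Spam-Status. The sample messages and the 10-point "discard" threshold are constructed for the example.

```python
"""File mail by the headers SpamAssassin adds, without ever bouncing it.

Added example for this thread; it is not code from SpamAssassin or from any
poster.  It assumes messages have already passed through spamassassin/spamc
(e.g. from procmail), which prepends X-Spam-Flag and X-Spam-Status headers;
nothing here talks to a server.
"""
import email
import re
from email.message import Message

# Constructed sample messages in the shape SpamAssassin leaves them in.
SAMPLES = [
    b"From: friend@example.org\nTo: axel@example.net\nSubject: lunch\n"
    b"X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00 autolearn=ham\n\n"
    b"See you at 12.\n",
    b"From: xyz@example.com\nTo: axel@example.net\nSubject: cheap meds\n"
    b"X-Spam-Flag: YES\n"
    b"X-Spam-Status: Yes, score=8.7 required=5.0 tests=BAYES_99,HTML_MESSAGE autolearn=spam\n\n"
    b"buy now\n",
    b"From: noscan@example.com\nTo: axel@example.net\nSubject: untagged\n\n"
    b"no SpamAssassin headers at all\n",
    b"From: bulk@example.com\nTo: axel@example.net\nSubject: borderline\n"
    b"X-Spam-Status: No, score=4.9 required=5.0 tests=HTML_MESSAGE autolearn=no\n\n"
    b"hmm\n",
    b"From: mrs.x@example.com\nTo: axel@example.net\nSubject: advance fee\n"
    b"X-Spam-Flag: YES\n"
    b"X-Spam-Status: Yes, score=15.3 required=5.0 tests=ADVANCE_FEE_2,BAYES_99 autolearn=spam\n\n"
    b"transfer 20 million\n",
]

STATUS_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")


def spam_score(msg: Message):
    """Return (score, required) from X-Spam-Status, or None if absent/unparsable."""
    status = msg.get("X-Spam-Status")
    if not status:
        return None
    m = STATUS_RE.search(status)
    return (float(m.group(1)), float(m.group(2))) if m else None


def classify(msg: Message, discard_above: float = 10.0) -> str:
    """Pick a folder: 'inbox', 'junk' or 'discard'.  There is no 'bounce'.

    Untagged mail fails open into the inbox, so a filter outage cannot eat
    mail; tagged spam goes to Junk for occasional review; absurd scores are
    dropped.  In every case the sender learns nothing about the address.
    """
    flagged = (msg.get("X-Spam-Flag") or "").strip().upper() == "YES"
    parsed = spam_score(msg)
    if parsed is None:
        return "junk" if flagged else "inbox"
    score, required = parsed
    if score >= discard_above:
        return "discard"
    if flagged or score >= required:
        return "junk"
    return "inbox"


def classify_raw(raw: bytes, discard_above: float = 10.0) -> str:
    """Same decision, starting from the raw message bytes."""
    return classify(email.message_from_bytes(raw), discard_above)


def sort_mailbox(raw_messages) -> dict:
    """Map folder name -> Subject lines filed there (stand-in for Maildir writes)."""
    folders = {"inbox": [], "junk": [], "discard": []}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        folders[classify(msg)].append(msg.get("Subject", ""))
    return folders


if __name__ == "__main__":
    for folder, subjects in sort_mailbox(SAMPLES).items():
        print(f"{folder:8s} {subjects}")
```

To use it for real, replace the Subject bookkeeping in sort_mailbox with mailbox.Maildir writes and call it behind the spamc step in .procmailrc. The point is what is absent: no path produces a bounce, and a message without SpamAssassin headers lands in the inbox instead of being lost.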
Carlos E. R. wrote:
Thereby, I mean: how can I reject unwanted mail?
Don't ever "reject", then you are busted. Simply throw them to the garbage.
[...]
3.b) How can I reject unwanted mail?
Don't! Simply delete or move them. Never use "reject".
Q: Can I delete SPAM and reject NON-SPAM misspelled mail addresses?
The problem I have found is that business people don't want their customers to miss them! I believe that many of you need to handle virtuals like
jd jdoe johndoe john_doe john.doe doej doejohn doe_john
all pointing to the same account, but they also want rejects to be sent to the sender so they know that the mail didn't reach the intended recipient... all of which is true and valid without spam. Is it possible to handle both things smoothly?
regards, Ariel
The Monday 2005-05-16 at 05:57 -0300, Ariel Sabiguero Yawelak wrote:
Don't! Simply delete or move them. Never use "reject".
Q: Can I delete SPAM and reject NON-SPAM misspelled mail addresses?
The problem I have found is that business people don't want their customers to miss them! I believe that many of you need to handle virtuals like
That's a different case from the original poster's: he is not running his own mail service (SMTP server). In that case, postfix, sendmail, qmail, whatever, will usually reject wrong addresses. Also, wrong user-part addresses (before the @) can be forwarded to a catch-all username. That's different from a user running SA rejecting email: his own address will be on the rejection slip, so he is on one hand saying that address A does not exist, and on the other using the same address A to send that! He might as well post a 'spam me' notice worldwide; it would be more "effective".
jd jdoe johndoe john_doe john.doe doej doejohn doe_john
all pointing to the same account, but they also want rejects to be sent to the sender so they know that the mail didn't reach the intended recipient... all of which is true and valid without spam. Is it possible to handle both things smoothly?
Uff. If the mail volume is small, you can forward all those to a catch-all address, then have somebody scan them and forward them to the appropriate person - with a good spam filter. Or simply return an "unknown user" or "unknown address" return code, and have the originator think again and use the correct address. This is the typical method, and more practical. Notice that when the SMTP server rejects an email, it is [usually] before getting the contents of the email. There is no chance to analyze whether it is a virus or spam; it is rejected in the negotiation phase. -- Cheers, Carlos Robinson
On Mon, 2005-05-16 at 05:57 -0300, Ariel Sabiguero Yawelak wrote:
The problem I have found is that business people don't want their customers to miss them! I believe that many of you need to handle virtuals like
jd jdoe johndoe john_doe john.doe doej doejohn doe_john
all pointing to the same account, but they also want rejects to be sent to the sender so they know that the mail didn't reach the intended recipient... all of which is true and valid without spam. Is it possible to handle both things smoothly?
Taking care of black- and whitelists of this kind could be very labour-intensive. In my opinion there's no single approach to fight effectively against SPAM. Andres
On Monday 16 May 2005 01:57, Ariel Sabiguero Yawelak wrote:
Q: Can I delete SPAM and reject NON-SPAM misspelled mail addresses ?
As spammers are getting more and more intelligent, differentiating spam and legitimate e-mail becomes more difficult, too. Technically, you may be able to do this in the future (given software patents are abolished and popular frameworks for countering spam actually become free) using SPF (Sender Policy Framework), which, simply put, registers all sending MTAs for a given domain in that domain's DNS records, so you can trivially check if you're getting the message from an MTA that actually is authorized to send e-mail with a return path from that domain. However, right now, there is a shadow of doubt over whether this will ever become a real standard that everyone will follow (of course, that would be beautiful).
The problem I have found is that business people don't want their customers to miss them! I believe that many of you need to handle virtuals like
jd jdoe johndoe john_doe john.doe doej doejohn doe_john
all pointing to the same account, but they also want rejects to be sent to the sender so they know that the mail didn't reach the intended recipient... all of which is true and valid without spam. Is it possible to handle both things smoothly?
One of the best technologies for fighting spam on large e-mail systems or on systems with catch-all mailboxes (that receive all mail destined to a specific domain that didn't match valid addresses) I have seen to date is greylisting. The idea is quite simple: you temporarily reject *all* e-mail from every SMTP client you haven't spoken to in a while (excluding the obvious ones, e.g. your own networks and secondary SMTP servers and such) with an error code of 4xx, which means the sending MTA will try to deliver the message again within a few minutes. This puts some burden on the sending party's resources, because they have to requeue the e-mail and send it again at a later time, and most spammers don't want to do this. They definitely will, eventually, but today, this still works very well. This also means some legitimate e-mail will be a few minutes late, but that isn't as bad as your machine having to eat through thousands of spams every hour just to drop them on the floor, or even some of these getting through to your customer's inbox. For a specific greylisting implementation for your MTA, try Google. Another possibility is Postfix's policy daemon and sender address verification, which are usually very costly (and therefore only applicable to smaller e-mail systems). These two enable Postfix not to bounce e-mail, but to reject it outright (so your system will very seldom have to generate a bounce to a spam), but of course this means eating up a lot of resources, because you have to be able to check whether an e-mail is legitimate or not, rather quickly. Furthermore, sender address verification may not work for all MTAs out there, so some legitimate mail may be unjustly rejected (however, this still sticks to the RFCs because it does generate an error on the sending MTA, instead of silently throwing it away, which is what most big systems are forced to do because of the magnitude of spam e-mails they receive). -- Jure Koren, n.i.
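Jure's description of greylisting (temporary 4xx for an unknown client/sender/recipient triplet, accept the retry, whitelist your own networks and secondary MXes) maps directly onto the Postfix policy daemon he mentions. The block below is an added example written for this thread, not code from Postfix, postgrey or any poster. The request/response framing ("name=value" lines ended by an empty line, "action=..." back in the same form) is the real Postfix SMTPD policy protocol; the 300-second retry delay, the expiry times, the in-memory table, the /24 aggregation of IPv4 clients and the whitelist networks are assumed values chosen for illustration.

```python
"""Greylisting as a Postfix SMTPD policy decision.

Added example written for this thread; it is not code from Postfix, postgrey
or any poster.  Postfix's policy protocol (SMTPD_POLICY_README) sends
"name=value" lines terminated by an empty line and expects "action=..."
back in the same form; that framing is real.  The delays, the in-memory
table, the /24 aggregation and the whitelist networks are assumed values.
"""
import ipaddress

RETRY_DELAY = 300              # seconds before a retry of a new triplet is accepted
UNSEEN_EXPIRY = 4 * 3600       # forget triplets that were never retried
KNOWN_EXPIRY = 35 * 24 * 3600  # keep triplets that passed for ~5 weeks
DEFER = "defer_if_permit Service temporarily unavailable, please try again later"

# Own networks and secondary MX hosts that must never be greylisted (assumed).
WHITELIST = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8::/32")]


def parse_request(text: str) -> dict:
    """Parse one policy request: 'name=value' lines up to the first empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet_key(client_ip: str, sender: str, recipient: str) -> tuple:
    """Build the greylist key.  IPv4 is aggregated to /24 so that a sender
    farm retrying from a neighbouring address still gets credit for the retry."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        ip_part = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    else:
        ip_part = str(ip)
    return (ip_part, sender.lower(), recipient.lower())


class Greylist:
    def __init__(self):
        self.table = {}  # key -> [first_seen, last_seen, passed]

    def expire(self, now: float) -> None:
        """Drop never-retried triplets (likely spam) and stale known ones."""
        for key, (first, last, passed) in list(self.table.items()):
            limit = KNOWN_EXPIRY if passed else UNSEEN_EXPIRY
            if now - (last if passed else first) > limit:
                del self.table[key]

    def decide(self, attrs: dict, now: float) -> str:
        """Return the Postfix action for one RCPT-stage policy request."""
        client = ipaddress.ip_address(attrs["client_address"])
        if any(client in net for net in WHITELIST):
            return "dunno"
        self.expire(now)
        key = triplet_key(attrs["client_address"],
                          attrs.get("sender", ""), attrs.get("recipient", ""))
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [now, now, False]   # first contact: 4xx, remember it
            return DEFER
        first, _, passed = entry
        if passed or now - first >= RETRY_DELAY:
            self.table[key] = [first, now, True]  # retry after the delay: let it in
            return "dunno"
        entry[1] = now                             # retried too early: 4xx again
        return DEFER

    def handle(self, request: str, now: float) -> str:
        """Wire-format round trip: request text in, 'action=...\\n\\n' out."""
        return f"action={self.decide(parse_request(request), now)}\n\n"


if __name__ == "__main__":
    # Constructed request, in the form Postfix sends for check_policy_service.
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
           "client_address=203.0.113.7\nclient_name=mail.example.com\n"
           "sender=bob@example.com\nrecipient=axel@example.net\n\n")
    gl = Greylist()
    for t in (0, 60, 400):
        print(t, gl.handle(req, now=t).strip())
```

Two choices worth noting: "defer_if_permit" rather than a hard "defer" leaves any later, more specific reject in smtpd_recipient_restrictions in force, and the expire step is what makes the scheme cheap, since a spammer that never retries leaves nothing behind after a few hours.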
As spammers are getting more and more intelligent, differentiating spam and legitimate e-mail becomes more difficult, too. Technically, you may be able to do this in the future (given software patents are abolished and popular frameworks for countering spam actually become free) using SPF (Sender Policy Framework),
which, simply put, registers all sending MTAs for a given domain in that domain's DNS records, so you can trivially check if you're getting the message from an MTA that actually is authorized to send e-mail with a return path from that domain. However, right now, there is a shadow of doubt over whether this will ever become a real standard that everyone will follow (of course, that would be beautiful).
The company I work for at the moment (Mimecast) does all of this. http://mail2.mimecast.co.za/mimecast/click?code=6e1851b5400f7786639a08bd7bd81caf We use greylisting, reputation management, SPF, RBLs, challenge-response, and NO QUARANTINES. We donated our work on the Java libs for SPF to the open source community (can be found at SourceForge), because the database and anti-virus engines we use are open source. SPF, coupled with greylisting and RBLs, is a GREAT way to manage spam. On the 2nd of May (when Sober.O hit) our customers went through huge greylist rejection increases. One customer went from circa 5000 rejections on average per day to 25000 rejections on the 2nd alone. Not one of these virus-laden messages actually had to be scanned by Clam, as we reject prior to the SMTP DATA command. Our product is not free, but it also does not cost a fortune. Barry
Hello, on Monday, 16 May 2005 22:25, Jure Koren wrote:
On Monday 16 May 2005 01:57, Ariel Sabiguero Yawelak wrote: [methods against spam] using SPF (Sender Policy Framework), which, simply put, registers all sending MTAs for a given domain in that domain's DNS records, so you can trivially check if you're getting the message from an MTA that actually is authorized to send e-mail with a return path from that domain. However, right now, there is a shadow of doubt over whether this will ever become a real standard that everyone will follow (of course, that would be beautiful).
I'm not sure if I really want SPF... I like to use one SMTP server for all my mail addresses - most are @cboltz.de (which is the server I use for sending mails), but I also have addresses @web.de and @nexgo.de. GMX already classifies my mails with From: ...@web.de as spam because I don't use the web.de SMTP server. Hey, cboltz.de is definitely not an open relay and has a static IP, so where's the problem? Additionally, I've seen statistics that spammers use SPF more often than "good" mail servers. (Sorry, I don't remember the URL.) So: Sorry, SPF won't make things better, only more difficult. Using blacklists of open relays and dial-up IPs seems to be a more useful way. [greylisting]
The idea is quite simple: you temporarily reject *all* e-mail from every SMTP client you haven't spoken to in a while [...]
Greylisting sounds good, at least for blocking viruses. (Don't ask me if it really helps blocking spam, but I don't think so :-( Regards, Christian Boltz -- what does "> /dev/null" mean? and how do I reverse it? would "< /dev/null" be right? [from comp.unix.shell]
I like to use one SMTP server for all my mail adresses - most are @cboltz.de (which is the server I use for sending mails), but I also have adresses @web.de and @nexgo.de.
Apparently (looking at the headers of your message), you're using KMail as an MUA. It is quite capable of handling different outgoing SMTP servers, so the only reason not to use this is if you have no way to deliver messages from your IP address to the relayhost (smarthost) of your ISP. If GMX requires you to use their mailservers for outbound mail, they probably also provide you with a way to use them.
GMX already classifies my mails with From: ...@web.de as spam because I don't use the web.de SMTP server. Hey, cboltz.de is definitely not an open relay and has a static IP, so where's the problem?
Their policy is that you have to use a specific IP range (their outgoing mailservers?) to send mail. At least that is what their SPF record says.

gmx.de. 300 IN TXT "v=spf1 ip4:213.165.64.0/23 -all"

If your IP address is not within that range, you're 'violating' their policy and your messages may get rejected. Simply put, you have to abide by their rules or else your messages may be flagged as spam by some systems. And apparently they are rejected by GMX themselves.
Additionally, I've seen statistics that spammers use SPF more often than "good" mail servers. (Sorry, I don't remember the URL.) So: Sorry, SPF won't make things better, only more difficult.
"SPF is not designed to prevent spam, it is designed to prevent forgery." You need to read up on SPF, since you clearly haven't *really* understood what it is. In fact, the SPF crowd applauds the use of SPF records by spammers.
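The gmx.de record quoted above is small enough to evaluate by hand, and doing so shows exactly why Christian's static-IP server is rejected: it is outside 213.165.64.0/23, so "-all" applies. The block below is an added example written for this thread, not code from any SPF library or poster. It implements only the DNS-free part of SPF (the ip4:, ip6: and all mechanisms with the +, -, ~ and ? qualifiers of RFC 4408, now RFC 7208); mechanisms that need DNS (a, mx, include:, exists:, ptr) and the redirect= modifier are reported as "unsupported" instead of being guessed. The gmx.de record is the one from the thread; the other records in the tests are constructed.

```python
"""Evaluate the DNS-free part of an SPF record against a connecting IP.

Added example for this thread; not code from any SPF library or poster.
Handles ip4:, ip6: and all with the +, -, ~, ? qualifiers (RFC 4408/7208).
Mechanisms that need DNS (a, mx, include:, exists:, ptr) and the redirect=
modifier are reported as "unsupported" rather than guessed.
"""
import ipaddress

# The record quoted in the thread for gmx.de.
GMX_RECORD = "v=spf1 ip4:213.165.64.0/23 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def check_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror/unsupported."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                 # not an SPF version-1 record at all
    for term in terms[1:]:
        # Modifiers look like name=value.  redirect= would need a DNS lookup;
        # exp= and unknown modifiers do not affect the result and are skipped.
        if "=" in term.split(":", 1)[0]:
            if term.split("=", 1)[0].lower() == "redirect":
                return "unsupported"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"    # malformed network in the record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                  # no match: evaluate the next mechanism
        if name in NEEDS_DNS:
            return "unsupported"
        return "permerror"            # unknown mechanism name
    return "neutral"                  # fell off the end with no 'all'


if __name__ == "__main__":
    for ip in ("213.165.64.20", "213.165.65.255", "213.165.66.1", "2001:db8::1"):
        print(ip, check_spf(GMX_RECORD, ip))
```

Mechanisms are evaluated left to right and the first match wins, which is why the "-all" at the end is the policy for every address the earlier terms did not list. A real receiver runs this against the envelope sender's domain (the return path), not the From: header, which is also why a web.de address sent through cboltz.de is judged against web.de's record and not cboltz.de's.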
On May 16, Christian Boltz <suse-security@cboltz.de> wrote:
I'm not sure if I really want SPF...
I like to use one SMTP server for all my mail addresses - most are @cboltz.de (which is the server I use for sending mails), but I also have addresses @web.de and @nexgo.de. GMX already classifies my mails with From: ...@web.de as spam because I don't use the web.de SMTP server. Hey, cboltz.de is definitely not an open relay and has a static IP, so where's the problem?
You send mail from an IP that clearly does not belong to the owner of that domain. This is the major problem with email: Everyone can send from everywhere with every address. SPF is an attempt to solve that. In your case, you could use a transport table entry in your mail server and send all gmx mails to gmx and still use your server as central mail sending hub.
[greylisting]
The idea is quite simple: you temporarily reject *all* e-mail from every SMTP client you haven't spoken to in a while [...]
Greylisting sounds good, at least for blocking viruses. (Don't ask me if it really helps blocking spam, but I don't think so :-(
Greylisting has helped me a LOT, except for Nigeria-connection type spam, because they (ab)use public webmail services. Markus -- Markus Gaugusch, markus(at)gaugusch.at, ASCII Ribbon Campaign Against HTML Mail
Markus Gaugusch wrote:
In your case, you could use a transport table entry in your mail server and send all gmx mails to gmx and still use your server as central mail sending hub.
That won't work in many cases, since transport tables usually work based on the recipient address and not the sender address (which is what you need in case your MTA has multiple upstream relays). Postfix apparently has a configuration parameter (I forgot the name and have no time now to search for it) to reverse the meaning of the transport table, but the author recommends strongly against using it. The best solution to this problem is to configure the upstream accounts in an MUA and not an MTA. If you really feel the need to run an MTA with multiple upstream relays, a tool called 'esmtp' (http://esmtp.sourceforge.net/) may be of help. It will allow you to configure multiple upstream hosts, depending on the sender address instead of the recipient address as in the Postfix 'transport' table. Configuration examples for commonly used MTAs are included in the package.
participants (10)
- Andres Tarallo
- Ariel Sabiguero Yawelak
- Arjen de Korte
- Barry Gill
- Carlos E. R.
- Christian Boltz
- Dr. Axel Krebs
- eddie_krack
- Jure Koren
- Markus Gaugusch