9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] spam originating from a Plan 9 installation
@ 2003-11-16 21:52 David Presotto
  0 siblings, 0 replies; 6+ messages in thread
From: David Presotto @ 2003-11-16 21:52 UTC (permalink / raw)
  To: 9fans

Yup, saveblockedmsg causes messages to get saved in the directory
/mail/queue.dump/<month><date>.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [9fans] spam originating from a Plan 9 installation
  2003-11-16 18:52 ` mirtchov
@ 2003-11-16 21:31   ` David Presotto
  0 siblings, 0 replies; 6+ messages in thread
From: David Presotto @ 2003-11-16 21:31 UTC (permalink / raw)
  To: 9fans

I believe in queue.dump or some such, I'll have to look at the source, it's all
bobf's stuff.


* Re: [9fans] spam originating from a Plan 9 installation
  2003-11-16 16:47 mirtchov
  2003-11-16 17:02 ` David Presotto
@ 2003-11-16 18:52 ` mirtchov
  2003-11-16 21:31   ` David Presotto
  1 sibling, 1 reply; 6+ messages in thread
From: mirtchov @ 2003-11-16 18:52 UTC (permalink / raw)
  To: 9fans

it's fixed now with a much more restrictive networks definition in
smtpd.conf.  in fact, i'm tempted to completely remove any machines
from my relay list, but i'm not sure this won't break anything, so
i've left only the machine running smtpd.

out of the whole thing, my logs are left with a pretty detailed list
of emails and businesses sending spam to them:

plan9% grep 'Bad Forward' smtpd | wc -l
    182
plan9%

and this is for the past 10 minutes since i turned smtpd back on!

here's what it looks like, so others will know what to look for in the
logs:

plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!marialices)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!smileyohio)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!rpiiibc)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!libertyagogo)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!janedugan)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!archiedorsman)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!edpm123)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!kitarou33)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!luckyduck132)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!frost3882)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!jmfdigiovanni)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!zaman90614)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!pfcnut)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!ambuler74)



cheers, and thanx for the help: andrey

ps: smtpd.conf has this:

	saveblockedmsg		on	#save blocked messages

where are those messages stored (i admit not looking for them very
thoroughly)?


* Re: [9fans] spam originating from a Plan 9 installation
  2003-11-16 17:02 ` David Presotto
@ 2003-11-16 17:28   ` andrey mirtchovski
  0 siblings, 0 replies; 6+ messages in thread
From: andrey mirtchovski @ 2003-11-16 17:28 UTC (permalink / raw)
  To: 9fans

ok, I found the problem here -- a compromised machine somewhere on our
university network was using me as a relay.

my 'ournets' will be much more restricted now.

thanx, andrey

On Sun, 16 Nov 2003, David Presotto wrote:


* Re: [9fans] spam originating from a Plan 9 installation
  2003-11-16 16:47 mirtchov
@ 2003-11-16 17:02 ` David Presotto
  2003-11-16 17:28   ` andrey mirtchovski
  2003-11-16 18:52 ` mirtchov
  1 sibling, 1 reply; 6+ messages in thread
From: David Presotto @ 2003-11-16 17:02 UTC (permalink / raw)
  To: 9fans

it's with your configuration.  all mail transiting your system is sent by none.

you want an smtpd config that disallows forwarding.  here's ours:

% cat /mail/lib/smtpd.conf
#
#	smtpd configuration options for external gateway
#	change verifysenderdom & saveblockedmsg when dirty converted
#

defaultdomain		plan9.bell-labs.com
norelay			on	#turn off relaying
verifysenderdom		on	#dns verification of sender domain
saveblockedmsg		on	#save blocked messages

#
#	networks that are allowed to relay through us
#
ournets		135.104.0.0/16		#mh
ournets		135.180.0.0/16		#ho
ournets		204.178.16.5/32		#www.bell-labs.com
ournets		204.178.16.6/32		#dirty.bell-labs.com
ournets		204.178.16.43/32	#www1.bell-labs.com
ournets		204.178.16.49/32	#crufty.research.bell-labs.com

#
#	domains that we will accept mail for
#	these must match the rewrite rules
#

ourdomains	*.lucent.com, *.bell-labs.com
ourdomains	[204.178.31.2]				#achille
ourdomains	ampl.com				#dmg
ourdomains	*.wavelet.org				#wim
ourdomains	closedmind.org				#presotto
ourdomains	huygens.org				#sape
ourdomains	mullender.nl				#sape


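An added example, not code from the thread or from Plan 9's own smtpd: it reads the ournets lines of an smtpd.conf in the format quoted above, treats them as the relay allow-list the comments describe, and runs over 'Bad Forward' log lines in the shape Andrey posted to show which rejected peers a too-broad ournets would have admitted. The campus /16, the 136.159.139.9/32 host address and the 10.0.0.5 log line are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed smtpd.conf fragments in the Plan 9 format quoted in the thread.
# The campus /16 and the /32 host address are assumptions for the example.
BROAD_CONF = """\
norelay\t\ton\t#turn off relaying
ournets\t\t136.159.0.0/16\t#whole campus network can relay
"""
TIGHT_CONF = """\
norelay\t\ton\t#turn off relaying
ournets\t\t136.159.139.9/32\t#only the smtpd host itself
"""

# Constructed log sample in the 'Bad Forward' shape from the thread;
# the third line (host.example/10.0.0.5) is made up.
LOG = """\
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!marialices)
plan9 Nov 16 11:46:44 Bad Forward upbitchart.us!lilypye (mail.enddownstatus.us/136.159.139.8) (aol.com!smileyohio)
plan9 Nov 16 11:47:01 Bad Forward tealjim9.us!mmtski (host.example/10.0.0.5) (aol.com!jrl400)
"""

# groups: sender, peer host name, peer IP, rejected recipient
BAD_FWD = re.compile(r"Bad Forward (\S+) \(([^/]*)/([\d.]+)\) \((\S+)\)")

def parse_ournets(conf):
    """Collect the ournets CIDRs from smtpd.conf text, ignoring # comments."""
    nets = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "ournets":
            nets.extend(ipaddress.ip_network(v) for v in fields[1:])
    return nets

def may_relay(conf, addr):
    """True if a peer at addr falls inside ournets, i.e. could relay."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_ournets(conf))

def parse_bad_forward(log):
    """Yield (sender, peer_name, peer_ip, recipient) for each rejection."""
    for line in log.splitlines():
        m = BAD_FWD.search(line)
        if m:
            yield m.groups()

def relay_abuse_report(conf, log):
    """Map each rejected peer IP to (rejection count, admitted by conf?)."""
    per_ip = Counter(ip for _, _, ip, _ in parse_bad_forward(log))
    return {ip: (n, may_relay(conf, ip)) for ip, n in per_ip.items()}
```

A peer reported as admitted under the broad config is one that relaying restrictions alone would not have stopped, which is the situation the compromised campus host created.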

* [9fans] spam originating from a Plan 9 installation
@ 2003-11-16 16:47 mirtchov
  2003-11-16 17:02 ` David Presotto
  2003-11-16 18:52 ` mirtchov
  0 siblings, 2 replies; 6+ messages in thread
From: mirtchov @ 2003-11-16 16:47 UTC (permalink / raw)
  To: 9fans

[-- Attachment #1: Type: text/plain, Size: 1713 bytes --]

I found this in /mail/queue/none after seeing the message being
rejected by aol's mail server.  The mail logs show that 'none' has
been able to send messages at least a few times:

home% cat smtp | grep none
plan9 Nov 15 20:37:25 moranpm (at) uprunsystem.com sent 3421 bytes to budmanone23 (at) aol.com, mdpascual (at) aol.com, nyanta13 (at) aol.com
plan9 Nov 16 05:49:12 mmtski (at) tealjim9.us sent 4025 bytes to eightfthogg2 (at) aol.com, jrl400 (at) aol.com, coachfxb (at) aol.com, quinonesd (at) aol.com, cheezliz8 (at) aol.com, falkra (at) aol.com, shpeka (at) aol.com
plan9 Nov 16 06:18:26 angell78 (at) anybizcorp.biz sent 2925 bytes to jjjjjstone (at) aol.com, mabaclstl (at) aol.com, fierwal (at) aol.com, powerforward22 (at) aol.com, greenone13 (at) aol.com
plan9 Nov 16 07:23:40 seabis (at) lowcomdata.net sent 3500 bytes to herbandalt (at) aol.com, fuzionone (at) aol.com, townflorist (at) aol.com, jdmlimited (at) aol.com, lilyzryder80 (at) aol.com
plan9 Nov 16 08:44:32 burkemay (at) webrunstatus.biz sent 2355 bytes to dki63 (at) aol.com, valpodad (at) aol.com, plucsious (at) aol.com, mshsurvey (at) aol.com, dohito (at) aol.com, nonesa (at) aol.com, rcl1011 (at) aol.com
home%


but I still have time before I'm thrown in the blacklists on all mail
servers.

how do I fix this?  has anyone else experienced it, or is it a problem
with my configuration?

note, the emails are modified (@->at) to protect the innocent, and the
body of the spam message isn't attached, just the header and the
error.

I ran 'history' on the logs to see if any previous months show
successful spam delivery but there's nothing in there since june,
which is how far my venti goes.

andrey

[-- Attachment #2.1: Type: text/plain, Size: 308 bytes --]

The following attachment had content that we can't
prove to be harmless.  To avoid possible automatic
execution, we changed the content headers.
The original header was:

	Content-Disposition: attachment; filename=C.029885
	Content-Type: text/plain; charset="US-ASCII"
	Content-Transfer-Encoding: 7bit

[-- Attachment #2.2: C.029885.suspect --]
[-- Type: application/octet-stream, Size: 101 bytes --]

mail lowdowncomp.us!wildcat7 net!aol.com aanecessary8 nikeadict machi1313 groupstein theboss155 psci7


[-- Attachment #3.2: E.029885.suspect --]
[-- Type: application/octet-stream, Size: 101 bytes --]

Sun Nov 16 09:27:59 MST 2003 connect to net!aol.com:
connection closed unexpectedly by remote system
