Re: [cobalt-security] Re: cobalt-security digest, Vol 1 #1101 - 3 msgs



OS Restore.
----- Original Message -----
From: "paulo.cabral" <paulo.cabral@xxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, February 27, 2003 10:42 AM
Subject: [cobalt-security] Re: cobalt-security digest, Vol 1 #1101 - 3 msgs


> My cobalt model Raq - 4 has lost the directory SBIN
> After it lost its directory. It doesn't reboot and on the display screen
> in lcd kernel loading.
> I copied S-BIN from another Cobalt, but did not work. I also tried a
> ghost from another cobalt, but I could not sort the problem.
> If you have any idea, how to solve this!
> Please e-mail me.
> I will appreciate your help.
>
>
> ----- Original Message -----
> From: <cobalt-security-request@xxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Wednesday, February 26, 2003 5:00 PM
> Subject: cobalt-security digest, Vol 1 #1101 - 3 msgs
>
>
> > Today's Topics:
> >
> >    1. spoofed spam slipping through pop before relay? (David Black)
> >    2. Re: spoofed spam slipping through pop before relay? (Rashid Abdullah)
> >    3. RE: spoofed spam slipping through pop before relay? (aljuhani)
> >
> > --__--__--
> >
> > Message: 1
> > From: "David Black" <DavidBlack@xxxxxxxxxxxxxxxxxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Date: Tue, 25 Feb 2003 18:38:38 -0600
> > Organization: SiteDesignAndHosting.com
> > Subject: [cobalt-security] spoofed spam slipping through pop before relay?
> > Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> > I think someone is relaying spam through our servers, by spoofing
> > their originating IP, so the spam appears to come from one of my
> > legitimate hosting customers' home IP addresses.
> >
> > I've noticed a repeating pattern of short bursts, similar to the events
> > listed below... which seem to last from 2 - 5 minutes each. Since my
> > up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
> > I'm wondering if the spoofer is randomly catching my customer's
> > relay window, then exploiting it, by spoofing my customer's IP. (?)
> >
> > I'd be very grateful if anyone with relevant expertise or experience
> > would share some information with me (and the rest of the list).
> > Thank you all very much, for your valuable time and knowledge.
> > I'd be lost without you :·)
> >
> > Sincerely,
> > --
> > David Black
> > Houston, TX
> >
> > suspicious maillog events follow...
> >
> > Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> >  ('size=0' repeats 77 times between 14:03:11 and 14:04:09)
> >
> >
> > Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
> > from=<>, size=2649, class=0, nrcpts=1,
> > msgid=<200302251503.HTW7030@xxxxxxxxxxx>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
> > from=<>, size=2571, class=0, nrcpts=1,
> > msgid=<200302251503.XQZ4704@xxxxxxxxxxx>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
> > from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> > relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
> > from=<>, size=2901, class=0, nrcpts=1,
> > msgid=<200302251503.VWE11193@xxxxxxxxxxx>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> >  (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
> > successful relays)
> >
> >
> > Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
> > from=<>, size=2842, class=0, nrcpts=1,
> > msgid=<200302251503.QRH781@xxxxxxxxxxx>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> >
> >  (108 more successful relays - snipped - )
> >
> >
> > Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
> > from=<>, size=2790, class=0, nrcpts=1,
> > msgid=<200302251503.RVA7016@xxxxxxxxxxxx>,
> > proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
> >
> > (this (above) was the last related event, for several hours)
> >
> >
> > --__--__--
> >
> > Message: 2
> > From: "Rashid Abdullah" <webmaster@xxxxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Subject: Re: [cobalt-security] spoofed spam slipping through pop before relay?
> > Date: Tue, 25 Feb 2003 14:52:42 -1000
> > Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> > David,
> >
> > Read this page (http://www.solarspeed.net/kb/659.php) and pay attention to
> > the mention of Formmail.pl.  I think this may solve your problem, it did it
> > for me.
> >
> > -Rashid
> >
> >
> > --__--__--
> >
> > Message: 3
> > Date: Wed, 26 Feb 2003 10:21:39 +0300
> > From: "aljuhani" <aljuhani@xxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Subject: RE: [cobalt-security] spoofed spam slipping through pop before relay?
> > Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> > Hello,
> >
> > Situation could be that as your Client having a DSL connection
> > with a static IP address, They:
> >
> > Have an Exchange Server for email that relay outgoing email
> > to the Internet through your SMTP service as their domain is
> > hosted on your server.
> >
> > -What is happening-
> >
> > Their Mail Exchanger or whatever mail server have an Open
> > Relay SMTP.  If that is the case, then a spammer will only need
> > their static IP and use it as SMTP gateway and therefore your
> > server is accepting these messages as your Client Server I think
> > is doing POP before SMTP (i.e. checking email before sending any
> > outgoing message).
> >
> > -Solution-
> >
> > There is no solution for this from your side other than blocking
> > your client or individual emails.  Your client has to apply
> > Pop before SMTP or SMTP Access Limitation to his mail server.
> >
> > In your message you masked the dsl IP of your client but
> > anyway just to verify you can test their IP address if
> > open relay using telnet or from this website
> > http://www.abuse.net/relay.html .
> >
> > Regards,
> > Al-Juhani
> > aljuhani@xxxxxxxxx
> >
> >
> > --__--__--
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
> > End of cobalt-security Digest
>
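
A defender-side triage of the pattern described in the quoted digest, as an added example that is not part of the original thread: it groups sendmail `from=` log entries by relay IP and flags relays that log a burst of null-sender (`from=<>`) messages inside a 5-minute window, the pop-before-relay window mentioned above. The sample lines, addresses, `threshold` and `year` parameter are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sendmail "from=" log format quoted in the thread
# (one entry per line; host names and IPs are documentation placeholders).
SAMPLE_LOG = """\
Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=cust.example.net [192.0.2.10]
Feb 25 14:03:40 www sendmail[18650]: h1PK3eb18650: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=cust.example.net [192.0.2.10]
Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<a@example.net>, proto=SMTP, daemon=MTA, relay=cust.example.net [192.0.2.10]
Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<b@example.net>, proto=SMTP, daemon=MTA, relay=cust.example.net [192.0.2.10]
Feb 25 14:05:00 www sendmail[19000]: h1PK50b19000: from=<alice@example.org>, size=1200, class=0, nrcpts=1, msgid=<d@example.org>, proto=SMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347: from=<>, size=2790, class=0, nrcpts=1, msgid=<c@example.net>, proto=SMTP, daemon=MTA, relay=cust.example.net [192.0.2.10]
Feb 25 16:30:00 www sendmail[25000]: h1PMU0b25000: from=<>, size=900, class=0, nrcpts=1, msgid=<e@example.com>, proto=SMTP, daemon=MTA, relay=mx.example.com [198.51.100.7]
"""

# Captures timestamp, envelope sender, size and the bracketed relay IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+),.*relay=.*\[(?P<ip>[^\]]+)\]")

def null_sender_bursts(log_text, window=timedelta(minutes=5), threshold=4, year=2003):
    """Return {relay_ip: stats} for relays that logged at least `threshold`
    null-sender messages within one sliding `window` (syslog omits the year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["sender"] == "":          # from=<> is the bounce/DSN sender
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, int(m["size"])))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end, (ts, _) in enumerate(evs):  # two-pointer sliding window
            while ts - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "peak_in_window": best,
                "empty": sum(1 for _, s in evs if s == 0),      # size=0 entries
                "with_body": sum(1 for _, s in evs if s > 0),   # accepted mail
                "span_seconds": int((evs[-1][0] - evs[0][0]).total_seconds()),
            }
    return flagged
```

A single null-sender message from a relay, such as an ordinary bounce, stays below the threshold; only the clustered pattern is reported.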