EMERGENCY - need to secure my server against an ongoing SPAMMER

Bob Brennan rbrennan96 at gmail.com
Fri Mar 11 11:01:49 UTC 2005


On Fri, 11 Mar 2005 10:48:29 +0000, Paul Howarth <paul at city-fan.org> wrote:
> Bob Brennan wrote:
> > Sorry for the brevity here but I woke this morning to find my
> > mailserver sending 1000+ rejected email notices to postmaster@, and it
> > was increasing by the minute. I have shut down Sendmail and am
> > removing all relay permissions (I hope) but have a few issues that
> > need to be resolved quickly before going back online - knowing the
> > spammer will be retrying and my legitimate users are losing services.
> 
> What relaying permissions did you have?

FEATURE('relay_entire_domain')
HACK('popauth')
...none of which worked for *me* in my continuing struggle to find a
secure way to let my users use a remote MUA
...both commented out for now, as well as removed all domains in the
"Relay Domains" (Webmin again) file

> 
> > 1. There are 700+ emails sitting in the outgoing queue, I am using
> > WebMin to delete them but at 20 at-a-time it is useless. I need a
> > command line that will do it without causing more damage.
> 
> # cd /var/spool
> # mv mqueue mqueue.spam
> # mkdir mqueue
> # restorecon mqueue

done it - 1 problem sorted!

> That should leave you with an empty queue, plus the spam messages saved
> in /var/spool/mqueue.spam. You might want to look in there and see if
> there are any non-spam messages before you go deleting them all. It
> would also be useful to see an example of one of the "qf" files in
> /var/spool/mqueue.spam to see how the message reached your outgoing mail
> queue. That may indicate the vulnerability being exploited by the spammer.
> 
> > 2. MySql is shut down for some reason, I don't know if it's related to
> > the attack. "service msqld status" returns "msqld dead but subsys
> > locked"
> 
> Perhaps it collapsed under the load? Will "service msqld restart"
> restart it?

"Timeout error occured trying to start MySQL Deamon"
"Starting MySQL    [FAILED]
... having to do with the "subsys locked" problem above I believe -
but how to fix that?

bob

> Paul.
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
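Paul's suggestion to look at the "qf" files in /var/spool/mqueue.spam, worked into an added example that is not part of this thread: a small Python triage script that pulls each qf file's envelope sender, recipients, validated client address and Received headers, then flags messages injected from outside the local networks (a relayed-for-a-stranger message is the signature of an abused relay) or fanning out to many recipients. It assumes sendmail's 8.12-style qf record layout; the local network prefixes and the two sample qf files are constructed.

```python
"""Triage sendmail qf (queue control) files set aside in a directory such as /var/spool/mqueue.spam."""
import re
from collections import Counter
# Assumed sendmail 8.12-style qf layout, one record per line keyed by its first char: S = envelope
# sender, R = recipient (flags:address), H?flags?Name: value = header (continuations start with
# whitespace), $_ = validated client as "host [ip]" or "[ip]", and a lone '.' ends the record.
def parse_qf(text):
    msg = {"sender": None, "recipients": [], "client": None, "received": []}
    lines, i = text.splitlines(), 0
    while i < len(lines) and lines[i] != ".":
        line = lines[i]
        if line.startswith("S"):
            msg["sender"] = line[1:].strip("<>")
        elif line.startswith("R"):
            msg["recipients"].append(line.split(":", 1)[-1])
        elif line.startswith("$_"):
            msg["client"] = line[2:].strip()
        elif line.startswith("H"):
            header = line.split("?", 2)[-1]            # drop the H?flags? prefix
            while i + 1 < len(lines) and lines[i + 1][:1] in (" ", "\t"):
                i += 1
                header += " " + lines[i].strip()       # fold continuation lines
            if header.lower().startswith("received:"):
                msg["received"].append(header)
        i += 1
    return msg

def triage(qf_texts, local_prefixes=("127.", "10.", "192.168."), max_rcpts=10):
    """Flag messages injected from outside the local nets (relayed for a stranger) or fanning out widely."""
    summary, per_client = [], Counter()
    for name, text in qf_texts.items():
        m = parse_qf(text)
        found = re.search(r"\[([^\]]+)\]", m["client"] or "")
        client = found.group(1) if found else (m["client"] or "")
        per_client[client] += 1
        external = bool(client) and not client.startswith(local_prefixes)
        n = len(m["recipients"])
        summary.append({"file": name, "sender": m["sender"], "client": client,
                        "rcpts": n, "flag": external or n > max_rcpts})
    return summary, per_client

# Constructed sample qf files (not real queue contents); addresses are RFC 5737 documentation ranges.
SPAM_QF = ("V8\nT1110530000\nS<bulk@example.invalid>\n$_[192.0.2.10]\n"
           "RPFD:victim1@example.com\nRPFD:victim2@example.com\n"
           "H??Received: from [192.0.2.10] (unknown [192.0.2.10])\n"
           "\tby mail.example.org (8.13.1) with SMTP id j2B9abc\n"
           "\tfor <victim1@example.com>; Fri, 11 Mar 2005 09:00:00 +0000\n"
           "H??Subject: buy now\n.\n")
LOCAL_QF = ("V8\nT1110530100\nS<alice@example.org>\n$_mua.example.org [192.168.1.5]\n"
            "RPFD:bob@example.com\nH??Subject: lunch\n.\n")
```

Run `triage()` over a dict of `{filename: file contents}` read from the set-aside queue directory; the per-client counter shows which connecting host produced the bulk of the queue, and the Received lines show which hop accepted the message.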