Here is what I'd do.
Only allow 44 net to talk to the mail host directly:
iptables -A INPUT -s ! 44.0.0.0/8 -p tcp --dport 25 -j DROP
Set an MX record and set up an exchanger for any external mail you need
to deal with.
What we do is run all inbound and outbound email to/from the Internet through a mail gateway. Then the gateway can implement all of the modern spam avoidance functions, including even which specific user addresses will be relayed.
Michael
N6MEF
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: William Lewis <kg6baj(a)n1oes.org>
Date: 02/09/2014 11:54 AM (GMT-08:00)
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: [44net] Mail Hacker
(Please trim inclusions from previous messages)
_______________________________________________
Hello group:
Need some collective help here on a mail system hacker issue I've been having.
First, the IP address on my system he's coming in on is 44.2.14.1
This person is dumping thousands of random emails into my system and some
of them will match BBS AREA patterns and get forwarded out to my forward
partners.
At first, I set up a log book scan script to look for bad logins, and then
ban the IP address, but then I found out that since my 44.2.14.1 IP address
goes "around" my firewall via UCSD, the block rules literally have zero effect.
I found a common "from" (online...@....) line in his emails, so in my
"rewrite" file I used this command "onl*@* | *@* refuse" but that also had
zero effect.
Then I tried telling JNOS "stop smtp" and "stop pop3" and that had zero effect.
JNOS's email system uses very old RFC rules, and none of the modern RFC
rules, so it's easy for this hacker to login to my JNOS mail server and
dump this junk. Luckily most get held, but as stated, a few match forward
patterns, so they slip through.
Right now I've completely taken my JNOS off-line until a fix can be found.
Anyone have some suggestions on blocking smtp and pop3 when my 44.2.14.1
address is live to global net ?
Any advice is appreciated in advance.
Thanks
Bill
KG6BAJ
Chris:
I'm wondering if the index page issue only affects "Coordinators" ??
I've seen some postings here that some are logging in and all is ok.
But the index page is supposed to show the extra "coordinator" link that
non-coordinators don't see when they login.
Here is the total source code my browsers get "after" logging in.
=========================================================================
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type></HEAD>
<BODY></BODY></HTML>
=========================================================================
That's it. That's all that comes through.
Hope that helps.
Bill
At 02:56 AM 2/8/2014, you wrote:
>Hit your refresh button, probably cached from a previous visit ;-)
The first batch of annual portal email reminders just went out; there
were 60 folks who haven't logged in to the portal in over a year.
These reminders are currently scheduled to go out monthly. Starting this
July, I think we'll consider someone inactive after 18 months of no login.
(That's six reminders, so they can't say they weren't warned.)
Be sure to keep the portal up to date if you change your email or other
contact data to avoid having problems.
Please remember that current registration with the portal is necessary
to maintain allocations, gateway registration in the encap database,
and other functions of the portal. It's especially important for
coordinators to keep it up to date.
Thanks!
- Brian
It looks like the INDEX template has an error.
If you login, go ahead and get the blank screen, and then manually type in
the url: https://portal.ampr.org/gateways_index.php
you will see what you're supposed to.
So.... Looks like a hiccup in the index file.
(but just my $0.02 worth)
Bill
KG6BAJ
Could someone provide the existing schema for the portal back end
database. I'm taking a database class as well as a web programming
class and would like to study it as it presently exists.
Eric
AF6EP
Same here..
Bill
KG6BAJ
At 07:45 PM 2/7/2014, you wrote:
>After I login I just get a blank screen.
>
>-Neil
>
>--
>Neil Johnson
>http://erudicon.com
Hey Guys
Apologies for my absence and if there have been any requests for space in 44.136.0.0/16. We moved and are waiting for someone to leave or be disconnected so we can get a DSL port. We are living in the world of 3g/4g and it is not really that crash hot for a perm connection.
We have been advised that they are about to do an upgrade to be told oh we did that last december.
Anyway hope to be back online soon
Samantha
vk4aa|vk4ttt
Just a heads up to the 44 Group who run 44 addressed mail servers.
Over the last few days I've had someone trying to break into my mail server.
After installing more detection software, I came up with IP Address
178.33.151.117.
Just a heads up he's probably scanning the network looking for others, so
heads up everyone.
Bill / KG6BAJ
==========================================
AUTOMATED NOTIFICATION !
The IP 178.33.151.117 has just been banned after several attempts against
dovecot.
Here are more information about 178.33.151.117:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '178.33.151.112 - 178.33.151.127'
% Abuse contact for '178.33.151.112 - 178.33.151.127' is 'abuse(a)ovh.net'
inetnum: 178.33.151.112 - 178.33.151.127
netname: DVC-ITA
descr: DoveConviene.it Italian Network
country: IT
org: ORG-OS43-RIPE
admin-c: OTC5-RIPE
tech-c: OTC5-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
organisation: ORG-OS43-RIPE
org-name: OVH Srl
org-type: OTHER
address: Via trieste 25
address: 20097 San Donato Milanese
address: Italia
abuse-mailbox: abuse(a)ovh.net
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
role: OVH IT Technical Contact
address: OVH Srl
address: Via trieste 25
address: 20097 San Donato Milanese
address: Italia
admin-c: OK217-RIPE
tech-c: GM84-RIPE
nic-hdl: OTC5-RIPE
abuse-mailbox: abuse(a)ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered
% Information related to '178.32.0.0/15AS16276'
route: 178.32.0.0/15
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.71
(WHOIS1)
Lines containing IP:178.33.151.117 in /var/log/mail.log
Feb 5 04:15:37 linux1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts): user=<test(a)ampr.org>, method=PLAIN, rip=178.33.151.117,
lip=44.2.14.2
Feb 5 04:17:23 linux1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts): user=<test(a)ampr.org>, method=PLAIN, rip=178.33.151.117,
lip=44.2.14.2
Feb 5 04:17:41 linux1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts): user=<test(a)ampr.org>, method=PLAIN, rip=178.33.151.117,
lip=44.2.14.2
...... <snip>
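Michael's advice (only 44/8 should reach the mail host directly) and the automated ban notice above rest on the same two steps: pick the dovecot auth-failed lines out of mail.log and count failures per remote IP within a window before deciding on a ban. The following is an added example in Python, not code from any poster, from JNOS, dovecot or fail2ban; the log lines are constructed to match the format in Bill's report, and the year, maxretry and findtime values are assumed.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the pop3-login lines in the report above.
# Three failures from the outside host, one from a 44-net host, one success.
SAMPLE_LOG = """\
Feb 5 04:15:37 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@ampr.org>, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb 5 04:17:23 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@ampr.org>, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb 5 04:17:41 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test@ampr.org>, method=PLAIN, rip=178.33.151.117, lip=44.2.14.2
Feb 5 04:20:02 linux1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<kg6baj@ampr.org>, method=PLAIN, rip=44.2.14.9, lip=44.2.14.2
Feb 5 04:21:10 linux1 dovecot: pop3-login: Login: user=<kg6baj>, method=PLAIN, rip=44.2.14.9, lip=44.2.14.2
"""

# Matches dovecot's "auth failed" disconnect line; \s+ copes with syslog's padded day.
AUTH_FAIL = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: Disconnected \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

AMPRNET = ipaddress.ip_network("44.0.0.0/8")


def parse_auth_failures(text, year=2014):
    """Return (timestamp, remote_ip, user, attempts) for each auth-failed line."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["rip"], m["user"], int(m["n"])))
    return events


def classify(rip):
    """Label whether a source should have been allowed near the mail host at all."""
    return "inside 44/8" if ipaddress.ip_address(rip) in AMPRNET else "outside 44/8"


def ban_candidates(events, maxretry=3, findtime=600):
    """fail2ban-style rule: maxretry failures from one IP within findtime seconds."""
    by_ip = defaultdict(list)
    for ts, rip, _user, n in sorted(events):
        by_ip[rip].extend([ts] * n)  # one entry per counted attempt
    banned = {}
    for rip, stamps in by_ip.items():
        for i, start in enumerate(stamps):
            window = [t for t in stamps[i:] if (t - start).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned[rip] = classify(rip)
                break
    return banned
```

Whatever produces the ban list, the resulting rule must be applied where the 44-net traffic actually arrives; as Bill found, a block on the perimeter firewall alone does nothing for packets that reach the host through the UCSD path.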