From: Robin Atwood
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Can't block pop3 attack
Date: Sat, 24 Oct 2009 16:39:18 +0700

On Saturday 24 October 2009, Alan McKinnon wrote:
> On Friday 23 October 2009 21:49:42 Robin Atwood wrote:
> > My syslog is showing zillions of messages:
> >
> > Oct 24 02:25:58 opal xinetd[8054]: START: pop-3 pid=16534
> > from=61.134.64.199 Oct 24 02:25:59 opal xinetd[16534]: warning:
> > /etc/hosts.allow, line 7: can't verify hostname:
> > gethostbyname(199.64.134.61.broad.gs.dynamic.163data.com.cn) failed
> > Oct 24 02:26:09 opal xinetd[8054]: EXIT: pop-3 status=0 pid=16534
> > duration=11(sec)
> >
> > I run denyhosts but don't trap pop3 messages so I manually added the IP
> > address to /etc/hosts.deny and..., it made absolutely no difference. I
> > run qpopper which is compiled with xinetd support and xinetd uses tcpd,
> > so I assumed the address would be blocked. Apparently not so. Any ideas?
>
> You have allow ALL ALL early in hosts.allow, or
> you have allow pop3 all earlier in hosts.allow

The second! I had forgotten about that. The trouble is I set it up that way so
I could pick up email from arbitrary locations while travelling. It seems the
price of that is allowing idiots to spam your logs.

Thanks for the pointer.
-Robin
-- 
----------------------------------------------------------------------
Robin Atwood.

"Ship me somewheres east of Suez, where the best is like the worst,
 Where there ain't no Ten Commandments an' a man can raise a thirst"
        from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
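
Added example (not part of the original message, and not tcp_wrappers' own code): a simplified Python model of the hosts_access(5) lookup order, showing why the hosts.deny entry was never consulted while a blanket pop3 rule sat in hosts.allow. The daemon name "popper" and both rule files are constructed assumptions; only ALL, EXCEPT, exact, address-prefix and domain-suffix patterns are modelled.

```python
"""Simplified model of the hosts_access(5) decision order (subset of the syntax)."""

def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "192.168.1."
        return value.startswith(pattern)
    if pattern.startswith("."):      # domain suffix, e.g. ".example.org"
        return value.endswith(pattern)
    return pattern == value

def _match_list(tokens, value):
    """'a b EXCEPT c' matches when value is in the first list and not in the second."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], value) and not _match_list(tokens[i + 1:], value)
    return any(_match(t, value) for t in tokens)

def _first_match(rules, daemon, client):
    """Return the 1-based line number of the first matching rule, or None."""
    for lineno, line in enumerate(rules.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (p.replace(",", " ").split() for p in line.split(":")[:2])
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return lineno
    return None

def check(allow, deny, daemon, client):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    n = _first_match(allow, daemon, client)
    if n is not None:
        return ("granted", f"hosts.allow line {n}")   # hosts.deny is never read
    n = _first_match(deny, daemon, client)
    if n is not None:
        return ("denied", f"hosts.deny line {n}")
    return ("granted", "no match in either file")

# Constructed rule files; "popper" is an assumed daemon name for the pop3 service.
CLIENT = "61.134.64.199"                           # address from the quoted log
DENY = "ALL: 61.134.64.199\n"                      # the manually added block
ALLOW_OPEN = "sshd: 192.168.1.\npopper: ALL\n"     # blanket pop3 rule
ALLOW_FIXED = "sshd: 192.168.1.\npopper: ALL EXCEPT 61.134.64.199\n"

if __name__ == "__main__":
    print(check(ALLOW_OPEN, DENY, "popper", CLIENT))    # allow rule wins
    print(check(ALLOW_FIXED, DENY, "popper", CLIENT))   # falls through to deny
```

With the EXCEPT form the blanket rule still admits other addresses, so mail can be collected while travelling, and the listed address falls through to hosts.deny.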