From: kashani
Date: Sat, 24 Oct 2009 16:02:54 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Can't block pop3 attack
Message-ID: <4AE3879E.5020409@badapple.net>
In-Reply-To: <200910241639.18730.robin.atwood@attglobal.net>

Robin Atwood wrote:
> On Saturday 24 October 2009, Alan McKinnon wrote:
>> On Friday 23 October 2009 21:49:42 Robin Atwood wrote:
>>> My syslog is showing zillions of messages:
>>>
>>> Oct 24 02:25:58 opal xinetd[8054]: START: pop-3 pid=16534 from=61.134.64.199
>>> Oct 24 02:25:59 opal xinetd[16534]: warning: /etc/hosts.allow, line 7: can't verify hostname: gethostbyname(199.64.134.61.broad.gs.dynamic.163data.com.cn) failed
>>> Oct 24 02:26:09 opal xinetd[8054]: EXIT: pop-3 status=0 pid=16534 duration=11(sec)
>>>
>>> I run denyhosts but don't trap pop3 messages so I manually added the IP
>>> address to /etc/hosts.deny and..., it made absolutely no difference. I
>>> run qpopper which is compiled with xinetd support and xinetd uses tcpd,
>>> so I assumed the address would be blocked. Apparently not so. Any ideas?
>> You have allow ALL ALL early in hosts.allow, or
>> you have allow pop3 all earlier in hosts.allow
>
> The second! I had forgotten about that. The trouble I set it up that way so I
> could pick up email from arbitrary locations while travelling. It seems the
> price of that is allowing idiots to spam your logs.
>
> Thanks for the pointer.
> -Robin

You might think about moving to pop3-ssl or imap-ssl and dropping the
unencrypted protocols. Usually keeps people from banging on the servers
and much safer if you use the occasional unsecured wireless network.

kashani
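
Added example, not part of the original thread: a simplified Python model of the tcp_wrappers lookup order behind the diagnosis quoted above, showing why a broad hosts.allow rule makes a hosts.deny entry ineffective. The daemon name `pop-3`, the `sshd` rule and both file contents are constructed assumptions; only the client address comes from the quoted log.

```python
# Simplified model of the tcp_wrappers (hosts_access(5)) lookup order.
# Supports only "daemon_list : client_list" with ALL, exact values, and
# "192.0.2." / ".example.org" patterns; no options, EXCEPT or netmasks.

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:              # blank, comment-only or malformed
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # address prefix
        return value.startswith(pattern)
    if pattern.startswith("."):          # domain suffix
        return value.endswith(pattern)
    return pattern == value

def first_match(rules, daemon, client):
    for n, (daemons, clients) in enumerate(rules, 1):
        if (any(matches(d, daemon) for d in daemons)
                and any(matches(c, client) for c in clients)):
            return n
    return None

def decide(allow_text, deny_text, daemon, client):
    """hosts.allow is searched first; a hit grants access and hosts.deny is never read."""
    n = first_match(parse_rules(allow_text), daemon, client)
    if n:
        return ("allow", f"hosts.allow rule {n}")
    n = first_match(parse_rules(deny_text), daemon, client)
    if n:
        return ("deny", f"hosts.deny rule {n}")
    return ("allow", "no match (default)")

# Constructed file contents; only the client address is from the quoted log.
ALLOW = "sshd: 192.0.2.\npop-3: ALL\n"   # broad rule shadows hosts.deny
ALLOW_NARROW = "sshd: 192.0.2.\n"        # broad pop-3 rule removed
DENY = "ALL: 61.134.64.199\n"

if __name__ == "__main__":
    for allow in (ALLOW, ALLOW_NARROW):
        print(decide(allow, DENY, "pop-3", "61.134.64.199"))
```

With the broad rule removed, the deny entry takes effect for the listed address, while any client matching neither file is still admitted by default.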