November 24th, 2003, 12:35 AM
Anyone using QMP or know of any possible exploits in the wild?
I have a client using it and it is locking up on a daily basis - we
have done all of the maintenance suggested by CESoft, installed
new OS (9.2.2), re-installed QM software - I am suspecting
something malicious??? The firewall in use has SNORT integrated
but SNORT logs and FW logs show nothing interesting.
November 24th, 2003, 12:40 AM
Check for any back-ground processes that are running. Duplicate processes can easily cause the problem, or something that is conflicting with it.
Other than that, I don't know.
November 24th, 2003, 12:46 AM
I wouldn't necessarily associate that with something malacious. Do what SonofGalen said and check for wierd processes. I would lean more towards a conflict with another piece of software that you are running on the machine. You could try exiting all programs but the QMP client and see if you don't lockup anymore. Is this person running many programs when they are using the client?
November 24th, 2003, 12:49 AM
If none of this pans out, I would suggest switching the software that you are using. If the problem persists after that--let us know. That would probably be a sign of something malicious going on.
November 24th, 2003, 02:34 PM
Thanks for the replies, to clarify, this is QM Server not client
and running on OS9 - not X so as far as duplicate processes
goes - QM is the only App running - on a clean machine.
What makes me think malicious activity is that even though
SMTP relaying is turned off in the configuration and I have
verified that I don't seem to be able to relay but tons of stuff
that appears to be relay attempts still shows up in the queues.
Can someone direct me to a good resource for reading about
how spammers use relaying?
November 24th, 2003, 02:53 PM
That makes things a lot more clear. It sounds to me like you've either got spammers, a specific kind of DOS attack (see the link below), or a fuzzy router somewhere.
In all likely-hood, it is just spammers trying to use your mail server. If you can figure out that its all coming from the same place, you could configure the router to just block that IP Address/Range.
Addresses about spam/relays:
It could also be a relay authorization attack, a weird version of DOS:
If you have anymore questions, don't hesitate to ask.