Professional Web Applications Themes

run away poppers - SCO

Starting last Wednesday the mail popper in SCO version 5.0.4, 5.0.5, 5.0.6 with the security fix from 2002 applied have been getting looped. It looks like a new attack. Has anyone else been having this problem? Any work around? -- Gary Hart Worldlink...

  1. #1

    Default run away poppers

    Starting last Wednesday the mail popper in SCO version 5.0.4, 5.0.5, 5.0.6
    with the security fix from 2002 applied have been getting looped. It looks
    like a new attack. Has anyone else been having this problem? Any work
    around?

    --
    Gary Hart
    Worldlink


    gary Guest

  2. #2

    Default Re: run away poppers

    In article <boom7d$754$cetlink.net>, gary
    <com> wrote:
     

    Would you explain what you mean exactly by 'getting looped'.
    Do you mean the same IP is requesting access over and over and
    over? Have you elminated the possiblity that this is really
    coming from the outside and not a problem with the popper?


    --
    Bill Vermillion - bv wjv . com
    Bill Guest

  3. #3

    Default Re: run away poppers

    "gary" <com> wrote in message news:<boom7d$754$cetlink.net>... 

    Check ownership and permissions of the mailboxes.

    Andrey Bondar, SysAdmin,
    T.I.P.A.S. Ltd., Lithuania
    Andrey Guest

  4. #4

    Default Re: run away poppers

    The ownership and perms are right. It Happens on a meesage fragment that
    but a EOF in the middle that causes the popper to start looping if the mail
    is checked with a microsoft product ( ie outlook express or outlook ). Web
    mail like mail2web.com will not trigger this action. It either is a new DOS
    or bulk mailer causing this. This is happening on 3 different machines in 2
    different locations. These are high production machines.

    --
    Gary Hart
    Worldlink
    "Andrey Bondar" <lt> wrote in message
    news:google.com... 
    news:<boom7d$754$cetlink.net>... [/ref]
    5.0.6 [/ref]
    looks 
    >
    > Check ownership and permissions of the mailboxes.
    >
    > Andrey Bondar, SysAdmin,
    > T.I.P.A.S. Ltd., Lithuania[/ref]


    gary Guest

  5. #5

    Default Re: run away poppers

    Here is a example after it starts this can go on for 2GB. This has happened
    from 100 differenet sites in 5 days. This Mail server handles over a million
    pieces a day.

    this is the type of error in the syslog
    Nov 11 14:15:10 bones popper[2826]: EOF from at 65.217.41.205
    (wnc21741205.wncl
    ink.com): [0] 25 (Inappropriate I/O control operation); 0 (Unknown error)

    This is a sample of the mail box:

    ^A^A^A^A
    X-UIDL:
    ^A^A^A^A
    From com Mon Nov 10 21:54:37
    2003
    Return-Path: <com>
    Received: from mailpb-ne3.pandabearperks.com (mailpb-ne3.pandabearperks.com
    [64.
    191.10.122])
    by bones.wnclink.com (8.11.0/SCO5) with ESMTP id hAALsRU01508
    for <com>; Mon, 10 Nov 2003 21:54:27 GMT
    Received: by mailpb-ne3.pandabearperks.com (PowerMTA(TM) v1.5); Mon, 10 Nov
    2003
    16:50:09 -0500 (envelope-from
    <c
    om>)
    Errors-To: com
    Message-ID: <pandabearperks.com>
    From: Panda Bear Perks <com>
    Subject: ''Get a free digital camera with ink purchase''
    ^A^A^A^A
    ^A^A^A^A
    ^A^A^A^A
    ^A^A^A^A
    From com Mon Nov 10 21:54:37
    2003
    Return-Path: <com>
    Received: from mailpb-ne3.pandabearperks.com (mailpb-ne3.pandabearperks.com
    [64.
    191.10.122])
    :
    ==================
    Errors-To: com
    Message-ID: <pandabearperks.com>
    From: Panda Bear Perks <com>
    Subject: ''Get a free digital camera with ink purchase''
    ^A^A^A^A
    ^A^A^A^A
    ^A^A^A^A
    From com Mon Nov 10 21:54:37
    2003
    Return-Path: <com>
    Received: from mailpb-ne3.pandabearperks.com (mailpb-ne3.pandabearperks.com
    [64.
    191.10.122])
    by bones.wnclink.com (8.11.0/SCO5) with ESMTP id hAALsRU01508
    for <com>; Mon, 10 Nov 2003 21:54:27 GMT
    Received: by mailpb-ne3.pandabearperks.com (Pow


    ECT -
    notice the multiable EOF's

    --
    Gary Hart
    Worldlink
    "Andrey Bondar" <lt> wrote in message
    news:google.com... 
    news:<boom7d$754$cetlink.net>... [/ref]
    5.0.6 [/ref]
    looks 
    >
    > Check ownership and permissions of the mailboxes.
    >
    > Andrey Bondar, SysAdmin,
    > T.I.P.A.S. Ltd., Lithuania[/ref]


    gary Guest

  6. #6

    Default Re: run away poppers

    gary wrote (on Mon, Nov 10, 2003 at 01:47:06PM -0500): 

    We used to have this problem quite often (popper running out of control and
    creating a 2GB file). We solved it by using this version:

    -rwxrwxr-x 1 awacs egg 230812 Jul 16 1997 /etc/popper

    $ /etc/popper -v
    +OK egps.egps.com POP3 3.3(34) w/IMAP client at Tue, 11 Nov 2003 14:36:49 -0500
    (EST)


    --
    _________________________________________
    Nachman Yaakov Ziskind, EA, LLM com
    Attorney and Counselor-at-Law http://ziskind.us
    Economic Group Pension Services http://egps.com
    Actuaries and Employee Benefit Consultants
    Nachman Guest

  7. #7

    Default Re: run away poppers

    "gary" <com> wrote in message
    news:borct5$7u6$cetlink.net... 
    happened 
    million 
    21:54:37 
    (mailpb-ne3.pandabearperks.com 
    Nov 
    21:54:37 
    (mailpb-ne3.pandabearperks.com 
    21:54:37 
    (mailpb-ne3.pandabearperks.com 
    > news:<boom7d$754$cetlink.net>... [/ref]
    > 5.0.6 [/ref]
    > looks [/ref][/ref]
    work 
    > >
    > > Check ownership and permissions of the mailboxes.[/ref][/ref]

    ahh.. the old more-than-two ^A^A^A^A trick.

    I wasn't aware that it was Popper causing this issue, but it most certainly
    is Popper having the issue deciphering it.

    Move the mailbox out of the way, strip the excess ^A^A^A^A's (one at the
    start of the message, one at the end, so never mroe than two ^A^A^A^A lines
    after each other), and move it back.

    I've had ths on 505 and 506 boxes as well. Never really found the
    solution, other than don't strain the box too much.

    I think it's more of a bug in the local delivery agent (lmail).

    bkx


    Stuart Guest

  8. #8

    Default Re: run away poppers

    In article <3fb15a2c$tpgi.com.au>,
    Stuart J. Browne <com.au> wrote: 

    mutt also chokes on mailboxes that don't have exactly the right set of
    delimiters, so I wrote a tool to check/fix such mailboxes:

    ftp://ftp.armory.com/pub/scripts/mail/fix_mailx


    John
    --
    John DuBois com KC6QKZ/AE http://www.armory.com/~spcecdt/
    John Guest

  9. #9

    Default Re: run away poppers

    "gary" <com> wrote in message news:borct5$7u6$cetlink.net... 
    <snip>

    This is most definitely a problem with the version of SCO's popper you are using.
    I had the EXACT same symptoms but was not clever enough to have partitioned
    the /usr/spool/mail directory separately so my root file system would fill to 100%
    and cause the system to basically stop. It never happened until we began using
    the Microsoft e-mail products but alas, I can't blame them in this instance.

    You should upgrade your version of popper. Check the SCO web site.
    I'm sorry I don't know the exact version of my updated popper (or what SLS
    it came from). There is no -v option and searching through the file does not
    reveal a version number either. The directory listing of the binary is:

    -rwxr-xr-x 1 bin bin 171648 May 26 19:31 popper

    It does have the annoying effect of leaving "lock" files in the /tmp directory.
    Evidently, these files are used to hold the PID of the popper reading the
    mailbox and if this PID is already in use (because they wrap around at 32767),
    popper will log an error in /usr/adm/syslog:

    -ERR /usr/spool/mail/x is being read by another session.

    Until you remove the "lock" file in the /tmp directory, the user will not be
    able to retrieve their e-mail while there is a process running with the same PID
    as stored in the leftover lock file. I haven't seen an update addressing this
    problem yet. Everyone else says to install qpopper.

    Dave Hopkins


    D. Guest

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139