Qmail remote run by host not in rcpthosts


Qmail remote run by host not in rcpthosts

by Roger Harrell

It appears my server is being used by spammers to send, but I can't figure
out how. Smtp-auth is enabled and functioning. I can not send without
authenticating, and I can not send from a domain not in rcpthosts. However I
am seeing a lot of qmail-remote processes with hosts not in rcpthosts. Eg:
qmailr   17425  0.0  0.0   4044   920 ?        S    18:04   0:00
qmail-remote omct.org  LynettebelgradeWaddell@...
qmailr   17432  0.0  0.0   4044   920 ?        S    18:04   0:00
qmail-remote yaztay.com  rimingw997@...
qmailr   17467  0.0  0.0   4040   920 ?        S    18:05   0:00
qmail-remote td.sponsor.freemail.selfip.org  web@...

I have 1500 messages in my queue all in remote, and all from domains not in
rcpthosts.

1. Is there a way of viewing the content of the messages in the queue (I am
looking at qmhandle as an option).
2. Any thoughts on how to determine how this is happening, and how to stop
it?

I have a very small user group so spam control as far as my server sending
shouldn't be an issue. I can easily just limit it to a small set of users,
and no one else should be using my server to send.

Thanks in advance.

Roger Harrell
VP/CTO AudibleFaith.com
http://www.audiblefaith.com



Re: Qmail remote run by host not in rcpthosts

by Kyle Wheeler-2


On Thursday, September 10 at 09:04 PM, quoth Roger Harrell:
>It appears my server is being used by spammers to send, but I can't figure
>out how.

Have you looked in your logs?

My guess is that these are bounces.

>and I can not send from a domain not in rcpthosts.

rcpthosts restricts the ORIGINAL DESTINATION, not the source.

For example, if I send to doesnotexist@yourdomain from spam@spam,
vanilla qmail will accept the message, observe that doesnotexist
doesn't exist, and then bounce the message "back" to spam@spam.

>1. Is there a way of viewing the content of the messages in the queue
>(I am looking at qmhandle as an option).

Sure - it's all there in /var/qmail/queue/mess/*/*. I believe qmhandle
has a quick command for doing this, but... I don't know what it is
offhand.

>2. Any thoughts on how to determine how this is happening, and how to stop
>it?

Step 1 is to check your logs. Chances are that'll tell you how it's
happening. The next step is to use that information to stop it. For
example, you may need a recipient verification patch (e.g. realrcptto
or RCPTCHECK or one of the other ones, depending on what matches your
situation best).

~Kyle
--
The means of defense against foreign danger historically have become
the instruments of tyranny at home.
                                                       -- James Madison

Re: Qmail remote run by host not in rcpthosts

by Matt Simpson-11

At 9:04 PM 9/10/09, Roger Harrell wrote:
>It appears my server is being used by spammers to send, but I can't figure
>out how. Smtp-auth is enabled and functioning. I can not send without
>authenticating, and I can not send from a domain not in rcpthosts. However I
>am seeing a lot of qmail-remote processes with hosts not in rcpthosts.


Technically, qmail-remote is not being "run by host not in rcpthosts"
as the subject line says.  Qmail-remote is being run to process
messages that have been placed in the queue by some other process.
But that's just a semantic nit.

>1. Is there a way of viewing the content of the messages in the queue (I am
>looking at qmhandle as an option).

I think there are some utilities to do that, but I'm not very
familiar with them.  Of course, there's always the brute force
technique of ls'ing the queue directories and cat'ing the message
files.

>2. Any thoughts on how to determine how this is happening, and how to stop
>it?
>

Messages are being placed in your queue somehow.  This could be by
qmail-smtpd accepting them from a remote machine, or by qmail-queue
and qmail-inject being invoked by some process running on your
server.  If you're running a webserver, it may have been compromised
somehow, particularly if it's running some of the popular and
frequently-hacked mail-generation scripts.

Start by taking a look at your qmail logs.  Whenever a message is
placed in your queue, there should be a couple of messages like this:

Sep 11 01:13:08 rootbsd1 qmail: 1252645988.205517 new msg 782943
Sep 11 01:13:08 rootbsd1 qmail: 1252645988.205579 info msg 782943:
bytes 2366 from <root@...> qp 22281 ui

If the message came in via qmail-smtpd, there should be messages from
tcpserver before and after those messages, indicating the start and
end of the qmail-smtpd session. (Depending on your logging setup,
these messages may be in a different log).  That will tell you the IP
address of the machine that fed the message to your qmail-smtpd.

If there are no tcpserver connection messages, either you're looking
at the wrong log, or your logs are broken, or the messages are being
generated locally instead of coming through an smtpd session.  In
that case, AUTH and rcpthosts and all your other smtpd precautions
don't matter.  You need to figure out what's running on your server.


Re: Qmail remote run by host not in rcpthosts

by Abhilash Pottekat

Check the message-headers as well. Make sure it is not because of some spoofing happening from your own networks.


Re: Qmail remote run by host not in rcpthosts

by DAve-12

Kyle Wheeler wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Thursday, September 10 at 09:04 PM, quoth Roger Harrell:
>> It appears my server is being used by spammers to send, but I can't figure
>> out how.
>> 1. Is there a way of viewing the content of the messages in the queue
>> (I am looking at qmhandle as an option).
>
> Sure - it's all there in /var/qmail/queue/mess/*/*. I believe qmhandle
> has a quick command for doing this, but... I don't know what it is
> offhand.

I find qmqtool to be excellent for viewing, expiring and deleting emails
from a qmail queue.

http://jeremy.kister.net/code/qmqtool/files/

Do you have a webmail program? That has been the most common source of
abuse I have seen on a qmail server. Users with silly passwords can get
their webmail accounts abused quickly and efficiently.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org


Re: Qmail remote run by host not in rcpthosts

by Matt Simpson-11

At 12:53 AM 9/11/09, Kyle Wheeler wrote:
>My guess is that these are bounces.


Looking at this more carefully than I originally did, I think Kyle is right.

Syntax of qmail-remote is

qmail-remote host sender recip [ recip ... ]

In the case of a bounce, the sender is null, and would not appear in
the ps output.  (I tested this on my server to see whether it would
show up as <>, and it doesn't appear that way).

So, from the example in the original post:

qmailr   17425  0.0  0.0   4044   920 ?        S    18:04   0:00
qmail-remote omct.org  LynettebelgradeWaddell@...


the message is being sent to host omct.org from a null sender to
recipient LynettebelgradeWaddell@....  Null sender most likely
indicates a bounce.

The alternative explanation would be that the sender is
LynettebelgradeWaddell@... and the recipient got truncated from
the display.  The first explanation seems more logical.

Considering that these are bounces,  a plausible explanation is that
a spammer hit your host with a boatload of messages addressed to one
or more nonexistent addresses at some domain that does exist in your
rcpthosts.  Unless you have installed a recipient checking patch, the
normal action of an unpatched qmail would be to accept the messages,
and then generate bounces if the recipient does not exist.

Looking at your logs should verify this.  You should see the incoming
message, and then the outbound bounce.  The bounce is probably what's
driving the qmail-remote process you see.

And, as Kyle pointed out, the way to prevent bounces like this is to
patch qmail to verify recipients in the SMTP transaction and reject
invalid recipients at that point, instead of accepting the message
and bouncing it.  There are several good patches available to do this.
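Matt's two messages above describe what qmail-send logs for every queued message (the "new msg" / "info msg N: bytes B from <sender> qp Q uid U" pair, with the uid of whatever process called qmail-queue) and why a null sender marks a bounce. The Python script below is an added illustration, not anything from the thread: it parses those lines, separates the null-sender bounces from messages someone injected, links each bounce to the message that caused it, and groups injected messages by uid, which is how a qmail-smtpd delivery (running as qmaild) can be told apart from a script on the box (running as the webserver's uid). The sample log and the uid-to-name table are constructed.

```python
"""Triage a qmail-send log: null-sender bounces vs. messages injected per uid.

Added example, not from the thread. The "info msg" / "bounce msg" / "starting
delivery" line formats are qmail-send's own; the sample log and the uid-to-name
table are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
BOUNCE_RE = re.compile(r"bounce msg (\d+) qp (\d+)")
DELIVERY_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")

# Constructed mapping; take the real uids from /etc/passwd on the host.
UID_NAMES = {7791: "qmaild (qmail-smtpd)", 7796: "qmails (qmail-send)", 33: "www-data"}


def parse_qmail_send_log(lines):
    """Return {msgid: record}; a bounce's record also names the message it answers."""
    msgs = defaultdict(lambda: {"sender": None, "bytes": 0, "uid": None, "to": [], "bounce_of": None})
    pending_bounce = {}  # qp of a queued bounce -> original msgid ("bounce msg" is logged first)
    for line in lines:
        if m := INFO_RE.search(line):
            msgid, size, sender, qp, uid = m.groups()
            msgs[msgid].update(sender=sender, bytes=int(size), uid=int(uid))
            if qp in pending_bounce:
                msgs[msgid]["bounce_of"] = pending_bounce.pop(qp)
        elif m := BOUNCE_RE.search(line):
            # qmail-send queued a bounce for msg N through qmail-queue process Q;
            # the bounce's own "info msg" line carries that same qp.
            orig, qp = m.groups()
            pending_bounce[qp] = orig
        elif m := DELIVERY_RE.search(line):
            msgid, kind, addr = m.groups()
            msgs[msgid]["to"].append((kind, addr))
    return dict(msgs)


def triage(msgs):
    """Bounces have an empty envelope sender; everything else is counted per injecting uid."""
    bounces = sorted(mid for mid, r in msgs.items() if r["sender"] == "")
    by_uid = Counter(r["uid"] for r in msgs.values() if r["sender"] and r["uid"] is not None)
    return {"bounces": bounces, "injected_by_uid": dict(by_uid)}


def report(msgs):
    """Plain-text summary of what is driving the null-sender qmail-remote processes."""
    t = triage(msgs)
    out = [f"{len(t['bounces'])} queued bounce(s) (null sender):"]
    for mid in t["bounces"]:
        r = msgs[mid]
        targets = ", ".join(f"{k} {a}" for k, a in r["to"]) or "no delivery started yet"
        out.append(f"  msg {mid}: bounce of msg {r['bounce_of']} -> {targets}")
    out.append("Injected (non-bounce) messages by uid:")
    for uid, n in sorted(t["injected_by_uid"].items()):
        out.append(f"  uid {uid} ({UID_NAMES.get(uid, 'unknown, investigate')}): {n}")
    return "\n".join(out)


# Constructed sample: spam to a nonexistent local user accepted by an unpatched
# qmail-smtpd (uid 7791), the null-sender bounce qmail-send queues for it, and a
# message injected locally by a web script running as uid 33.
SAMPLE_LOG = """\
Sep 11 01:13:08 host qmail: 1252645988.205517 new msg 782943
Sep 11 01:13:08 host qmail: 1252645988.205579 info msg 782943: bytes 2366 from <spam@spam.example> qp 22281 uid 7791
Sep 11 01:13:08 host qmail: 1252645988.301000 starting delivery 1: msg 782943 to local doesnotexist@yourdomain.example
Sep 11 01:13:08 host qmail: 1252645988.402000 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Sep 11 01:13:08 host qmail: 1252645988.450000 bounce msg 782943 qp 22290
Sep 11 01:13:09 host qmail: 1252645989.100000 new msg 782950
Sep 11 01:13:09 host qmail: 1252645989.100100 info msg 782950: bytes 2800 from <> qp 22290 uid 7796
Sep 11 01:13:09 host qmail: 1252645989.200000 starting delivery 2: msg 782950 to remote spam@spam.example
Sep 11 01:13:20 host qmail: 1252646000.000000 new msg 782951
Sep 11 01:13:20 host qmail: 1252646000.000100 info msg 782951: bytes 900 from <www-data@yourdomain.example> qp 22300 uid 33
Sep 11 01:13:20 host qmail: 1252646000.100000 starting delivery 3: msg 782951 to remote someone@elsewhere.example
"""

if __name__ == "__main__":
    print(report(parse_qmail_send_log(SAMPLE_LOG.splitlines())))
```

Run it against the real qmail-send log (or the merged syslog) instead of SAMPLE_LOG; an unexpected uid in the second part of the report is the local injection Matt describes, and a large bounce count with no matching uid is the accept-then-bounce pattern.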

RE: Qmail remote run by host not in rcpthosts

by Roger Harrell



Abhilash Pottekat wrote on Friday, September 11, 2009:
> Check the message-headers as well. Make sure it is not because of some spoofing happening from your own networks.

There are no other machines on the network that would have access to SMTP on this box at all. It’s a network that consists of 2 servers.

Roger


RE: Qmail remote run by host not in rcpthosts

by Roger Harrell

I think this is it. Viewing the queue looks like

7 Sep 2009 16:18:38 GMT  #330214  3113  <>
        remote  mutilatedta98@...
4 Sep 2009 14:16:30 GMT  #331902  80767  <>
        remote  JohnLt@...
7 Sep 2009 19:30:21 GMT  #332957  2977  <>
        remote  intelligentlyo5@...

I'm assuming the <> is the null sender?

Now, as far as the patches, I'm looking at the validrcptto.cdb.patch (for
netqmail-1.05, I have an older QMR install).
Recommendations?

Roger

>Looking at this more carefully than I originally did, I think Kyle is right.
>
>Syntax of qmail-remote is
>
>qmail-remote host sender recip [ recip ... ]
>
>In the case of a bounce, the sender is null, and would not appear in
>the ps output.  (I tested this on my server to see whether it would
>show up as <>, and it doesn't appear that way).
>
>So, from the example in the original post:
>
>qmailr   17425  0.0  0.0   4044   920 ?        S    18:04   0:00
>qmail-remote omct.org  LynettebelgradeWaddell@...
>
>the message is being sent to host omct.org from a null sender to
>recipient LynettebelgradeWaddell@....  Null sender most likely
>indicates a bounce.




Re: Qmail remote run by host not in rcpthosts

by Kyle Wheeler-2


On Friday, September 11 at 12:34 PM, quoth Roger Harrell:

>I think this is it. Viewing the queue looks like
>
>7 Sep 2009 16:18:38 GMT  #330214  3113  <>
>        remote  mutilatedta98@...
>4 Sep 2009 14:16:30 GMT  #331902  80767  <>
>        remote  JohnLt@...
>7 Sep 2009 19:30:21 GMT  #332957  2977  <>
>        remote  intelligentlyo5@...
>
>I'm assuming the <> is the null sender?

Exactly.

>Now, as far as the patches, I'm looking at the validrcptto.cdb.patch (for
>netqmail-1.05, I have an older QMR install).
>Recommendations?

That's an excellent patch. IMHO, it's best suited for situations where
your list of acceptable recipients is relatively static, not
especially convoluted, and conforms to the standard qmail-style email
addresses (e.g. dynamic portions of the addresses are at the end of
the address, and are delineated with a hyphen). There's qmail-verify
if you would like to have multiple servers coordinate recipient
verification. There's realrcptto, for if your users are REALLY simple
(e.g. you don't use vpopmail). I personally use the RCPTCHECK patch
(as noted on my webpage, http://www.memoryhole.net/qmail/) because of
its flexibility---it allows me to have a fairly complicated perl-based
user-verification mechanism.

The bottom line, though, is that all of the recipient verification
patches on qmail.org are pretty good, and you should just pick
whichever one works in a way that makes the most sense to you and
works for your particular setup.

~Kyle
--
Old boys have their playthings as well as young ones; the difference
is only in the price.
                                                   -- Benjamin Franklin

RE: Qmail remote run by host not in rcpthosts

by Roger Harrell

>I personally use the RCPTCHECK patch
>(as noted on my webpage, http://www.memoryhole.net/qmail/) because of
>its flexibility---it allows me to have a fairly complicated perl-based
>user-verification mechanism.

I've reviewed validrcptto and the chkuser patches. I have a QMR install
which it appears means implementing the validrcptto patch will be a
significant pain. I can probably use chkuser, but haven't quite worked out
the install and can't find clear direction here that I can be confident will
work with my install. Can the RCPTCHECK patch be used with vpopmail (again
QMR install)? And if so, where will it get its userlist from?

Thanks again,
Roger



Re: Qmail remote run by host not in rcpthosts

by Kyle Wheeler-2


On Wednesday, September 16 at 01:12 PM, quoth Roger Harrell:
> Can the RCPTCHECK patch be used with vpopmail (again QMR install)?

Of course; I use it with vpopmail.

> And if so, where will it get its userlist from?

Wherever you like. RCPTCHECK is flexible precisely because it somewhat
punts on the question of how to figure out what users are valid.
Rather than implementing some technique directly in qmail-smtpd (like
validrcptto or chkuser or any of the others), it allows you to call
any script you like. So you could, for example, create a flat file of
users and use `grep` to validate users. Or you could use a cdb
database. Or you could use vuserinfo; whatever you like.

The script I use is rather complicated, because different domains use
different user management schemes (e.g. I have several lists.* domains
that use GNU Mailman to define their users). But, for example, if you
know that the recipient's domain is maintained by vpopmail, you can
use this:

    #!/bin/bash
    # RCPTCHECK script: qmail-smtpd sets $RECIPIENT for each RCPT TO
    if vuserinfo "$RECIPIENT" >/dev/null 2>&1 ; then
        exit 0   # user exists: accept the recipient
    else
        exit 111 # unknown user: 111 is qmail's temporary-failure code
    fi

~Kyle
--
It's amazing how much "mature wisdom" resembles being too tired.
                                                 -- Robert A. Heinlein

RE: Qmail remote run by host not in rcpthosts

by Roger Harrell

>But, for example, if you
>know that the recipient's domain is maintained by vpopmail, you can
>use this:
>
>    #!/bin/bash
>    # RCPTCHECK script: qmail-smtpd sets $RECIPIENT for each RCPT TO
>    if vuserinfo "$RECIPIENT" >/dev/null 2>&1 ; then
>        exit 0   # user exists: accept the recipient
>    else
>        exit 111 # unknown user: 111 is qmail's temporary-failure code
>    fi



Ok, so just to be sure. I now have a script
/var/qmail/libexec/checkrecipient which is:
    #!/bin/bash
    # RCPTCHECK script: qmail-smtpd sets $RECIPIENT for each RCPT TO
    if vuserinfo "$RECIPIENT" >/dev/null 2>&1 ; then
        exit 0   # user exists: accept the recipient
    else
        exit 111 # unknown user: 111 is qmail's temporary-failure code
    fi

And now after implementing the RCPTCHECK patch I can add:
:allow,RCPTCHECK="/var/qmail/libexec/checkrecipient"

To /etc/tcp.smtp

To implement this patch?

Thanks,
Roger



Re: Qmail remote run by host not in rcpthosts

by Kyle Wheeler-2


>And now after implementing the RCPTCHECK patch I can add:
>:allow,RCPTCHECK="/var/qmail/libexec/checkrecipient"
>
>To /etc/tcp.smtp
>
>To implement this patch?

And recompile the /etc/tcp.smtp.cdb, but yup, that all looks good.

~Kyle
--
We act as though comfort and luxury were the chief requirements of
life, when all that we need to make us really happy is something to be
enthusiastic about.
                                                   -- Charles Kingsley

Re: Qmail remote run by host not in rcpthosts

by Mark Jason Dominus

Kyle Wheeler:
> RCPTCHECK is flexible precisely because it somewhat
> punts on the question of how to figure out what users are valid.
> Rather than implementing some technique directly in qmail-smtpd (like
> validrcptto or chkuser or any of the others), it allows you to call
> any script you like.

Here is the script I use.  I don't expect anyone will want to use it
precisely as it is, but it may be useful to someone as a starting
point to which they can apply additions and subtractions.

#!/usr/bin/perl
# RCPTCHECK script: exit 0 accepts the recipient, exit 100 rejects it
# (qmail's permanent-failure code); the address arrives in $ENV{RECIPIENT}.
use strict;
use warnings;
use Time::HiRes ();

my $ACCEPT_ALL = "/tmp/rcptcheck-ok";   # touch this file to accept everything

$SIG{ALRM} = sub { exit 1; };            # bail out if an alarm ever fires

# Dump the environment qmail-smtpd hands us, once, for debugging.
unless (-e "/tmp/RCPTCHECK.env") {
  open my($f), ">", "/tmp/RCPTCHECK.env";
  for my $k (sort keys %ENV) {
    print $f "$k $ENV{$k}\n";
  }
}

# One log file per day; if it cannot be opened, accept rather than reject.
my ($d, $m, $y) = (localtime())[3,4,5];
$m += 1; $y += 1900;
unless (open F, ">>", sprintf("/tmp/RCPTCHECK.%04d%02d%02d.out", $y, $m, $d)) {
  warn "Couldn't open RCPTCHECK.out: $!; skipping\n";
  exit 0;
}
# use Fcntl ':flock';
my $start = Time::HiRes::time();
my $elapsed = Time::HiRes::time() - $start;
print F time(), " $$ elapsed-time $elapsed\n" if $elapsed > 3;

if (-e $ACCEPT_ALL) {
  Log("ok", "ACCEPT_ALL");
  exit 0;
}

my $sender = $ENV{SENDER};
my ($user, $host) = split /\@/, lc $ENV{RECIPIENT};
(my $ufile = $user) =~ tr/./:/;          # qmail maps dots in .qmail-* names to colons

# Only plover.com recipients are checked; other domains are accepted as-is.
if ($host !~ /\bplover.com$/) {
  Log("ok", "nonplover");
  exit 0;
}

# Addresses of the form user-getvN / user-threadvN are rejected outright.
if ($user =~ /-(get|thread)v\d+$/) {
  Log("bad", "getthread $user");
  exit 100;
}

# Accept if an alias file /var/qmail/alias/.qmail-<user> exists.
my $file = "/var/qmail/alias/.qmail";
if (-e "$file-$ufile") {
  Log("ok", "alias");
  exit 0;
}

# Accept if the part before the first hyphen is a system account.
(my $base_user = $user) =~ s/-.*//;
if (getpwnam($base_user)) {
  Log("ok", "user");
  exit 0;
}

# Accept if a .qmail-default or .qmail-<prefix>-default alias covers the address.
my $partial = "";
for my $component (split /-/, $ufile) {
  if (-e "$file$partial-default") {
    Log("ok", "alias qmail$partial-default");
    exit 0;
  }
  $partial .= "-$component";
}

Log("bad");
exit 100;

# Append one line per decision: epoch, pid, recipient, verdict, reason.
sub Log {
    my $recip = $ENV{RECIPIENT};
    $recip = "-" if !defined $recip || $recip eq "";
    print F time, " $$ $recip @_\n";
}
 

RE: Qmail remote run by host not in rcpthosts

by Roger Harrell

>>And now after implementing the RCPTCHECK patch I can add:
>>:allow,RCPTCHECK="/var/qmail/libexec/checkrecipient"
>>
>>To /etc/tcp.smtp
>>
>>To implement this patch?
>
>And recompile the /etc/tcp.smtp.cdb, but yup, that all looks good.
>


Ugh, ok, so I tried to apply the patch and got failures. Walked through the
.rej file and tried to manually implement these changes. Here is my
qmail-smtpd.c and the rej file as well as the qmail-smtpd.cbk which is
pre-patched. Here's the compile errors. I'm not at all strong in C, and
besides I don't know at this point if the patch points that did work may
have applied incorrectly. The location at line 518 is not a point that I
modified.

make: Warning: File `qmail-smtpd.c' has modification time 1.5e+03 s in the
future
./compile qmail-smtpd.c
qmail-smtpd.c: In function 'smtp_rcpt':
qmail-smtpd.c:755: error: invalid storage class for function 'tmp_rsa_cb'
qmail-smtpd.c: In function 'main':
qmail-smtpd.c:1042: warning: return type of 'main' is not 'int'
qmail-smtpd.c: In function 'smtp_rcpt':
qmail-smtpd.c:1069: error: static declaration of 'checkrcptcount' follows
non-static declaration
qmail-smtpd.c:518: error: previous implicit declaration of 'checkrcptcount'
was here
qmail-smtpd.c:1073: error: expected declaration or statement at end of input
make: *** [qmail-smtpd.o] Error 1

Is there something simple I messed up in the manual patching?

Thanks,
Roger





Attachments: qmail-smtpd.cbk (29K), qmail-smtpd.c (30K), qmail-smtpd.c.rej (2K)

Re: Qmail remote run by host not in rcpthosts

by Kyle Wheeler-2


On Friday, September 18 at 01:17 PM, quoth Roger Harrell:
> Ugh, ok, so I tried to apply the patch and got failures. Walked
> through the .rej file and tried to manually implement these changes.
> Here is my qmail-smtpd.c and the rej file as well as the
> qmail-smtpd.cbk which is pre-patched. Here's the compile errors.

It's a bracket problem. In the file where you have this:

    else {
#ifndef TLS
      if (!addrallowed()) { err_nogateway(); return; }
      if (!addrvalid()) { err_badrcpt(); return; }
    } // <--- this bracket
#else
      if (!addrallowed())

The bracket right above the "#else" is misplaced. You should really
move that lower in the function, to the line just after #endif, so
that the end of the function looks like this:

        else { err_nogateway(); return; }
       }
#endif
  } // <-- moved bracket from above
  if (!stralloc_cats(&rcptto,"T")) die_nomem();
  if (!stralloc_cats(&rcptto,addr.s)) die_nomem();
  if (!stralloc_0(&rcptto)) die_nomem();
  out("250 ok\r\n");
}


~Kyle
--
Two things fill the mind with ever new and increasing wonder and awe,
the more often and the more seriously reflection concentrates upon
them: the starry heaven above me and the moral law within me.
                                                      -- Immanuel Kant