Hi,

On Wed, 27 Aug 2003, Louis LeBlanc wrote:

> On 08/27/03 05:52 PM, David sat at the `puter and typed:
> > The setup is pretty secure (I think) and I don't find any evidence
> > in my logs that I have an open relay. The problem is that I got a
> > LOT of connections from someone that tries to send e-mail to fake
> > users at my domain. The logfile grows at rapid speed and I got 180
> > MB log just for the last 12 hours.
> >
> > The connections are from random IP-addresses. It's different
> > addresses and domains each time, but the pattern is the same.
> >
> > Example 1:
> >
> > Aug 27 17:54:44 www postfix/smtpd[10056]: 73D9110F26: reject: RCPT
> > from smtp.terra.es[213.4.129.129]: 550 <[EMAIL PROTECTED]>: User
> > unknown in virtual alias table; from=<> proto=ESMTP
> > helo=<tsmtp8.mail.isp>
> >
> > Example 2:
> >
> > Aug 27 17:54:42 www postfix/smtpd[10069]: E2D9910F2E: reject: RCPT
> > from host048021.arnet.net.ar[200.45.48.21]: 550
> > <[EMAIL PROTECTED]>: User unknown in virtual alias table;
> > from=<> proto=ESMTP helo=<smtp-mx-02.ti.local>

My guess is that if you check your logs, all the entries contain
"from=<>". If that's the case, you're probably seeing tons of bounce
messages from other (badly-configured) mail systems as a result of a
spammer forging <[EMAIL PROTECTED]> into the From: header of their spam
run.

N.B.: This is precisely why you always want to reject mail during the
SMTP phase rather than accepting it, determining it's spam, and sending
a bounce message about it later after the SMTP transaction is over.
*Never* bounce spam unless you want to be responsible for DOS'ing
innocent parties. Reject = good, bounce = bad.

> > Any idea how to stop this. The server is behind a firewall, so I
> > guess it's possible to block this bastard, but I don't know how to
> > nail him.

Briefly accept all mail to nonexistent users (say for 5-10 minutes) to
capture a sample of the bounce traffic. Some of those should have the
full spam attached, complete with headers.

Analyze those to find the origin of the spam (probably an open proxy on
a cable modem somewhere) and contact the abuse and security people at
the relevant ISP. Then pray the ISP's staff is run by someone smarter
than a loaf of bread and willing and capable of fixing the problem.
Don't hold your breath... :/

> Ok, I know you have directed this query to gurus, but I'm gonna
> present a suggestion anyway.
>
> I'm not familiar with postfix - I run Sendmail myself and I'm hardly a
> guru there either - but can't you require validation to connect to the
> server? All users on my system have to validate before being allowed
> to send mail. Unless I'm mistaken, that prevents outside spammers
> from connecting like that and sending mail anywhere, inside or out.

Not if you want to accept mail traffic from the rest of the internet.
These are probably bounce messages (DSNs) from legit servers being
victimized by a spam run. Spammers aren't touching his machine
directly.

hth,
-- 
Bob

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
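Added example, not part of Bob's post or anything else in this thread: a short Python script that performs the log check Bob suggests (are all the RCPT rejects null-sender, i.e. `from=<>`, backscatter?) and breaks the matching lines down by client IP, HELO name and forged recipient, which is the raw material you need before contacting an ISP's abuse desk. The log lines embedded in it are constructed for the example, modelled on David's two Postfix `smtpd` reject lines with the redacted addresses replaced by `example.net` names, plus one non-null-sender reject and one non-reject line for contrast. The regex follows the `postfix/smtpd ... reject: RCPT from ...` format visible in those lines; the "User unknown" test string is taken from them as well.

```python
#!/usr/bin/env python3
"""Classify Postfix smtpd RCPT rejects as backscatter (DSNs to forged
senders) versus direct spam attempts, and summarize who is sending them.

Heuristic (from the mailing-list diagnosis): a reject of a *null*
envelope sender (from=<>) for an unknown local user is almost always a
bounce message from some other MTA that accepted spam with one of our
addresses forged as the sender.  Rejects with a non-empty sender are
something else (direct delivery attempts, dictionary attacks, ...).
"""
import re
import sys
from collections import Counter

# Constructed sample log, modelled on the two examples quoted in the thread
# (addresses replaced with example.net / example.com names).  Lines 1-3 are
# null-sender "user unknown" rejects, line 4 is a reject with a real sender,
# line 5 is not a reject at all and must be ignored by the parser.
SAMPLE_LOG = """\
Aug 27 17:54:44 www postfix/smtpd[10056]: 73D9110F26: reject: RCPT from smtp.terra.es[213.4.129.129]: 550 <bogus1@example.net>: User unknown in virtual alias table; from=<> proto=ESMTP helo=<tsmtp8.mail.isp>
Aug 27 17:54:42 www postfix/smtpd[10069]: E2D9910F2E: reject: RCPT from host048021.arnet.net.ar[200.45.48.21]: 550 <bogus2@example.net>: User unknown in virtual alias table; from=<> proto=ESMTP helo=<smtp-mx-02.ti.local>
Aug 27 17:55:01 www postfix/smtpd[10070]: 1A2B310F30: reject: RCPT from smtp.terra.es[213.4.129.129]: 550 <bogus3@example.net>: User unknown in virtual alias table; from=<> proto=ESMTP helo=<tsmtp8.mail.isp>
Aug 27 17:56:10 www postfix/smtpd[10071]: 4C5D610F31: reject: RCPT from unknown[192.0.2.77]: 550 <bogus4@example.net>: User unknown in virtual alias table; from=<spammer@example.com> proto=SMTP helo=<friend>
Aug 27 17:56:12 www postfix/smtpd[10071]: 4C5D610F31: client=unknown[192.0.2.77]
"""

# One RCPT reject line as logged by postfix/smtpd in the thread's examples.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): reject: RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> proto=(?P<proto>\S+) "
    r"helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(text):
    """Return one dict per RCPT reject line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_backscatter(ev):
    """Null envelope sender + unknown recipient == DSN to a forged address."""
    return ev["sender"] == "" and "User unknown" in ev["reason"]


def summarize(events):
    """Split rejects into backscatter vs. other and tally the backscatter."""
    bs = [e for e in events if is_backscatter(e)]
    return {
        "total_rejects": len(events),
        "backscatter": len(bs),
        "other": len(events) - len(bs),
        # Bob's test: if *every* reject is from=<>, this is a bounce storm.
        "all_null_sender": bool(events) and all(e["sender"] == "" for e in events),
        "by_ip": Counter(e["ip"] for e in bs),       # bouncing MTAs (victims)
        "by_helo": Counter(e["helo"] for e in bs),
        "forged_rcpts": Counter(e["rcpt"] for e in bs),  # addresses the spammer forged
    }


def report(summary):
    """Human-readable version of summarize()'s output."""
    lines = [
        f"rejects: {summary['total_rejects']}  "
        f"backscatter: {summary['backscatter']}  other: {summary['other']}",
        f"all rejects null-sender (bounce storm): {summary['all_null_sender']}",
        "top bouncing MTAs:",
    ]
    for ip, n in summary["by_ip"].most_common(10):
        lines.append(f"  {n:6d}  {ip}")
    lines.append("most-forged recipients:")
    for rcpt, n in summary["forged_rcpts"].most_common(10):
        lines.append(f"  {n:6d}  {rcpt}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: backscatter.py /var/log/maillog   (defaults to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(parse_rejects(text))))
```

On a real 180 MB maillog the `by_ip` table tells you which MTAs are bouncing at you (the victims, not the spammer), and `forged_rcpts` tells you which of your addresses were forged; the actual origin only becomes visible once you have captured a few full DSNs with the spam attached, as Bob describes above.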