mail logs, constant connect/disconnect from one site
After disabling relays.osirusoft.com (DNSRBL), I was checking my mail logs and found hundreds of:

wahoo postfix/smtpd[21655]: connect from unknown[61.248.137.183]
wahoo postfix/smtpd[21655]: disconnect from unknown[61.248.137.183]

Parsing input: 61.248.137.183
host 61.248.137.183 (getting name) no name
Reporting addresses:
spamrelay@certcc.or.kr
postmaster@shinbiro.com
abuse@shinbiro.com

and [pls forgive long lines]

wahoo postfix/smtpd[7629]: connect from CPE0050f2c347af-CM400026310183.cpe.net.cable.rogers.com[65.48.226.202]
wahoo postfix/smtpd[7629]: disconnect from CPE0050f2c347af-CM400026310183.cpe.net.cable.rogers.com[65.48.226.202]

and several others over the last 4/5 days. The first listed, 61.248.137.183, tried for 3 solid hours 3 and 4 times per second.

Are they trying to relay mail thru me, or what ???

tks,
--
Patrick Shanahan
Registered Linux User #207535
http://wahoo.no-ip.org @ http://counter.li.org
On Fri, Aug 29, 2003 at 10:48:40PM -0500 or thereabouts, Patrick Shanahan wrote:
> After disabling relays.osirusoft.com (DNSRBL), I was checking my mail logs and found hundreds of:
>
> wahoo postfix/smtpd[21655]: connect from unknown[61.248.137.183]
> wahoo postfix/smtpd[21655]: disconnect from unknown[61.248.137.183]
>
> and [pls forgive long lines]
>
> wahoo postfix/smtpd[7629]: connect from CPE0050f2c347af-CM400026310183.cpe.net.cable.rogers.com[65.48.226.202]
> wahoo postfix/smtpd[7629]: disconnect from CPE0050f2c347af-CM400026310183.cpe.net.cable.rogers.com[65.48.226.202]
>
> and several others over the last 4/5 days.
> The first listed, 61.248.137.183, tried for 3 solid hours 3 and 4 times per second.
> Are they trying to relay mail thru me, or what ???
Yes, probably.. spamcop shows on one of the above.
http://www.spamcop.net/w3m?action=checkblock&ip=61.248.137.183

This could also be the latest worm going around, but I have had several attempts over the last 36 hours, of spammers, maybe 400 in all, from all over the world. Many of them use software that will keep trying over and over again if given a 4.4.1 reject by your mail server, which tells them to try again later. I always use the 5.5.3 which is a permanent reject. This helps somewhat.

If it really bothers you, you can quickly add a drop of the IP address or block in iptables, on the fly.

If you are running your own mail server, this is pretty much normal, but obviously be sure you are set up not to relay... Your logs will tell you, learn to trust them..

I don't use postfix, but rather qmail, and utilize a few RBLs, but more importantly use my own RBL, which I have developed over time, and add to daily... works well. I even block entire countries, and always block IP addresses with no reverse address.. this really helps...

--
Gary
Doing a job RIGHT the first time gets the job done. Doing the job WRONG fourteen times gives you job security.