Hello again,
This time the question is simple: my server is being maliciously
used to send spam, and this has to stop. Here are the log entries in
question (latest ones):
Dec 22 19:03:17 raptor postfix/smtpd[25021]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25021]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25077]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25077]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25076]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25076]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25075]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25075]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25072]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25072]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
*Dec 22 19:03:17 raptor postfix/smtpd[25021]: connect from ccibc.eu[89.121.199.170]
Dec 22 19:03:17 raptor postfix/smtpd[25021]: 99EB51BC37B: client=ccibc.eu[89.121.199.170]
Dec 22 19:03:17 raptor postfix/cleanup[25040]: 99EB51BC37B: message-id=<[email protected]>
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 99EB51BC37B: from=<[email protected]>, size=1307600, nrcpt=1 (queue active)
Dec 22 19:03:18 raptor postfix/smtpd[25021]: disconnect from ccibc.eu[89.121.199.170]*
*Dec 22 19:03:18 raptor postfix/smtp[25079]: 99EB51BC37B: to=<[email protected]>, relay=none, delay=0.62, delays=0.61/0/0/0, dsn=5.4.6, status=bounced (mail for djx.topedge.com loops back to myself)
Dec 22 19:03:18 raptor postfix/cleanup[25040]: 42B741BC5C9: message-id=<[email protected]>
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1 (queue active)
Dec 22 19:03:18 raptor postfix/bounce[25080]: 99EB51BC37B: sender non-delivery notification: 42B741BC5C9
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 99EB51BC37B: removed*
Dec 22 19:03:18 raptor postfix/smtpd[25077]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:18 raptor postfix/smtpd[25076]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:18 raptor postfix/smtpd[25075]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:18 raptor postfix/smtpd[25072]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:18 raptor postfix/smtpd[25021]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
*Dec 22 19:03:18 raptor postfix/smtp[25081]: 42B741BC5C9: to=<[email protected]>, relay=ccibc.eu[89.121.199.170]:25, delay=0.36, delays=0.03/0.01/0.2/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A298FD61C24)
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: removed*
Also, I'm getting a lot of these kinds of entries lately (*Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1 (queue active)*) with an unknown sender. Unfortunately these
bounces are what put my server on several backscatter lists. Is there
any way to reject these kinds of senders "<>" from the start
(reject_unknown_sender?). Is there any way to insert longer and
longer delays for unauthorized connections such as the ones from
88.166.185.164 with each connection attempt? Something like proftpd's
throttle module.
Thank you and be kind. Point me to the right manual :))
Kind regards,
--
Razvan Chitu
Network Engineer
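As an added example (not from the post or from Postfix itself), here is a small Python pass over a constructed log sample modelled on the entries above: it counts clients that hang up after RCPT, and it ties each from=<> non-delivery notification that actually left the server back to the message that triggered it, which is the chain the highlighted entries show (99EB51BC37B bounced locally, NDN 42B741BC5C9 sent out to ccibc.eu). The local parts of the sample addresses are made up; everything else mirrors the posted lines.

```python
"""Spot two abuse signatures in Postfix logs (added example, not from the post):
clients that repeatedly hang up after RCPT, and backscatter, i.e. an NDN from <>
that this server generated and then delivered to an outside host."""
import re
from collections import Counter

# Constructed sample, modelled on the entries in the post (local parts are made up).
SAMPLE_LOG = """\
Dec 22 19:03:17 raptor postfix/smtpd[25021]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25077]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25076]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
Dec 22 19:03:17 raptor postfix/smtpd[25021]: 99EB51BC37B: client=ccibc.eu[89.121.199.170]
Dec 22 19:03:18 raptor postfix/smtp[25079]: 99EB51BC37B: to=<user@djx.topedge.com>, relay=none, delay=0.62, delays=0.61/0/0/0, dsn=5.4.6, status=bounced (mail for djx.topedge.com loops back to myself)
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1 (queue active)
Dec 22 19:03:18 raptor postfix/bounce[25080]: 99EB51BC37B: sender non-delivery notification: 42B741BC5C9
Dec 22 19:03:18 raptor postfix/smtp[25081]: 42B741BC5C9: to=<forged@ccibc.eu>, relay=ccibc.eu[89.121.199.170]:25, delay=0.36, delays=0.03/0.01/0.2/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A298FD61C24)
"""
LOST_RE = re.compile(r"smtpd\[\d+\]: lost connection after (\w+) from \S+\[([\d.]+)\]")
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (\w+): client=\S+\[([\d.]+)\]")
BOUNCED_RE = re.compile(r"smtp\[\d+\]: (\w+): to=<[^>]*>.*status=bounced \((.*)\)")
NULL_RE = re.compile(r"qmgr\[\d+\]: (\w+): from=<>,")          # locally generated NDN
NDN_RE = re.compile(r"bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
SENT_RE = re.compile(r"smtp\[\d+\]: (\w+): to=<[^>]*>, relay=(\S+), .*status=sent")

def dropped_after_rcpt(lines, threshold=3):
    """Clients that disconnected after RCPT at least `threshold` times: {ip: count}."""
    counts = Counter()
    for line in lines:
        m = LOST_RE.search(line)
        if m and m.group(1) == "RCPT":
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def backscatter(lines):
    """Each NDN (from=<>) delivered off-box, linked to its cause: (orig_qid, orig_client_ip, reason, ndn_qid, relay)."""
    client_of, reason_of, null_sender, ndn_of, relay_of = {}, {}, set(), {}, {}
    for line in lines:
        if m := CLIENT_RE.search(line):        # which client injected the original message
            client_of[m.group(1)] = m.group(2)
        elif m := BOUNCED_RE.search(line):     # why the original message bounced
            reason_of[m.group(1)] = m.group(2)
        elif m := NULL_RE.search(line):        # queue ids that are null-sender NDNs
            null_sender.add(m.group(1))
        elif m := NDN_RE.search(line):         # original qid -> NDN qid
            ndn_of[m.group(1)] = m.group(2)
        elif m := SENT_RE.search(line):        # NDN qid -> remote relay it was delivered to
            relay_of[m.group(1)] = m.group(2)
    return [(o, client_of.get(o), reason_of.get(o), n, relay_of[n])
            for o, n in ndn_of.items() if n in null_sender and n in relay_of]
```

Run over a real mail log, the second list is exactly the set of accepted-then-bounced messages that reach backscatter traps; each row names the client that injected the message and the reason it could not be delivered locally.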