On 12/22/2010 12:52 PM, Razvan Chitu wrote:
> Hello again,
> This time the question is simple: my server is being maliciously
> used to send spam, and this has to stop. Here are the log entries in
> question (latest ones):
>
> Dec 22 19:03:17 raptor postfix/smtpd[25021]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25021]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25077]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25077]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25076]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25076]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25075]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25075]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25072]: lost connection after RCPT from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:17 raptor postfix/smtpd[25072]: disconnect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> *Dec 22 19:03:17 raptor postfix/smtpd[25021]: connect from ccibc.eu[89.121.199.170]
> Dec 22 19:03:17 raptor postfix/smtpd[25021]: 99EB51BC37B: client=ccibc.eu[89.121.199.170]
> Dec 22 19:03:17 raptor postfix/cleanup[25040]: 99EB51BC37B: message-id=<[email protected]>
> Dec 22 19:03:18 raptor postfix/qmgr[23830]: 99EB51BC37B: from=<[email protected]>, size=1307600, nrcpt=1 (queue active)
> Dec 22 19:03:18 raptor postfix/smtpd[25021]: disconnect from ccibc.eu[89.121.199.170]*
> *Dec 22 19:03:18 raptor postfix/smtp[25079]: 99EB51BC37B: to=<[email protected]>, relay=none, delay=0.62, delays=0.61/0/0/0, dsn=5.4.6, status=bounced (mail for djx.topedge.com loops back to myself)
> Dec 22 19:03:18 raptor postfix/cleanup[25040]: 42B741BC5C9: message-id=<[email protected]>
> Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1 (queue active)
> Dec 22 19:03:18 raptor postfix/bounce[25080]: 99EB51BC37B: sender non-delivery notification: 42B741BC5C9
> Dec 22 19:03:18 raptor postfix/qmgr[23830]: 99EB51BC37B: removed*
> Dec 22 19:03:18 raptor postfix/smtpd[25077]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:18 raptor postfix/smtpd[25076]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:18 raptor postfix/smtpd[25075]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:18 raptor postfix/smtpd[25072]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> Dec 22 19:03:18 raptor postfix/smtpd[25021]: connect from dan75-7-88-166-185-164.fbx.proxad.net[88.166.185.164]
> *Dec 22 19:03:18 raptor postfix/smtp[25081]: 42B741BC5C9: to=<[email protected]>, relay=ccibc.eu[89.121.199.170]:25, delay=0.36, delays=0.03/0.01/0.2/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A298FD61C24)
> Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: removed*
>
> Also, I'm having a lot of these kinds of entries lately (*Dec 22 19:03:18
> raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1
> (queue active)*) with unknown sender. Unfortunately these
> bounces are what put my server on several backscatter lists. Is there
> any way to reject these kinds of senders "<>" from the start
> (reject_unknown_sender?). Is there any way to insert longer and
> longer delays for unauthorized connections such as the ones from
> 88.166.185.164 with each connection attempt? Something like proftpd's
> throttle module.
>
> Thank you and be kind. Point me to the right manual :))
>
> Kind regards,
>
> --
> Razvan Chitu
> Network Engineer
Is your server configured as an open relay? Show postconf -n output please.

-Matt
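The quoted log shows the pattern Matt is probing for: the server accepted a message from ccibc.eu for a domain it turned out not to be able to deliver (dsn=5.4.6, "mail for djx.topedge.com loops back to myself"), generated a non-delivery notification with the null sender (from=<>), and relayed that bounce out to ccibc.eu. That accepted-then-bounced sequence is what lands a host on backscatter lists; the fix is to refuse the unwanted recipient at RCPT TO time (reject_unauth_destination in smtpd_recipient_restrictions, with mydestination/relay_domains listing only domains the server really handles) so no bounce is ever created. Rejecting every <> sender is not a substitute: the null sender is how legitimate bounces for your own users arrive. The following script is an added example, not code from the thread or from Postfix: it correlates Postfix log lines by queue ID and flags (1) accepted messages that bounce with "loops back to myself" and (2) locally generated null-sender bounces relayed to external hosts, while leaving inbound null-sender mail delivered locally alone. The sample log is constructed from the entries quoted above; recipient addresses, message-ids and the third (inbound-bounce) transaction from 192.0.2.10 are placeholders I made up, since the original obfuscated them.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix entries quoted in the thread.
# Queue IDs, hosts and addresses for the first two transactions come from the
# quoted log; recipient/message-id values and the whole 0AA00BB0001 transaction
# (an inbound bounce for a local user) are made-up placeholders.
SAMPLE_LOG = """\
Dec 22 19:03:17 raptor postfix/smtpd[25021]: connect from ccibc.eu[89.121.199.170]
Dec 22 19:03:17 raptor postfix/smtpd[25021]: 99EB51BC37B: client=ccibc.eu[89.121.199.170]
Dec 22 19:03:17 raptor postfix/cleanup[25040]: 99EB51BC37B: message-id=<msgid-placeholder@example.invalid>
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 99EB51BC37B: from=<sender@example.invalid>, size=1307600, nrcpt=1 (queue active)
Dec 22 19:03:18 raptor postfix/smtp[25079]: 99EB51BC37B: to=<user@djx.topedge.com>, relay=none, delay=0.62, delays=0.61/0/0/0, dsn=5.4.6, status=bounced (mail for djx.topedge.com loops back to myself)
Dec 22 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=<>, size=3425, nrcpt=1 (queue active)
Dec 22 19:03:18 raptor postfix/bounce[25080]: 99EB51BC37B: sender non-delivery notification: 42B741BC5C9
Dec 22 19:03:18 raptor postfix/smtp[25081]: 42B741BC5C9: to=<sender@example.invalid>, relay=ccibc.eu[89.121.199.170]:25, delay=0.36, delays=0.03/0.01/0.2/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A298FD61C24)
Dec 22 19:03:19 raptor postfix/smtpd[25090]: 0AA00BB0001: client=mail.example.org[192.0.2.10]
Dec 22 19:03:19 raptor postfix/qmgr[23830]: 0AA00BB0001: from=<>, size=2100, nrcpt=1 (queue active)
Dec 22 19:03:19 raptor postfix/local[25091]: 0AA00BB0001: to=<alice@raptor.example>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# Only lines carrying a queue ID matter for correlation; connect/disconnect
# lines have no ID and are skipped by this pattern.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[a-z]+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
DELIV_RE = re.compile(
    r'to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), '
    r'status=(?P<status>\w+) \((?P<detail>.*)\)$')


def parse_log(text):
    """Group log lines by queue ID: who submitted it, envelope sender,
    per-recipient delivery results, and the ID of any bounce it spawned."""
    msgs = defaultdict(lambda: {"client": None, "sender": None,
                                "deliveries": [], "bounce_id": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = msgs[m.group("qid")], m.group("rest")
        if (c := re.match(r'client=(\S+)', rest)):
            rec["client"] = c.group(1)          # smtpd: message came in over SMTP
        elif (s := re.match(r'from=<([^>]*)>', rest)):
            rec["sender"] = s.group(1)          # qmgr: '' means the null sender <>
        elif (d := DELIV_RE.match(rest)):
            rec["deliveries"].append(d.groupdict())
        elif (b := re.match(r'sender non-delivery notification: ([0-9A-F]+)', rest)):
            rec["bounce_id"] = b.group(1)       # bounce daemon: NDN queue ID
    return dict(msgs)


def find_backscatter(msgs):
    """Return findings for the two backscatter indicators described above."""
    findings = []
    # (1) Messages we accepted at RCPT TO but then could not deliver because
    #     the domain's MX points back at us: should have been rejected inbound.
    for qid, rec in msgs.items():
        for d in rec["deliveries"]:
            if d["status"] == "bounced" and "loops back to myself" in d["detail"]:
                findings.append({"kind": "accepted-then-bounced", "qid": qid,
                                 "client": rec["client"],
                                 "domain": d["rcpt"].rsplit("@", 1)[-1],
                                 "bounce_id": rec["bounce_id"]})
    # (2) Null-sender messages that were generated locally (no smtpd client=
    #     line) and handed to an external SMTP relay ("host[addr]:port").
    for qid, rec in msgs.items():
        if rec["sender"] == "" and rec["client"] is None:
            for d in rec["deliveries"]:
                if d["status"] == "sent" and "[" in d["relay"]:
                    findings.append({"kind": "outbound-null-sender", "qid": qid,
                                     "relay": d["relay"], "rcpt": d["rcpt"]})
    return findings


if __name__ == "__main__":
    for f in find_backscatter(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against a real mail log (e.g. piping `/var/log/mail.log` into `parse_log`), every "accepted-then-bounced" finding names a domain that the server is accepting mail for without being able to deliver it, which is exactly the list to compare against `postconf -n` output for mydestination, relay_domains and the recipient restrictions. The inbound bounce from 192.0.2.10 is deliberately not flagged: it has a client= line and was delivered locally, which is the normal, wanted use of the null sender.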
