Are all of the username portions of the e-mail addresses legitimate e-mails?
I.e., it looks like you cleansed the domain portion, but, in the log, are
all, or most, of the e-mails legitimate?

I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.

If they are all legit, is the domain yours?  Or is it theirs?  (I.e., do you
host it as an ISP, or is this the only domain and you control it?)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com


> -----Original Message-----
> From: Sergio M [mailto:sergio...@gmail.com]
> Sent: Tuesday, March 01, 2011 4:25 PM
> To: QmailToaster List
> Subject: [qmailtoaster] SMTP attack
> 
> Hi there list,
> I have been under heavy traffic since Sunday, and it's been using all my
> inbound connections.
> I have a QMT updated box, running the latest spamdyke:
> # qtp-whatami
> qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
> DISTRO=CentOS
> OSVER=5.5
> QTARCH=x86_64
> QTKERN=2.6.18-194.32.1.el5
> BUILD_DIST=cnt5064
> BUILD_DIR=/usr/src/redhat
> This machine's OS is supported and has been tested.
> 
> 
> Even though spamdyke does not let the spammers relay the mail, I still
> get all the connections used, making it very hard for authenticated
> users to send mail.
> For now I stopped smtpd, but I want to see if you guys have some other
> thoughts to solve this.
> 
> If I look at the maillog, I see LOTS of entries like these:
> Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
> Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
> Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
> Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
> Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
> Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
> Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
> Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
> Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
> Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
> Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
> Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
> Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
> Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
> Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
> Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
> Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
> Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
> Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
> Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
> 
> So I guess some botnet is trying to relay mail by guessing a specific
> domain user's passwords. Most of the attempts are blocked by RBL
> checking, but that still creates a connection.
> 
> Looking at # cat /var/log/qmail/smtp/current | tai64nlocal:
> 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
> 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
> 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
> 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
> 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
> 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
> 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
> 2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
> 2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
> 2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
> 2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
> 2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
> 2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
> 2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
> 2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
> 2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
> 2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
> 2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
> 2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
> 2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
> 
> You can see how it got clogged with incoming connections.
> 
> So, any ideas or tips to help me solve this?
> As of now smtpd is stopped.
> 
> thanks a lot!
> -Sergio
> 



---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
     Please visit qmailtoaster.com for the latest news, updates, and packages.

      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
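The reply above asks whether the targeted usernames are real accounts, and the quoted log shows the two line shapes that matter for answering it: vpopmail's "vchkpw-smtp: password fail (pass: '...') user@domain:IP" and spamdyke's "FILTER_* ip: A.B.C.D" rejections. The script below is an added example, not code from this thread or from the QmailToaster project: it parses a few constructed lines in that format (names, domains and addresses are made up), counts failures per source IP and per target user, flags targeted users that are not in an operator-supplied list of real accounts, notes how many distinct passwords and source IPs each user sees (one password replayed from many IPs versus many passwords for one user), lists sources that appear in both a spamdyke rejection and an AUTH failure (in the posted log those are separate PIDs, so possibly separate connections), and renders IPs over a threshold one per line, which is assumed to be the form spamdyke's ip-blacklist file takes.

```python
"""Triage an SMTP AUTH brute-force from a qmail/vpopmail/spamdyke maillog.

Added example; the regexes follow the line formats quoted in the thread,
and the sample log is constructed (all names and addresses are made up).
"""
import re
from collections import Counter, defaultdict

# vpopmail auth-failure line; vchkpw writes the attempted password in the clear.
FAIL_RE = re.compile(
    r"vchkpw-smtp: password fail \(pass: '(?P<password>[^']*)'\) "
    r"(?P<user>[^:\s]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
# spamdyke rejection line (FILTER_RBL_MATCH, FILTER_RDNS_RESOLVE, FILTER_BLACKLIST_IP, ...).
SPAMDYKE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<filter>FILTER_[A-Z_]+) ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample in the thread's log format (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 203.0.113.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') alice@example.com:198.51.100.7
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 203.0.113.11 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:39 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') bob@example.com:198.51.100.8
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') alice@example.com:198.51.100.9
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') alice@example.com:198.51.100.7
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 198.51.100.9 rdns: host.example.net
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') bob@example.com:198.51.100.7
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'pa55word') carol@example.com:198.51.100.7
Feb 27 14:57:43 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'password1') carol@example.com:198.51.100.7
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') alice@example.com:198.51.100.8
"""


def parse_maillog(lines):
    """Return (auth_failures, spamdyke_rejects).

    auth_failures: list of (user, password, source_ip) tuples.
    spamdyke_rejects: Counter of source_ip -> number of FILTER_* rejections.
    """
    failures = []
    rejects = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures.append((m["user"], m["password"], m["ip"]))
            continue
        m = SPAMDYKE_RE.search(line)
        if m:
            rejects[m["ip"]] += 1
    return failures, rejects


def summarize(failures, rejects, threshold=3, known_users=None):
    """Aggregate failures into the numbers an operator needs for triage.

    known_users: optional set of real local addresses (for example taken from
    vpopmail's user list); targeted users outside it are reported as unknown.
    threshold: failures from one IP at or above which it becomes a blacklist
    candidate.
    """
    per_ip = Counter(ip for _, _, ip in failures)
    per_user = Counter(user for user, _, _ in failures)
    passwords = defaultdict(set)
    sources = defaultdict(set)
    for user, password, ip in failures:
        passwords[user].add(password)
        sources[user].add(ip)
    return {
        "fails_per_ip": dict(per_ip),
        "fails_per_user": dict(per_user),
        # one password replayed from many IPs versus many passwords for one user
        "distinct_passwords_per_user": {u: len(p) for u, p in passwords.items()},
        "distinct_ips_per_user": {u: len(s) for u, s in sources.items()},
        # targeted users that are not real local accounts (if a list was given)
        "unknown_users": sorted(u for u in per_user
                                if known_users is not None and u not in known_users),
        # sources seen both in a spamdyke rejection and in an AUTH failure
        "filtered_and_tried_auth": sorted(set(rejects) & set(per_ip)),
        "blacklist_candidates": sorted(ip for ip, n in per_ip.items() if n >= threshold),
    }


def blacklist_lines(summary):
    """Render candidates one address per line (assumed ip-blacklist format)."""
    return "".join(ip + "\n" for ip in summary["blacklist_candidates"])


if __name__ == "__main__":
    failures, rejects = parse_maillog(SAMPLE_LOG.splitlines())
    report = summarize(failures, rejects, threshold=3,
                       known_users={"alice@example.com", "bob@example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
    print("ip-blacklist additions:\n" + blacklist_lines(report), end="")
```

On a real box the input would be /var/log/maillog (the vpopmail and spamdyke lines are on single lines there; the copies in the thread are only wrapped by the mail client), and the known-user set would come from vpopmail's own account listing for the domain. Blacklisting single IPs only buys time against a botnet of this shape; the per-user numbers are what tell you whether a password needs changing.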

