Good day all..

I'm encountering some rather annoying problems with my mail server. It appears as though someone is trying rather desperately to relay through my mail server, and using multiple boxes from all over the place to do it. They are all directed at pacbell.net and they're all from the commonly faked mail from:'s (ie: hotmail, mindspring, earthlink)

Logs:

Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idapaulat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idapaulat_private>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idarat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idarat_private>
Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idbyebyeat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idbyebyeat_private>
Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idcat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idcat_private>
--
Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortonsat_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gortonsat_private>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2at_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gos2at_private>
Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaintsat_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gosaintsat_private>
Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <goseniorat_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<goseniorat_private>
--
Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardiat_private>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4at_private> to=<jgerardiat_private>
Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfenat_private>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4at_private> to=<jgerfenat_private>
Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerkeat_private>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4at_private> to=<jgerkeat_private>
--

And so on.. They seem pretty determined to relay, I dunno why, it ain't gonna happen. This seems to happen once a month or so, obviously from a variety of addresses. It almost looks suspiciously like these various machines have either been hacked or they're hiring out their bandwidth to a spammer.

Any suggestions for tracking this down or should I just ignore it? It's not a real drain on my bandwidth or server capacity, the frequency isn't bothersome, just the log entries get annoying after a while. It doesn't help matters by having all the sources be out of the US, it makes it more difficult to track down.

Thanks folks..

- Christopher Wagner
chriswat_private

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116
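
One way to condense reject entries like those quoted above into a per-client summary that is easier to review than the raw log. This is an added example, not part of the original post; the function names and the 192.0.2.10 "connect" line are made up for illustration, and the other sample lines are copied from the message.

```python
import re
from collections import defaultdict

# Postfix smtpd "Relay access denied" reject lines, in the format quoted in the post.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\sreject:\sRCPT\sfrom\s"
    r"(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]:\s554\s.*?Relay access denied;\s"
    r"from=<(?P<sender>[^>]*)>\sto=<(?P<rcpt>[^>]*)>"
)

# Six reject lines copied from the post, plus one constructed non-reject line.
SAMPLE_LOG = """\
Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortonsat_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gortonsat_private>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2at_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gos2at_private>
Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaintsat_private>: Recipient address rejected: Relay access denied; from=<r275rmd0bat_private> to=<gosaintsat_private>
Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idapaulat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idapaulat_private>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idarat_private>: Recipient address rejected: Relay access denied; from=<t1p2dj10xat_private> to=<idarat_private>
Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardiat_private>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4at_private> to=<jgerardiat_private>
Feb 25 07:13:01 goober postfix/smtpd[31398]: connect from unknown[192.0.2.10]
"""

def summarize_relay_rejects(lines):
    """Group relay rejects by client IP: hostname, count, senders, first/last timestamp."""
    summary = defaultdict(lambda: {"host": None, "count": 0, "senders": set(),
                                   "first": None, "last": None})
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # skip anything that is not a relay reject
        entry = summary[m["ip"]]
        entry["host"] = m["host"]
        entry["count"] += 1
        entry["senders"].add(m["sender"])
        entry["first"] = entry["first"] or m["ts"]  # assumes chronological log order
        entry["last"] = m["ts"]
    return dict(summary)

def repeat_clients(summary, min_rejects=2):
    """Client IPs with at least min_rejects relay rejects, busiest first."""
    hits = [ip for ip, e in summary.items() if e["count"] >= min_rejects]
    return sorted(hits, key=lambda ip: (-summary[ip]["count"], ip))

if __name__ == "__main__":
    report = summarize_relay_rejects(SAMPLE_LOG.splitlines())
    for ip in repeat_clients(report):
        e = report[ip]
        print(f"{ip:15} {e['host']:25} rejects={e['count']} {e['first']} .. {e['last']}")
```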
This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 07:44:10 PST