I saw the same thing for a while last year.. I just blocked most of the IP
address range for Asia. All of a sudden I didn't see it any more..

On Thu, 27 Feb 2003, Christopher Wagner wrote:

> Good day all..
>
> I'm encountering some rather annoying problems with my mail server.
>
> It appears as though someone is trying rather desperately to relay through
> my mail server, and using multiple boxes from all over the place to do it.
> They are all directed at pacbell.net and they're all from the commonly faked
> mail from:'s (ie: hotmail, mindspring, earthlink)
>
> Logs:
>
> Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idapaulat_private>: Recipient address
> rejected: Relay access denied; from=<t1p2dj10xat_private>
> to=<idapaulat_private>
> Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idarat_private>: Recipient address rejected:
> Relay access denied; from=<t1p2dj10xat_private> to=<idarat_private>
> Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idbyebyeat_private>: Recipient address
> rejected: Relay access denied; from=<t1p2dj10xat_private>
> to=<idbyebyeat_private>
> Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idcat_private>: Recipient address rejected:
> Relay access denied; from=<t1p2dj10xat_private> to=<idcat_private>
> --
> Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortonsat_private>: Recipient
> address rejected: Relay access denied; from=<r275rmd0bat_private>
> to=<gortonsat_private>
> Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2at_private>: Recipient
> address rejected: Relay access denied; from=<r275rmd0bat_private>
> to=<gos2at_private>
> Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaintsat_private>:
> Recipient address rejected: Relay access denied;
> from=<r275rmd0bat_private> to=<gosaintsat_private>
> Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <goseniorat_private>:
> Recipient address rejected: Relay access denied;
> from=<r275rmd0bat_private> to=<goseniorat_private>
> --
> Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardiat_private>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4at_private> to=<jgerardiat_private>
> Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfenat_private>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4at_private> to=<jgerfenat_private>
> Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerkeat_private>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4at_private> to=<jgerkeat_private>
> --
> And so on.. They seem pretty determined to relay, I dunno why, it ain't
> gonna happen. This seems to happen once a month or so, obviously from a
> variety of addresses. It almost looks suspiciously like these various
> machines have either been hacked or they're hiring out their bandwidth to a
> spammer.
>
> Any suggestions for tracking this down or should I just ignore it? It's not
> a real drain on my bandwidth or server capacity, the frequency isn't
> bothersome, just the log entries get annoying after awhile. It doesn't help
> matters by having all the sources be out of the US, it makes it more
> difficult to track down.
>
> Thanks folks..
>
> - Christopher Wagner
> chriswat_private
>
> Packaging Aids Corporation - Information Systems
> P.O. Box 9144
> San Rafael, CA 94912-9144
> http://www.pacaids.com/
> (415) 454-4868 x116
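
One way to summarize relay-denied rejects per source from a Postfix log in the format quoted above, so an operator can see which clients are worth blocking or reporting. This is an added example, not part of the original messages; the sample log lines, addresses, function name and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the Postfix smtpd "Relay access denied" reject format shown in the thread.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from "
    r"(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 .*?"
    r"Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample input (documentation IP ranges, example domains).
SAMPLE_LOG = """\
Feb 25 07:12:02 mx postfix/smtpd[31398]: reject: RCPT from unknown[192.0.2.10]: 554 <a@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<a@example.net>
Feb 25 07:12:08 mx postfix/smtpd[31398]: reject: RCPT from unknown[192.0.2.10]: 554 <b@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<b@example.net>
Feb 25 07:12:13 mx postfix/smtpd[31398]: reject: RCPT from unknown[192.0.2.10]: 554 <c@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<c@example.net>
Feb 25 07:12:19 mx postfix/smtpd[31398]: reject: RCPT from unknown[192.0.2.10]: 554 <d@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<d@example.net>
Feb 25 07:12:20 mx postfix/smtpd[31399]: connect from host.example.org[203.0.113.5]
Feb 25 07:12:25 mx postfix/smtpd[31400]: reject: RCPT from dial.example.org[198.51.100.7]: 554 <e@example.net>: Recipient address rejected: Relay access denied; from=<y2@example.com> to=<e@example.net>
Feb 25 07:12:30 mx postfix/smtpd[31400]: reject: RCPT from dial.example.org[198.51.100.7]: 554 <f@example.net>: Recipient address rejected: Relay access denied; from=<y2@example.com> to=<f@example.net>
"""

def summarize_relay_attempts(log_text, threshold=3):
    """Group relay-denied rejects by client IP and return the sources with at
    least `threshold` attempts, busiest first. The threshold is an assumption;
    tune it to the normal noise level of the server."""
    stats = defaultdict(lambda: {"host": "", "count": 0,
                                 "senders": set(), "rcpt_domains": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # other smtpd events (connects, other reject reasons)
        entry = stats[m["ip"]]
        entry["host"] = m["host"]
        entry["count"] += 1
        entry["senders"].add(m["sender"])
        # Track targeted domains: one domain hit from many IPs suggests one campaign.
        entry["rcpt_domains"].add(m["rcpt"].rpartition("@")[2].lower())
    flagged = {ip: e for ip, e in stats.items() if e["count"] >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]["count"]))

if __name__ == "__main__":
    for ip, e in summarize_relay_attempts(SAMPLE_LOG).items():
        print(f"{ip} ({e['host']}): {e['count']} relay attempts, "
              f"targets={sorted(e['rcpt_domains'])}")
```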
This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 11:19:16 PST