LinuxQuestions.org
Old 04-11-2005, 11:58 PM   #1
nmolinos
LQ Newbie
 
Registered: Nov 2003
Location: Richmond, VA
Distribution: Slackware
Posts: 29

Rep: Reputation: 15
sendmail getting hammered


Hi,
Starting a few days ago, I have been getting severely hit by spamming software of some sort, which tries connecting to my mail servers (primary and secondary) and sending mail to <Random Text>@mydomain.com. It is always the same domain (mydomain.com), and always a bogus random username. It has really gotten on my nerves, as I have no idea how to stop this since all the incoming connections originate from distinct relays. Here is a small excerpt from my maillog:

Apr 12 00:25:55 srv01 sendmail[4352]: j3C4Psh1004352: from=<>, size=15943, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx2.ouvaton.net [84.207.3.37]
Apr 12 00:25:55 srv01 sendmail[4350]: j3C4PtID004350: <jumddulw@mydomain.com>... User unknown
Apr 12 00:25:55 srv01 sendmail[4350]: j3C4PtID004350: from=<>, size=10425, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=powerbox.prohost.de [216.71.84.99]
Apr 12 00:25:58 srv01 sendmail[4351]: j3C4PwVc004351: <drfpdkt@mydomain.com>... User unknown
Apr 12 00:25:58 srv01 sendmail[4351]: j3C4PwVc004351: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.petro-chemusa.com [216.132.160.226] (may be forged)
Apr 12 00:25:59 srv01 sendmail[4353]: j3C4Pv8g004353: <qyslsyuhrjb@mydomain.com>... User unknown
Apr 12 00:25:59 srv01 sendmail[4353]: j3C4Pv8g004353: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=ktk3-094.ktknet.net [210.89.3.94]
Apr 12 00:26:04 srv01 sendmail[4354]: j3C4Q4Ft004354: <kltloecuzdpgdr@mydomain.com>... User unknown
Apr 12 00:26:05 srv01 sendmail[4354]: j3C4Q4Ft004354: from=<>, size=17734, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx11.bezeqint.net [192.115.106.18]
Apr 12 00:26:08 srv01 sendmail[4355]: j3C4Q8Ce004355: <ddxxyylbf@mydomain.com>... User unknown
Apr 12 00:26:09 srv01 sendmail[4355]: j3C4Q8Ce004355: from=<>, size=16152, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=anchor-post-36.mail.demon.net [194.217.242.86]



I am running the latest (8.13.4) version of sendmail and am not set up to relay for any domains on the primary mail server (which is getting hit the worst).

This has been going on for some time, and the number of attempts is upwards of 6,000 now. If anybody has any ideas/insight/experience with this, I would greatly appreciate hearing from you. Thanks.

Last edited by nmolinos; 04-12-2005 at 01:53 AM.
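Added example, not from this thread or from sendmail itself: a small Python script that joins the two maillog lines sendmail writes per message by queue id, then reports how many "User unknown" rejections arrived with the null envelope sender (from=<>, the sender that bounce messages use) and from how many distinct relay IPs, so the pattern in the excerpt above can be quantified rather than eyeballed. The sample log (four lines taken from the post plus one made-up message with a real sender), the regexes and the thresholds are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: sendmail writes two lines per message. The first four are
# from the post above; the last pair is made up to show a non-null sender.
SAMPLE_LOG = """\
Apr 12 00:25:55 srv01 sendmail[4350]: j3C4PtID004350: <jumddulw@mydomain.com>... User unknown
Apr 12 00:25:55 srv01 sendmail[4350]: j3C4PtID004350: from=<>, size=10425, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=powerbox.prohost.de [216.71.84.99]
Apr 12 00:25:58 srv01 sendmail[4351]: j3C4PwVc004351: <drfpdkt@mydomain.com>... User unknown
Apr 12 00:25:58 srv01 sendmail[4351]: j3C4PwVc004351: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.petro-chemusa.com [216.132.160.226] (may be forged)
Apr 12 00:26:10 srv01 sendmail[4360]: j3C4QAxx004360: <bob@mydomain.com>... User unknown
Apr 12 00:26:10 srv01 sendmail[4360]: j3C4QAxx004360: from=<alice@example.org>, size=1200, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
"""

UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): <(?P<rcpt>[^>]+)>\.\.\. User unknown")
ENVELOPE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]")

def parse_rejections(log_text):
    """Join each 'User unknown' line to its envelope line via the queue id and
    return one dict per rejected recipient: rcpt, sender, relay, ip."""
    rcpts, envelopes = {}, {}
    for line in log_text.splitlines():
        if m := UNKNOWN_RE.search(line):
            rcpts.setdefault(m["qid"], []).append(m["rcpt"])
        elif m := ENVELOPE_RE.search(line):
            envelopes[m["qid"]] = m.groupdict()
    return [dict(rcpt=r, sender=env["sender"], relay=env["relay"], ip=env["ip"])
            for qid, env in envelopes.items() for r in rcpts.get(qid, [])]

def summarize(events):
    """Count rejections, how many carry the null envelope sender (from=<>, the
    sender bounces/DSNs use), how many distinct relay IPs, and the busiest IPs."""
    per_ip = Counter(e["ip"] for e in events)
    return {"total": len(events),
            "null_sender": sum(1 for e in events if e["sender"] == ""),
            "distinct_ips": len(per_ip),
            "top_ips": per_ip.most_common(5)}

def assess(summary, min_events=50, null_ratio=0.9):
    """Heuristic verdict; the thresholds are example values, tune to your volume."""
    if summary["total"] < min_events:
        return "below threshold"
    null_share = summary["null_sender"] / summary["total"]
    spread = summary["distinct_ips"] / summary["total"]
    if null_share >= null_ratio and spread > 0.5:
        return "null-sender flood from many relays"
    if null_share >= null_ratio:
        return "null-sender flood from few relays"
    return "mixed senders"
```

Run it over `/var/log/maillog` instead of `SAMPLE_LOG`; a verdict of "few relays" is the case where blocking source IPs (as suggested later in the thread) actually helps, while "many relays" means per-IP blocking will not keep up.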
 
Old 04-12-2005, 05:04 AM   #2
linuxxed
Member
 
Registered: Feb 2004
Posts: 273

Rep: Reputation: 30
If you have not allowed any "relaying", then it should say "relaying denied" in the logs, which does not seem to be the case here. You might want to double-check who is and who is not allowed to relay.

If you are really getting hammered then use iptables to drop packets from that IP.
 
Old 04-12-2005, 05:15 AM   #3
nmolinos
LQ Newbie
 
Registered: Nov 2003
Location: Richmond, VA
Distribution: Slackware
Posts: 29

Original Poster
Rep: Reputation: 15
The only relaying that is allowed on that server is after sasl authentication.
I have double-checked on dnsreport.com and everything is perfect; either way, the mail is directed towards my domain, not an external one.

I would love to block them, but like I said, they are all coming in from unique mail servers:

tcp 0 0 mydomain.com:smtp 5-banet.com:4479 TIME_WAIT
tcp 0 0 mydomain.com:smtp 66-173-234-8.seria:1377 TIME_WAIT
tcp 0 0 mydomain.com:smtp mx3.noc.eunet-ag.:48435 TIME_WAIT
tcp 0 0 mydomain.com:smtp mail.aca.fr:3159 TIME_WAIT
tcp 0 0 mydomain.com:smtp acmrpp04.progressi:1069 TIME_WAIT
tcp 0 0 mydomain.com:smtp 66-173-234-8.seria:1377 TIME_WAIT
tcp 0 0 mydomain.com:smtp mx3.noc.eunet-ag.:48435 TIME_WAIT


I can't figure out what exactly this person (or persons) is trying to do. I was thinking maybe they were just trying to have my bounce messages act as spam, but there is never a From address given, so that can't be it.

Last edited by nmolinos; 04-12-2005 at 05:17 AM.
 
Old 04-12-2005, 06:21 AM   #4
linuxxed
Member
 
Registered: Feb 2004
Posts: 273

Rep: Reputation: 30
It may be that those mail servers are blacklisted ones. Try using the dnsbl feature of sendmail.
 
Old 04-12-2005, 07:26 PM   #5
nmolinos
LQ Newbie
 
Registered: Nov 2003
Location: Richmond, VA
Distribution: Slackware
Posts: 29

Original Poster
Rep: Reputation: 15
I've been using the RBL at Spamhaus.org, and some of the mail servers do get rejected, but most of them just reply with "User unknown"... any other ideas?