Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Hello, I view my /var/log/maillog and see tons of lines like this:
Apr 14 01:35:16 ns1 postfix/qmgr[13307]: AB33922B89D8: to=<buttonsing@yahoo.com.tw>, relay=none, delay=147008, delays=146024/984/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from 212.152.155.32 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html)
I think those are some kind of SMTP attack from this host, but I tried to block it with iptables and it seems to piss them off and they keep coming...!
Please, some kind of postfix-configuration solution?
This too, tons of those ms31 - ms100~ just keep flooding.
Actually this is a new dedicated server and I have installed the mail server today, but the domain name I'm using for my host is old... but wtf? Yahoo floods people? Why would they? How to block it, man? It's stuck my mail server...
Attacks from yahoo.com.tw or hinet.com or a million other IPs.
Anyway I have tried to ban them all by extracting the IPs from the maillog and banning them, but it seems to be useless, it doesn't do anything, except maybe that some of them say connection timed out...
These attacks occur only when Postfix is active, and the attacks are reflected in 20%wa taken by the server and all the queue slots being taken by the attackers' emails (postfix (qmgr) is overflowed, not letting authentic emails be received), so I tried to block the smtp port:
Code:
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p udp --dport 25 -j DROP
(:D I got mad so I started to invent some commands)
Furthermore, when looking in netstat after blocking smtp, no smtp record is found at all! Yet the attacks keep coming!
And it makes some changes, now the attacks seem to come from the inside (lol?) but the same side effects remain:
Code:
Apr 18 13:21:31 game postfix/smtp[4061]: BA8912100199: to=<lfzdkjnucjdl@ms28.hinet.net>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferr$
Apr 18 13:21:31 game postfix/smtp[4034]: connect to ms34a.hinet.net[168.95.5.34]: Connection timed out (port 25)
Notice after I blocked smtp it's like the smtp is trying to connect to something! And I cannot find in the whole log any connect from.
So is it something with the postfix? Virus? DDoS? How to block it? I'm working on this a week now and no one has a solution, nor can I find one on the internet.
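As an added example (not code from the thread or anyone in it), a small Python script that splits a Postfix maillog into inbound connections (postfix/smtpd "connect from" lines, the only traffic an iptables rule on port 25 could stop) and outbound deferred deliveries (postfix/smtp and postfix/qmgr "status=deferred" lines, which are the server's own queue retrying). The sample log lines are constructed in the format the thread shows, with documentation IPs (192.0.2.x).

```python
import re
from collections import Counter

# Constructed sample in the Postfix syslog format seen in the thread (not the poster's real log);
# 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
Apr 18 13:20:01 game postfix/smtpd[4001]: connect from unknown[192.0.2.10]
Apr 18 13:20:02 game postfix/smtpd[4001]: disconnect from unknown[192.0.2.10]
Apr 18 13:21:31 game postfix/smtp[4061]: BA8912100199: to=<user@ms28.hinet.net>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferred (connect to ms34a.hinet.net[192.0.2.34]: Connection timed out)
Apr 18 13:21:31 game postfix/smtp[4034]: connect to ms34a.hinet.net[192.0.2.34]: Connection timed out (port 25)
Apr 18 13:22:05 game postfix/qmgr[4010]: AB33922B89D8: to=<one@yahoo.com.tw>, relay=none, delay=147008, delays=146024/984/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended)
Apr 18 13:22:06 game postfix/qmgr[4010]: AB33922B89D8: to=<two@yahoo.com.tw>, relay=none, delay=147008, delays=146024/984/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ postfix/(?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
CONNECT_FROM_RE = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]")
DEFERRED_RE = re.compile(r"^[0-9A-F]+: to=<[^>@]*@(?P<domain>[^>]+)>.*status=deferred")

def classify(line):
    """Return (kind, key) for one maillog line, or None if it is not of interest.
    'inbound'           : a remote client connected to our smtpd, keyed by client IP
    'outbound_deferred' : our own queue retrying a delivery, keyed by destination domain"""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, msg = m.group("proc"), m.group("msg")
    if proc == "smtpd":
        c = CONNECT_FROM_RE.match(msg)
        return ("inbound", c.group("ip")) if c else None
    if proc in ("smtp", "qmgr"):
        d = DEFERRED_RE.match(msg)
        return ("outbound_deferred", d.group("domain").lower()) if d else None
    return None

def summarize(log_text):
    """Count inbound connections per client IP and deferred outbound deliveries per destination domain."""
    inbound, deferred = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, key = hit
        (inbound if kind == "inbound" else deferred)[key] += 1
    return {"inbound_per_ip": dict(inbound), "deferred_per_domain": dict(deferred)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against /var/log/maillog: a large deferred_per_domain count with a small inbound_per_ip count means the load is queued outbound mail being retried, not new connections arriving.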
This looks like spam. Is that really active? How many requests per second do you get?
Blocking all input/output to port 25 will not help at all; if you're using your own server, you'll be unable to use it further. And you don't need to block UDP port 25, it has nothing to do with your issue.
This usually is made by Windows computers infected with spam viruses. What you need to do is to install spam filters. The IPs you are being connected from are usually listed in spam blacklists, so spam filters will stop that data from reaching the mail server.
Using exim instead of postfix is like trying to use one sword instead of another when fighting against firearms. It won't have any effect at all; you will still have those connections. You need a spam filter.
Hey, I have installed SpamAssassin and it doesn't seem to help (: I don't think that this is spam, I'm getting about 50 messages per second, it's something crazy. Anyway maybe you meant something else? Another spam filter?
Are you sure the traffic is actually going through SpamAssassin? And not just running on the side?
EDIT: Try to open your master.cf config file for Postfix and search for a line starting with "smtp inet ....." and verify it ends with "... -o content_filter=spamd".
spamd is just a defined entry and might be something else in your setup.
The spamd should then be defined somewhere else in the config file: "spamd unix - n ...."
It looks like an outgoing message. Is it the same message or several? Maybe it is just a small amount that is being redelivered because of the connection timeout.
You might have been blocked at ms34a.hinet.net[168.95.5.34] because of the spam. Hope you don't end up on a blacklist, because they should be pretty hard to get back off.
Try "mailq" and "postcat" to see your mail queue. You should be able to delete it with "postsuper".
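Following the mailq/postsuper suggestion above, an added example (not from the thread) that parses mailq output and lists the queue IDs of deferred messages addressed to a given domain, in the one-ID-per-line form that "postsuper -d -" reads from standard input. The queue listing is constructed (documentation IPs, made-up queue IDs); active (*) and held (!) entries are skipped so only stuck deferred mail is listed.

```python
import re
import sys

# Constructed sample of Postfix "mailq" output (not the poster's queue); 192.0.2.x are documentation addresses.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
BA8912100199      1057 Sun Apr 18 13:18:32  fylefrbt@rnjti.com
(connect to ms34a.hinet.net[192.0.2.34]: Connection timed out)
                                         lfzdkjnucjdl@ms28.hinet.net

AB33922B89D8*     2048 Wed Apr 14 01:35:16  sender@example.com
                                         buttonsing@yahoo.com.tw

C0FFEE000001      1500 Sun Apr 18 13:19:02  someone@example.com
(host mx.example.net[192.0.2.50] said: 421 try later)
                                         alice@example.net
                                         bob@ms31.hinet.net

-- 5 Kbytes in 3 Requests.
"""

# A queue line starts with the hex queue ID, optionally followed by '*' (active) or '!' (held), then the size.
QUEUE_LINE_RE = re.compile(r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+\d+\s+")

def parse_mailq(text):
    """Return [(queue_id, flag, [recipients...]), ...]; flag is '' for deferred, '*' active, '!' held."""
    entries = []
    for line in text.splitlines():
        m = QUEUE_LINE_RE.match(line)
        if m:
            entries.append((m.group("qid"), m.group("flag"), []))
        elif entries and line.startswith(" ") and "@" in line:  # indented recipient line
            entries[-1][2].append(line.strip().lower())
    return entries

def deferred_ids_for_domain(text, domain):
    """Queue IDs of deferred (not active, not held) messages with a recipient at domain or a subdomain of it."""
    domain = domain.lower()
    ids = []
    for qid, flag, rcpts in parse_mailq(text):
        rcpt_domains = [r.rsplit("@", 1)[-1] for r in rcpts]
        if not flag and any(d == domain or d.endswith("." + domain) for d in rcpt_domains):
            ids.append(qid)
    return ids

if __name__ == "__main__":  # usage: mailq | python3 queue_triage.py hinet.net | postsuper -d -
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_MAILQ
    print("\n".join(deferred_ids_for_domain(text, sys.argv[1] if len(sys.argv) > 1 else "hinet.net")))
```

The script only lists IDs; inspect a few with "postcat -q ID" before piping the list into "postsuper -d -".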
Hey man, thanks for the help, just want to understand something,
why when I'm banning them all and even closing the smtp port (25) are they still coming? How is it possible? Where are they coming in from?
I installed SpamAssassin but I don't know how to check if it's working correctly, it is active and updated and master.cf is ok... maybe I should write rules or something? Because it doesn't seem to affect the logs or the load of the server.
Edit:
Code:
Apr 18 20:48:58 game3 spamd[6160]: spamd: identified spam (10.5/5.0) for spamfilter:598 in 7.0 seconds, 1057 bytes.
Apr 18 20:48:58 game3 spamd[6160]: spamd: result: Y 10 - FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_SORBS_WEB,$
Apr 18 20:48:58 game3 postfix/smtpd[6335]: disconnect from unknown[121.35.166.220]
Apr 18 20:48:58 game3 spamd[6406]: spamd: identified spam (7.5/5.0) for spamfilter:598 in 2.0 seconds, 1057 bytes.
Apr 18 20:48:58 game3 spamd[6406]: spamd: result: Y 7 - DKIM_ADSP_NXDOMAIN,FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,NO_DNS_FOR_FROM,RCVD_IN_BRBL_LASTEXT,RCVD_IN_P$
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBBI
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBII
Apr 18 20:48:58 game3 spamd[6154]: prefork: adjust: 3 idle children more than 2 maximum idle children. Decreasing spamd children: 6407 killed.
Apr 18 20:48:58 game3 sendmail[6292]: o3IHmwsY006292: Authentication-Warning: : spamfilter set sender to fylefrbt@rnjti.com using -f
Apr 18 20:48:58 game3 spamd[6154]: spamd: handled cleanup of child pid [6407] due to SIGCHLD: interrupted, signal 2 (0002)
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBI
Surely SpamAssassin is working, but it seems like it has been assassinated by the spam lol.
I don't see any immediate improvement...