Help! Taiwan is Raping My Postfix Mail Server

jhwilliams · 09-05-2009, 07:35 PM

Yesterday I setup a Postfix mail server on Debian Lenny, with TLS and basic (non-SASL) authentication. I was gone for a bit, and when I looked this evening, all hell had broken lose. mail.info, mail.err, syslog are all 15M in size with lines like the below:

Code:

Sep  5 17:31:49 sage postfix/smtp[28166]: connect to spam.hcct.gov.tw[163.29.139.25]:25: Connection timed out
Sep  5 17:31:51 sage postfix/smtpd[28544]: disconnect from 124-11-193-129.dynamic.tfn.net.tw[124.11.193.129]
Sep  5 17:31:58 sage postfix/smtpd[28425]: connect from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]
Sep  5 17:31:58 sage postfix/smtp[28179]: connect to d.mx.mail.yahoo.com[68.142.202.247]:25: Connection timed out
Sep  5 17:31:58 sage postfix/smtp[28192]: connect to mail.thps.tp.edu.tw[74.125.53.121]:25: Connection timed out
Sep  5 17:31:58 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <tac2@mail.oop.gov.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<tac2@mail.oop.gov.tw> proto=SMTP helo=<myip>
Sep  5 17:31:58 sage postfix/smtp[28192]: E8E0C46712: to=<cnini@mail.thps.tp.edu.tw>, relay=none, delay=1233, delays=978/225/30/0, dsn=4.4.1, status=deferred (connect to mail.thps.tp.edu.tw[74.125.53.121]:25: Connection timed out)
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <senglee@tcpa.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<senglee@tcpa.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <kingter@sirweb.shps.kh.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<kingter@sirweb.shps.kh.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:31:59 sage postfix/smtp[28173]: connect to mx2.url.com.tw[210.59.228.65]:25: Connection timed out
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <s50305@linux.yhes.tpc.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<s50305@linux.yhes.tpc.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:31:59 sage postfix/smtp[28215]: connect to mail.tyai.tyc.edu.tw[60.250.229.252]:25: Connection timed out
Sep  5 17:31:59 sage postfix/smtp[28215]: E8E0C46712: to=<hweng@mail.tyai.tyc.edu.tw>, relay=none, delay=1234, delays=978/226/30/0, dsn=4.4.1, status=deferred (connect to mail.tyai.tyc.edu.tw[60.250.229.252]:25: Connection timed out)
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <natascha@mail.cpjh.tpc.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<natascha@mail.cpjh.tpc.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <iis-seminar@iis.sinica.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<iis-seminar@iis.sinica.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:31:59 sage postfix/smtp[28225]: connect to mx1.url.com.tw[211.20.183.36]:25: Connection timed out
Sep  5 17:31:59 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <a030023@apple.cmu.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<a030023@apple.cmu.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:32:00 sage postfix/smtp[28175]: connect to ms23a.hinet.net[168.95.5.23]:25: Connection timed out
Sep  5 17:32:00 sage postfix/smtpd[28425]: NOQUEUE: reject: RCPT from 124-11-193-131.dynamic.tfn.net.tw[124.11.193.131]: 554 5.7.1 <sljh@ms2.sljh.tcc.edu.tw>: Relay access denied; from=<ayqjphahmcfkdtooi@wretch.twbbs.org> to=<sljh@ms2.sljh.tcc.edu.tw> proto=SMTP helo=<myip>
Sep  5 17:32:00 sage postfix/smtp[28175]: E8E0C46712: to=<atylor@ms23.hinet.net>, relay=none, delay=1234, delays=978/227/30/0, dsn=4.4.1, status=deferred (connect to ms23a.hinet.net[168.95.5.23]:25: Connection timed out)

As far as I can tell, the only common theme is that the requests originate from Taiwan. There are .gov.tw, .edu.tw, .com.tw -- the full spectrum.

What is going on, and how do I tell these people to leave me alone? I'd like to fix the problem to the point where this nonsense simply doesn't even show up in my logs. I am brand spanking new to mail server administration, and was not expecting this type of thing!

TB0ne · 09-06-2009, 08:55 AM

Quote:

Originally Posted by jhwilliams

Yesterday I setup a Postfix mail server on Debian Lenny, with TLS and basic (non-SASL) authentication. I was gone for a bit, and when I looked this evening, all hell had broken lose. mail.info, mail.err, syslog are all 15M in size with lines like the below:

As far as I can tell, the only common theme is that the requests originate from Taiwan. There are .gov.tw, .edu.tw, .com.tw -- the full spectrum.

What is going on, and how do I tell these people to leave me alone? I'd like to fix the problem to the point where this nonsense simply doesn't even show up in my logs. I am brand spanking new to mail server administration, and was not expecting this type of thing!

Tell them? Good luck...even if you did manage to get in touch with someone, they probably won't care.

The best thing I can suggest is to set up Postfix to not allow relays like you've got it now. These links:

http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix-jp.info/origdocs/antispam-en.html

These cover blacklists and friend-only relay setups. Basically, set up your postfix to only allow incoming mail from servers that YOU allow, and reject everything else. China and Taiwan are some of the biggest spam-email producers in the world, and like all spammers, look for open relay hosts to shovel out their emails.

kbp · 09-08-2009, 11:06 PM

Postfix also supports policy daemons, they can reduce your cpu and network overheads enormously as the connection can be dropped and the mail doesn't need to be accepted/processed

cheers

unixfool · 09-09-2009, 10:08 AM

I don't believe that his mail server is an open relay because each of his log entries provided by him state the following:

Relay access denied
Connection timed out

His issue is the fact that the relay attempts are being logged and an attempt at processing is made. An open relay would mean the relay attempts are successful.

Just clarifying...

CaptainInsane · 09-09-2009, 06:55 PM

Search for Fail2ban in the forums here. That might help you out.

unixfool · 09-10-2009, 07:24 AM

Quote:

Originally Posted by CaptainInsane

Search for Fail2ban in the forums here. That might help you out.

The connections are timing out and there is no mail being relayed, from looking at his log snippet. This is more a configuration issue than a security issue, IMO. He needs to find some way of blocking out all the spam mail attempts. I don't believe Fail2ban is designed to tackle his issue, but I may be wrong.

jhwilliams · 09-17-2009, 09:54 PM

Quote:

Originally Posted by CaptainInsane

Search for Fail2ban in the forums here. That might help you out.

Well, fail2ban is a good idea anyway. I think I can probably get it to help me out, too.

Smartpatrol · 09-17-2009, 10:22 PM

jhwilliams · 09-17-2009, 10:41 PM

Ah! Good idea.

Code:

ALL: .mil

;-)