LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
#1, 09-01-2013, 11:43 PM
psycroptic (Member; registered Aug 2011; location USA; distribution ArchLinux - 3.0 kernel; 349 posts)
pretty sure my mail server is being spam-assaulted... worry?


Bear in mind that I've had a working mail server for ~2 months, so I'm new at it.

It's Postfix running on a Linux desktop behind a router. For the past 30 minutes, I'm getting a barrage of packets showing up in the logs like so:

Code:
Sep 01 23:15:54 MAILSERVERNAME postfix/smtpd[736]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:55 MAILSERVERNAME postfix/smtpd[738]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:55 MAILSERVERNAME postfix/smtpd[741]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:56 MAILSERVERNAME postfix/smtpd[740]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[730]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[730]: warning: Connection rate limit exceeded: 16 from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214] for service smtp
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[730]: disconnect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[744]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[744]: warning: Connection rate limit exceeded: 17 from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214] for service smtp
Sep 01 23:15:57 MAILSERVERNAME postfix/smtpd[744]: disconnect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 MAILSERVERNAME postfix/smtpd[734]: lost connection after AUTH from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 MAILSERVERNAME postfix/smtpd[734]: disconnect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 MAILSERVERNAME postfix/smtpd[735]: lost connection after AUTH from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 MAILSERVERNAME postfix/smtpd[735]: disconnect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 MAILSERVERNAME postfix/smtpd[736]: lost connection after AUTH from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
I have a connection limit of 15/minute/IP as it's just a personal server with 2 accounts, and I can see that it's being maxed out. In fact, at the moment it's currently 478 past 15 from this 1 IP. I eventually just set up an iptables rule on the mail server that drops packets with source 80.33.151.214.

So is this something I should worry about? Can I maybe contact whoever is the ISP for this address to maybe get them to stop?
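The check the original poster did by eye (count connections and AUTH drops per client IP in the Postfix log, then block the worst offender) can be scripted. The block below is an added example, not code from the thread: it reads standard Postfix smtpd log lines on stdin, tallies connects, "lost connection after AUTH" drops and anvil rate-limit warnings per client IP, and prints an iptables DROP rule (without executing it) for any client at or above a threshold. The sample log is constructed for the example; the host names "mail" and "mx.example.net", the address 192.0.2.10, the threshold of 2 and the tcp/25-only scope of the generated rule are all my choices, while 80.33.151.214 is the address from the thread.

```shell
#!/bin/sh
# Added example: summarise a Postfix smtpd log per client IP and emit a block
# rule for clients that hammer the AUTH stage. Not part of the original post.

# Constructed sample log, modelled on the lines quoted in the thread.
sample_log() {
cat <<'EOF'
Sep 01 23:15:54 mail postfix/smtpd[736]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:55 mail postfix/smtpd[738]: connect from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:57 mail postfix/smtpd[730]: warning: Connection rate limit exceeded: 16 from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214] for service smtp
Sep 01 23:15:58 mail postfix/smtpd[734]: lost connection after AUTH from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:15:58 mail postfix/smtpd[735]: lost connection after AUTH from 214.Red-80-33-151.staticIP.rima-tde.net[80.33.151.214]
Sep 01 23:16:02 mail postfix/smtpd[740]: connect from mx.example.net[192.0.2.10]
Sep 01 23:16:03 mail postfix/smtpd[740]: disconnect from mx.example.net[192.0.2.10]
EOF
}

# smtpd_report: read a Postfix log on stdin and print, per client IP, sorted:
#   <ip> <connects> <auth_drops> <ratelimit_warnings>
smtpd_report() {
  awk '
    # only smtpd lines that name a client as "... from host[ip]"
    / postfix\/smtpd\[[0-9]+\]: .* from [^ ]+\[[0-9a-fA-F.:]+\]/ {
      ip = $0
      sub(/.*\[/, "", ip)   # drop everything up to the last "[" (the IP one)
      sub(/\].*/, "", ip)   # drop the closing "]" and any trailing text
      if ($0 ~ /: connect from /)                   connects[ip]++
      if ($0 ~ /lost connection after AUTH from /)  authdrops[ip]++
      if ($0 ~ /Connection rate limit exceeded: /)  ratelimit[ip]++
      seen[ip] = 1
    }
    END {
      for (ip in seen)
        printf "%s %d %d %d\n", ip, connects[ip], authdrops[ip], ratelimit[ip]
    }' | sort
}

# flag_abusers MIN: for each client whose AUTH drops or rate-limit warnings
# reach MIN, print the iptables rule an admin would apply. The rule is printed,
# not executed, so the output can be reviewed first. The tcp/25 scope is this
# example's choice; the thread's own rule dropped all packets from the source.
flag_abusers() {
  min="$1"
  smtpd_report | awk -v min="$min" '
    $3 >= min || $4 >= min {
      printf "iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n", $1
    }'
}

# Demo run on the constructed sample; on a real box feed the journal or
# /var/log/mail.log instead, e.g.: journalctl -u postfix | smtpd_report
sample_log | smtpd_report
sample_log | flag_abusers 2
```

Connections that were refused by the anvil rate limit still appear as "connect from" lines, so the connect count alone overstates how many sessions reached AUTH; the third column (AUTH drops) is the better signal for password guessing, which is why the threshold is applied to it rather than to raw connects.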
 
#2, 09-02-2013, 01:36 AM
JJJCR (Senior Member; registered Apr 2010; 2,160 posts)
Block that IP address from your firewall.

Block the range or just the IP. Check out this one --> http://www.linuxquestions.org/questi...tables-469432/

Change your password, to make sure.

Last edited by JJJCR; 09-02-2013 at 01:37 AM. Reason: edit
 
#3, 09-02-2013, 03:14 AM
Berhanie (Senior Member; registered Dec 2003; location Phnom Penh; distribution Fedora; 1,625 posts)
You can query an RBL as part of your smtpd_*_restrictions. Notice that the problem IP address is listed on Spamhaus. Example:
Code:
smtpd_client_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_rbl_client zen.spamhaus.org
Edit:
I just took a closer look at the logs you posted. It's not a spam issue in the mail-spam sense. For mail spam, RBLs are useful. They wouldn't be very useful against a client that just tries to open many connections, but you should read about smtpd_delay_reject. I wouldn't worry about a misbehaving client unless it's affecting the machine's resources, which I think is not the case for you. I've had success reporting clients to U.S.-based ISPs; not sure what would happen elsewhere. The IP in question is in Spain.

Last edited by Berhanie; 09-02-2013 at 03:58 AM.
 
#4, 09-02-2013, 11:00 AM
psycroptic (Original Poster; Member; registered Aug 2011; location USA; distribution ArchLinux - 3.0 kernel; 349 posts)
Quote:
Originally Posted by Berhanie (post #3, quoted in full)
I actually contacted the ISP (Telefonica de Espana) and they said they would need the full contents of the actual spam message (which of course I'm not going to allow to be relayed through my server). I'll look into Spamhaus, though personally I'm not a huge fan of their extortion-like method of business. It's not really affecting my machine much. smtpd_delay_reject looks valuable.
 
#5, 09-02-2013, 10:33 PM
Berhanie (Senior Member; registered Dec 2003; location Phnom Penh; distribution Fedora; 1,625 posts)
Quote:
I actually contacted the ISP (Telefonica de Espana) and they said they would need the full contents of the actual spam message
Mmm. Maybe you shouldn't have used the word "spam". I would have said that the client is opening spurious connections and trying to guess passwords / authenticate, and then included a section of the log, something like what you posted.
 
#6, 09-02-2013, 10:40 PM
psycroptic (Original Poster; Member; registered Aug 2011; location USA; distribution ArchLinux - 3.0 kernel; 349 posts)
Quote:
Originally Posted by Berhanie View Post
Mmm. Maybe you shouldn't have used the word "spam". I would have said that the client is opening spurious connections and trying to guess passwords / authenticate, and then included a section of the log, something like what you posted.
Even though that's OBVIOUSLY what they're doing?

Whatevs, I've messaged them again to clarify. Who knows...