LinuxQuestions.org

Slackware > daily attacks from a spammer - (https://www.linuxquestions.org/questions/slackware-14/daily-attacks-from-a-spammer-655125/)

ragebot 07-11-2008 10:39 AM

daily attacks from a spammer -
 
Hi everyone

Checking my mail logs, I keep seeing the same IP address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything I can do to stop them?

Jamie

ErV 07-11-2008 10:48 AM

Quote:

Originally Posted by ragebot (Post 3211315)
Hi everyone

Checking my mail logs, I keep seeing the same IP address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything I can do to stop them?

Jamie

1) You can block the address via iptables.
2) You can try to report abuse. whois ip_address might provide contact information for that purpose.
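ErV's first suggestion, turned into a script as an added example (this is not code from the thread or from any poster): it reads sendmail's "Relaying denied" rejects, counts them per client IP, and prints an iptables rule for any IP that hits a threshold. The sample maillog lines, hostnames, queue IDs and every IP other than the thread's 118.165.74.67 are constructed for the example; the threshold and the port-25-only rule are this example's choices.

```shell
#!/bin/sh
# Added example, not code from the thread: find the client IPs behind
# sendmail's "Relaying denied" rejects and emit an iptables rule for any IP
# that hits a threshold. Rules are printed, not executed; review them, then
# pipe the output into sh as root if you want them applied.

# Constructed sample maillog lines in sendmail's ruleset=/reject= format.
# Hostnames, queue IDs and every IP other than the thread's 118.165.74.67
# are made up for the example.
SAMPLE_LOG='Jul 11 03:12:41 mail sendmail[4711]: m6B8CfEa004711: ruleset=check_rcpt, arg1=<victim@example.org>, relay=[118.165.74.67], reject=550 5.7.1 <victim@example.org>... Relaying denied
Jul 11 03:12:43 mail sendmail[4712]: m6B8ChEa004712: ruleset=check_rcpt, arg1=<other@example.org>, relay=[118.165.74.67], reject=550 5.7.1 <other@example.org>... Relaying denied
Jul 11 09:20:02 mail sendmail[4801]: m6B9K2Ea004801: ruleset=check_rcpt, arg1=<nobody@localhost>, relay=[203.0.113.9], reject=550 5.1.1 <nobody@localhost>... User unknown
Jul 12 03:11:58 mail sendmail[5102]: m6C3BwEa005102: ruleset=check_rcpt, arg1=<x@example.org>, relay=badhost.example.net [192.0.2.77], reject=550 5.7.1 <x@example.org>... Relaying denied'

# relay_denied_ips THRESHOLD
#   Reads maillog lines on stdin, keeps only relay rejects, pulls the client
#   IP out of the relay= field (either "[ip]" or "host [ip]") and prints every
#   IP seen at least THRESHOLD times, one per line, sorted.
relay_denied_ips() {
    threshold="${1:-2}"
    grep 'Relaying denied' \
        | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }' \
        | sort
}

# block_rule IP
#   Prints the iptables command that drops new SMTP connections from IP.
#   Restricting the rule to --dport 25 keeps the blast radius small if the
#   address turns out to be a shared NAT or a dynamic pool at a large ISP.
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Print one rule per offender from the sample log. Against a real server:
#   relay_denied_ips 2 < /var/log/maillog | while read -r ip; do block_rule "$ip"; done
main() {
    printf '%s\n' "$SAMPLE_LOG" | relay_denied_ips 2 | while read -r ip; do
        block_rule "$ip"
    done
}

main
```

Two caveats before applying the output: an address in a large ISP pool is often dynamic, so a rule aimed at one IP can outlive the bot that earned it and later hit a harmless customer; and rules inserted at the command line do not survive a reboot, so anything you keep belongs in whatever firewall script you already run at boot.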

ragebot 07-11-2008 12:25 PM

OK, thank you.

Done whois ip_address, and this is the information it gave:

Code:

whois 118.165.74.67
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      118.160.0.0 - 118.167.255.255
netname:      HINET-NET
country:      TW
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
admin-c:      HN27-AP
tech-c:       HN28-AP
status:       ALLOCATED PORTABLE
mnt-by:       MAINT-TW-TWNIC
mnt-lower:    MAINT-TW-TWNIC
mnt-routes:   MAINT-TW-TWNIC
changed:      hm-changed@apnic.net 20071004
source:       APNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-adm@hinet.net
nic-hdl:      HN27-AP
remarks:      same as TWNIC nic-handle HN184-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20000721
source:       APNIC

person:       HINET Network-Center
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-center@hinet.net
nic-hdl:      HN28-AP
remarks:      same as TWNIC nic-handle HN185-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20000721
source:       APNIC

inetnum:      118.165.0.0 - 118.165.255.255
netname:      HINET-NET
descr:        Chunghwa Telecom Data Communication Business Group
descr:        Taipei Taiwan
country:      TW
admin-c:      HN184-TW
tech-c:       HN184-TW
mnt-by:       MAINT-TW-TWNIC
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
changed:      fkchung@ms1.hinet.net 20071004
status:       ASSIGNED NON-PORTABLE
source:       TWNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Taipei Taiwan
e-mail:       network-adm@hinet.net
nic-hdl:      HN184-TW
changed:      hostmaster@twnic.net.tw 20000721
source:       TWNIC

So how do I report them, and to whom? (Not done this before.)

Jamie

H_TeXMeX_H 07-11-2008 01:32 PM

There are plenty of places; just search Google. For example:
http://www.spamcop.net/

Mr. C. 07-11-2008 03:26 PM

Quote:

Originally Posted by ragebot (Post 3211315)
Checking my mail logs, i keep seeing the same ip address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything i can do to stop them?

Don't waste your time - your mail server is rejecting the attempt, and your log entries show that the mail server is doing the right thing.

Don't waste your time trying to report these - you'll be spending your life trying to stop millions of bot'd machines. That's a fool's errand.

Go about your life, knowing that your mail server is working exactly as you want it to work.

Out of curiosity, which MTA are you using?

ErV 07-11-2008 04:24 PM

Quote:

Originally Posted by ragebot (Post 3211409)
OK, thank you.

done whois ip_address, and this is the information it gave:

It doesn't have a "report abuse" email ("abuse-mailbox:").
And it's in China. I think this means that reaching someone to shut down the spammer might be problematic (I may be wrong).

So, I think your best bet will be to block the IP or leave it to the server, as Mr. C. suggested, unless this spammer eats all your bandwidth or something like that. It also makes sense to check the spamcop link provided by H_TeXMeX_H, but I doubt that they'll shut down the offending machine.

ragebot 07-11-2008 04:36 PM

Thanks guys. You're right, at least I know it's not getting through, which is the main thing.

I'm using sendmail (came with Slack current).

Once or twice I can accept; it's just bothered me because it's the same person at least twice every day!

Jamie

Mr. C. 07-11-2008 04:43 PM

You'll have more and more over time. Relay attempts are far less common today, as mail servers are configured to not allow relaying by default. But all sorts of other attacks occur:

Code:

      94  Reject relay denied                         3.42%
     167  Reject HELO/EHLO                            6.07%
     573  Reject unknown user                        20.83%
    1320  Reject recipient address                   47.98%
      66  Reject sender address                       2.40%
     528  Reject client host                         19.19%
       1  Reject RBL                                  0.04%
       2  Reject header                               0.07%
--------  ------------------------------------------------
    2751  Total Rejects                             100.00%
========  ================================================

As you can see, relay attempts here only account for 3.42% of the total rejects.

It is most likely not a human, but a bot.
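An added example, not Mr. C.'s own reporting tool (the thread does not show how his table was produced), that builds a breakdown of the same shape from a sendmail maillog so relay attempts can be weighed against the other reject classes. The mapping from the ruleset= field and the reject text to a class is this example's assumption, not a sendmail-defined taxonomy: check_rcpt with "Relaying denied" counts as a relay reject, check_rcpt with "User unknown" as unknown user, any other check_rcpt as recipient address, check_mail as sender address, check_relay with a "listed at" DNSBL message as RBL, and any other check_relay as client host; HELO/EHLO and header rejects are not classified. The sample log lines, hosts, queue IDs and IPs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sendmail rejects by reason,
# in the style of the table in the post above. The class assignment below is
# this example's own heuristic over the ruleset= field and the reject text;
# check it against the rulesets your sendmail.mc actually enables.

# Constructed sample maillog lines (hosts, queue IDs and IPs are made up).
SAMPLE_LOG='Jul 11 03:12:41 mail sendmail[4711]: m6B8CfEa004711: ruleset=check_rcpt, arg1=<v@example.org>, relay=[118.165.74.67], reject=550 5.7.1 <v@example.org>... Relaying denied
Jul 11 04:01:09 mail sendmail[4720]: m6B91tEa004720: ruleset=check_rcpt, arg1=<ghost@mail.example.net>, relay=[198.51.100.3], reject=550 5.1.1 <ghost@mail.example.net>... User unknown
Jul 11 04:01:10 mail sendmail[4720]: m6B91tEa004720: ruleset=check_rcpt, arg1=<ghost2@mail.example.net>, relay=[198.51.100.3], reject=550 5.1.1 <ghost2@mail.example.net>... User unknown
Jul 11 05:30:00 mail sendmail[4750]: m6BAU0Ea004750: ruleset=check_mail, arg1=<bounce@spam.invalid>, relay=[203.0.113.9], reject=553 5.1.8 <bounce@spam.invalid>... Domain of sender address does not exist
Jul 11 06:15:22 mail sendmail[4777]: m6BBFMEa004777: ruleset=check_relay, arg1=[192.0.2.77], arg2=192.0.2.77, relay=[192.0.2.77], reject=550 Rejected: 192.0.2.77 listed at zen.spamhaus.org
Jul 11 07:00:00 mail sendmail[4790]: m6BC00Ea004790: ruleset=check_relay, arg1=[192.0.2.78], arg2=192.0.2.78, relay=[192.0.2.78], reject=550 5.7.1 Access denied'

# reject_summary
#   Reads maillog lines on stdin, counts each reject class and prints one
#   "count  Reject <class>  percent" row per class (largest first), then a
#   total row, like the table above.
reject_summary() {
    grep 'reject=' | awk '
        function bump(k) { if (!(k in c)) classes++; c[k]++; n++ }
        /ruleset=check_rcpt/  && /Relaying denied/ { bump("relay denied");      next }
        /ruleset=check_rcpt/  && /User unknown/    { bump("unknown user");      next }
        /ruleset=check_rcpt/                       { bump("recipient address"); next }
        /ruleset=check_mail/                       { bump("sender address");    next }
        /ruleset=check_relay/ && / listed at /     { bump("RBL");               next }
        /ruleset=check_relay/                      { bump("client host");       next }
                                                   { bump("other") }
        END {
            # Emit rows in descending order of count without relying on
            # non-POSIX sort helpers: repeatedly pick and remove the max.
            for (i = 0; i < classes; i++) {
                best = ""
                for (k in c) if (best == "" || c[k] > c[best]) best = k
                printf "%8d  Reject %-20s %6.2f%%\n", c[best], best, 100 * c[best] / n
                delete c[best]
            }
            printf "%8d  %-27s %6.2f%%\n", n, "Total Rejects", 100
        }'
}

# reject_count CLASS
#   Reads maillog lines on stdin and prints the count for one class from the
#   summary, or 0 if that class never occurred.
reject_count() {
    reject_summary | awk -v k="Reject $1" \
        'index($0, k) { print $1; found = 1 } END { if (!found) print 0 }'
}

# Usage against a real server: reject_summary < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | reject_summary
```

The "other" bucket is deliberate: anything that does not match one of the rules lands there instead of being silently dropped, so a rising "other" count is the signal that the heuristic needs another rule rather than that the server has gone quiet.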

