LinuxQuestions.org
Old 07-11-2008, 11:39 AM   #1
ragebot
Member
 
Registered: Jun 2008
Location: Devon, United Kingdom
Distribution: Slackware 12.1-current
Posts: 32

Rep: Reputation: 15
daily attacks from a spammer -


Hi everyone

Checking my mail logs, I keep seeing the same IP address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything I can do to stop them?

Jamie
 
Old 07-11-2008, 11:48 AM   #2
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202
Blog Entries: 3

Rep: Reputation: 62
Quote:
Originally Posted by ragebot View Post
Hi everyone

Checking my mail logs, I keep seeing the same IP address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything I can do to stop them?

Jamie
1) You can block the address via iptables.
2) You can try to report abuse. whois ip_address might provide contact information for that purpose.
 
Old 07-11-2008, 01:25 PM   #3
ragebot
Member
 
Registered: Jun 2008
Location: Devon, United Kingdom
Distribution: Slackware 12.1-current
Posts: 32

Original Poster
Rep: Reputation: 15
OK, thank you.

Done whois ip_address, and this is the information it gave:

Code:
whois 118.165.74.67
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      118.160.0.0 - 118.167.255.255
netname:      HINET-NET
country:      TW
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
admin-c:      HN27-AP
tech-c:       HN28-AP
status:       ALLOCATED PORTABLE
mnt-by:       MAINT-TW-TWNIC
mnt-lower:    MAINT-TW-TWNIC
mnt-routes:   MAINT-TW-TWNIC
changed:      hm-changed@apnic.net 20071004
source:       APNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-adm@hinet.net
nic-hdl:      HN27-AP
remarks:      same as TWNIC nic-handle HN184-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20000721
source:       APNIC

person:       HINET Network-Center
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       network-center@hinet.net
nic-hdl:      HN28-AP
remarks:      same as TWNIC nic-handle HN185-TW
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20000721
source:       APNIC

inetnum:      118.165.0.0 - 118.165.255.255
netname:      HINET-NET
descr:        Chunghwa Telecom Data Communication Business Group
descr:        Taipei Taiwan
country:      TW
admin-c:      HN184-TW
tech-c:       HN184-TW
mnt-by:       MAINT-TW-TWNIC
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
changed:      fkchung@ms1.hinet.net 20071004
status:       ASSIGNED NON-PORTABLE
source:       TWNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Taipei Taiwan
e-mail:       network-adm@hinet.net
nic-hdl:      HN184-TW
changed:      hostmaster@twnic.net.tw20000721
source:       TWNIC
So how do I report them, and to whom? (Not done this before.)

jamie
 
Old 07-11-2008, 02:32 PM   #4
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1291
There's plenty of places, just search Google, for example:
http://www.spamcop.net/
 
Old 07-11-2008, 04:26 PM   #5
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 62
Quote:
Originally Posted by ragebot View Post
Checking my mail logs, I keep seeing the same IP address trying to use my server to relay spam. Fortunately, their attempts have been blocked, but it's happening around the same time each day and it's really annoying.

Is there anything I can do to stop them?
Don't waste your time - your mail server is rejecting the attempt, and your log entries show that the mail server is doing the right thing.

Don't waste your time trying to report these - you'll be spending your life trying to stop millions of bot'd machines. That's a fool's errand.

Go about your life, knowing that your mail server is working exactly as you want it to work.

Out of curiosity, which MTA are you using?
 
Old 07-11-2008, 05:24 PM   #6
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202
Blog Entries: 3

Rep: Reputation: 62
Quote:
Originally Posted by ragebot View Post
ok, thank you.

done whois ip_address, and this is the information it gave:
It doesn't have "report abuse" email ("abuse-mailbox:").
And it's in China. I think this means that reaching someone to shut down the spammer might be problematic (I may be wrong).

So, I think your best bet will be to block the IP or leave it to the server, as Mr. C. suggested, unless this spammer eats all your bandwidth or something like that. It also makes sense to check the spamcop link provided by H_TeXMeX_H, but I doubt that they'll shut down the offending machine.

Last edited by ErV; 07-11-2008 at 05:28 PM.
 
Old 07-11-2008, 05:36 PM   #7
ragebot
Member
 
Registered: Jun 2008
Location: Devon, United Kingdom
Distribution: Slackware 12.1-current
Posts: 32

Original Poster
Rep: Reputation: 15
Thanks guys. You're right, at least I know it's not getting through, which is the main thing.

I'm using sendmail (came with Slack current).

Once or twice I can accept, it's just bothered me because it's the same person at least twice every day!

Jamie
 
Old 07-11-2008, 05:43 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 62
You'll have more and more over time. Relay attempts are far less common today, as mail servers are configured to not allow relaying by default. But all sorts of other attacks occur:

Code:
      94   Reject relay denied                        3.42%
     167   Reject HELO/EHLO                           6.07%
     573   Reject unknown user                       20.83%
    1320   Reject recipient address                  47.98%
      66   Reject sender address                      2.40%
     528   Reject client host                        19.19%
       1   Reject RBL                                 0.04%
       2   Reject header                              0.07%
--------   ------------------------------------------------
    2751   Total Rejects                            100.00%
========   ================================================
As you can see, relay attempts here only account for 3.42% of the total rejects.

It is most likely not a human, but a bot.
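
Added example, not part of any post in this thread: a Python script that tallies sendmail reject lines by reason and by source IP (the kind of summary shown in post #8) and lists sources that recur on several days, as described in post #1, with a matching iptables rule for each. The log lines are constructed in sendmail's syslog style using documentation addresses; the function names and the two-day threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in sendmail's syslog style (not the poster's real log);
# all addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
Jul 10 09:14:02 mail sendmail[2101]: m6A8E1aa002101: ruleset=check_rcpt, arg1=<a@example.net>, relay=[192.0.2.67], reject=550 5.7.1 <a@example.net>... Relaying denied
Jul 10 21:40:11 mail sendmail[2388]: m6AKeAbb002388: ruleset=check_rcpt, arg1=<b@example.net>, relay=[192.0.2.67], reject=550 5.7.1 <b@example.net>... Relaying denied
Jul 11 09:13:57 mail sendmail[3120]: m6B8Ducc003120: ruleset=check_rcpt, arg1=<c@example.net>, relay=[192.0.2.67], reject=550 5.7.1 <c@example.net>... Relaying denied
Jul 11 10:02:44 mail sendmail[3177]: m6B92hdd003177: ruleset=check_mail, arg1=<spam@example.invalid>, relay=[203.0.113.5], reject=553 5.1.8 <spam@example.invalid>... Domain of sender address spam@example.invalid does not exist
Jul 11 10:05:10 mail sendmail[3180]: m6B95Aee003180: ruleset=check_rcpt, arg1=<d@example.net>, relay=host.example.com [198.51.100.9], reject=550 5.7.1 <d@example.net>... Relaying denied
Jul 11 10:06:00 mail sendmail[3181]: m6B95Aff003181: from=<x@example.org>, size=512, relay=[198.51.100.9]
"""

# IPv4 only: relay=[ip] or relay=host [ip], followed by reject=<code> <dsn> <text>
REJECT = re.compile(
    r"relay=[^\[]*\[(?P<ip>[0-9.]+)\][^,]*, "
    r"reject=\d{3} \d\.\d\.\d (?P<text>.*)$"
)

def parse_rejects(log_text):
    """Yield (day, ip, reason) for each log line that records a reject."""
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            day = " ".join(line.split()[:2])          # e.g. "Jul 11"
            reason = m["text"].split("... ", 1)[-1]   # drop the "<addr>... " prefix
            yield day, m["ip"], reason

def summarize(log_text):
    """Return (rejects per reason, rejects per IP, distinct days per IP)."""
    by_reason, by_ip, days = Counter(), Counter(), {}
    for day, ip, reason in parse_rejects(log_text):
        by_reason[reason] += 1
        by_ip[ip] += 1
        days.setdefault(ip, set()).add(day)
    return by_reason, by_ip, {ip: len(d) for ip, d in days.items()}

def repeat_sources(log_text, min_days=2):
    """IPs rejected on at least min_days different days, busiest first."""
    _, by_ip, day_count = summarize(log_text)
    return [ip for ip, _ in by_ip.most_common() if day_count[ip] >= min_days]

def drop_rules(ips):
    """iptables commands that drop SMTP from each IP before it reaches sendmail."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)[0].most_common(), drop_rules(repeat_sources(SAMPLE_LOG)))
```

The script only prints the rules; applying them requires root, and a source that appears once is left to the mail server's own rejection.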
 