28th March 2013, 18:52
arraken
postfix DoS Spam attack

Hi guys!

I'm having a serious problem with my mail server. It seems there is some kind of DoS or spam attack running, which is nearly crashing the whole server. Some days ago we had a DoS attack on Apache (40+ requests to one site per second from one IP), and now it's starting on the mail server.

It seems to originate from a single IP, if I'm not mistaken. If I run the command "tail -f /var/log/mail.log | grep 1.2.3.4" I get the following output:

Code:
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <etzsthbyquxte@yahoo.com> -> <3390@yahoo.com.tw>,<34dn@yahoo.com.tw>,<430j@yahoo.com.tw>,<486y@yahoo.com.tw>,<6nob@yahoo.com.tw>,<a0937736793@yahoo.com.tw>,<a855151151@yahoo.com.tw>,<aaajoe1207@yahoo.com.tw>,<azero0831@yahoo.com.tw>,<bawea@yahoo.com.tw>,<c0762@yahoo.com.tw>,<ccty218@yahoo.com.tw>,<cids75@yahoo.com.tw>,<clot0955@yahoo.com.tw>,<digev@yahoo.com.tw>,<downright@yahoo.com.tw>,<e31310@yahoo.com.tw>,<fingersob@yahoo.com.tw>,<greatest_club7@yahoo.com.tw>,<kikocc2005@yahoo.com.tw>,<myanmarfuturegenerations@yahoo.com.tw>,<ritsukoaizawa@yahoo.com.tw>, quarantine: X/badh-XPAn+KjwcGjn, Message-ID: <IUHTZUPJBXXGZAGGBWHZ@yahoo.com>, mail_id: XPAn+KjwcGjn, Hits: 29.032, size: 5547, queued_as: 77E182530566, 4413 ms
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: warning: 1.2.3.4: address not listed for hostname email.DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:05 server1 amavis[1870]: (01870-03-13) Passed BAD-HEADER, [1.2.3.4] [75.116.26.152] <ljbpzsbqrqzkx@yahoo.com> -> <gdccu@yahoo.com.tw>, quarantine: j/badh-jLp6v1RP31FB, Message-ID: <UFCEFYPRWNNJJWDLBKLI@yahoo.com>, mail_id: jLp6v1RP31FB, Hits: 28.97, size: 5545, queued_as: B476F2530569, 2765 ms
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2512]: 79B99253056D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: 7A618253056E: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 amavis[1871]: (01871-03-5) Passed BAD-HEADER, [1.2.3.4] [185.248.120.84] <njzbxiaa@yahoo.com> -> <miffy.0311@kimo.com>,<helen0801@yahoo.com.tw>,<johnsonp@yahoo.com.tw>,<k4682t@yahoo.com.tw>,<laiju2421@yahoo.com.tw>,<leizikong@yahoo.com.tw>,<leo1966leo@yahoo.com.tw>,<lewell@yahoo.com.tw>,<lwt1970@yahoo.com.tw>,<ml_ngan@yahoo.com.tw>,<mung-bean-paste@yahoo.com.tw>,<nan2223@yahoo.com.tw>,<niokei@yahoo.com.tw>,<p0936069@yahoo.com.tw>,<sm135ok@yahoo.com.tw>, quarantine: B/badh-BWzuYpe8ThAM, Message-ID: <BUDYAWCSBBNENTIUQCKEISDXZ@yahoo.com>, mail_id: BWzuYpe8ThAM, Hits: 29.469, size: 6527, queued_as: 77FB4253056A, 5424 ms
Mar 28 17:37:08 server1 postfix/smtpd[2512]: A4E29253056F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: A732B2530570: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: ADFFE2530571: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: EAC6C2530572: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: EAC8C2530573: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2423]: 69F422530575: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2512]: E010A2530576: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2708]: E0FE62530578: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:12 server1 amavis[1870]: (01870-03-14) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <slbburxoarum@yahoo.com> -> <a0926298122@yahoo.com.tw>,<a223542804@yahoo.com.tw>,

As you can see, this is the output of only a few seconds.

Last edited by arraken; 30th March 2013 at 11:27.
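A detector for the pattern visible in the log above, added here as an example and not part of the original post: it parses the postfix/smtpd SASL submission lines, groups them by (sasl_username, client IP) and flags any pair that reaches a burst threshold inside a short window, which is what one compromised mailbox credential relaying spam looks like in mail.log. The sample log is constructed (modelled on the excerpt; the user alice@DomainOnMyServer.at and the IP 198.51.100.7 are invented as a normal-traffic baseline).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's excerpt: one credential used from 1.2.3.4 several times a second, plus an invented normal user (alice) for contrast.
SAMPLE_LOG = """\
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <x@yahoo.com> -> <y@yahoo.com.tw>, Hits: 29.032
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:30:12 server1 postfix/smtpd[2390]: 1AB2C2530500: client=office.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@DomainOnMyServer.at
Mar 28 17:39:45 server1 postfix/smtpd[2801]: 2CD3E2530590: client=office.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@DomainOnMyServer.at
""".splitlines()

# The postfix/smtpd line written once per authenticated (SASL) submission.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: [0-9A-F]+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

def parse_sasl_logins(lines):
    """Return (timestamp, client_ip, sasl_username) per SASL submission; amavis, connect and warning lines are skipped."""
    out = []
    for line in lines:
        m = SASL_RE.match(line)
        if m:  # syslog carries no year; the fixed default year is fine for intra-day deltas
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]))
    return out

def flag_burst_senders(lines, window_seconds=10, threshold=5):
    """Map (sasl_username, client_ip) -> peak submissions inside any window_seconds, for pairs reaching threshold."""
    # A single credential bursting from one IP points to a compromised mailbox relaying spam, not to a password-guessing DoS.
    by_key = defaultdict(list)
    for ts, ip, user in parse_sasl_logins(lines):
        by_key[(user, ip)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):  # sliding window: j only ever moves forward
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

The flagged sasl_username is the thing to lock and rotate; blocking only the client IP leaves the stolen password usable from the next address.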