28th March 2013, 17:52
arraken
postfix DoS Spam attack

Hi guys!

I'm having a serious problem with my mailserver. It seems there is some kind of DoS or Spam attack running, which is nearly crashing the whole server. Some days ago we had a DoS attack on Apache (40+ requests to one site per second from one IP), and now it's starting on the mailserver.

It seems to originate from a single IP, if I'm not mistaken. If I run the command "tail -f /var/log/mail.log | grep 1.2.3.4" I get the following output:

Code:
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <etzsthbyquxte@yahoo.com> -> <3390@yahoo.com.tw>,<34dn@yahoo.com.tw>,<430j@yahoo.com.tw>,<486y@yahoo.com.tw>,<6nob@yahoo.com.tw>,<a0937736793@yahoo.com.tw>,<a855151151@yahoo.com.tw>,<aaajoe1207@yahoo.com.tw>,<azero0831@yahoo.com.tw>,<bawea@yahoo.com.tw>,<c0762@yahoo.com.tw>,<ccty218@yahoo.com.tw>,<cids75@yahoo.com.tw>,<clot0955@yahoo.com.tw>,<digev@yahoo.com.tw>,<downright@yahoo.com.tw>,<e31310@yahoo.com.tw>,<fingersob@yahoo.com.tw>,<greatest_club7@yahoo.com.tw>,<kikocc2005@yahoo.com.tw>,<myanmarfuturegenerations@yahoo.com.tw>,<ritsukoaizawa@yahoo.com.tw>, quarantine: X/badh-XPAn+KjwcGjn, Message-ID: <IUHTZUPJBXXGZAGGBWHZ@yahoo.com>, mail_id: XPAn+KjwcGjn, Hits: 29.032, size: 5547, queued_as: 77E182530566, 4413 ms
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: warning: 1.2.3.4: address not listed for hostname email.DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:05 server1 amavis[1870]: (01870-03-13) Passed BAD-HEADER, [1.2.3.4] [75.116.26.152] <ljbpzsbqrqzkx@yahoo.com> -> <gdccu@yahoo.com.tw>, quarantine: j/badh-jLp6v1RP31FB, Message-ID: <UFCEFYPRWNNJJWDLBKLI@yahoo.com>, mail_id: jLp6v1RP31FB, Hits: 28.97, size: 5545, queued_as: B476F2530569, 2765 ms
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2512]: 79B99253056D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: 7A618253056E: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 amavis[1871]: (01871-03-5) Passed BAD-HEADER, [1.2.3.4] [185.248.120.84] <njzbxiaa@yahoo.com> -> <miffy.0311@kimo.com>,<helen0801@yahoo.com.tw>,<johnsonp@yahoo.com.tw>,<k4682t@yahoo.com.tw>,<laiju2421@yahoo.com.tw>,<leizikong@yahoo.com.tw>,<leo1966leo@yahoo.com.tw>,<lewell@yahoo.com.tw>,<lwt1970@yahoo.com.tw>,<ml_ngan@yahoo.com.tw>,<mung-bean-paste@yahoo.com.tw>,<nan2223@yahoo.com.tw>,<niokei@yahoo.com.tw>,<p0936069@yahoo.com.tw>,<sm135ok@yahoo.com.tw>, quarantine: B/badh-BWzuYpe8ThAM, Message-ID: <BUDYAWCSBBNENTIUQCKEISDXZ@yahoo.com>, mail_id: BWzuYpe8ThAM, Hits: 29.469, size: 6527, queued_as: 77FB4253056A, 5424 ms
Mar 28 17:37:08 server1 postfix/smtpd[2512]: A4E29253056F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: A732B2530570: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: ADFFE2530571: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: EAC6C2530572: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: EAC8C2530573: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2423]: 69F422530575: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2512]: E010A2530576: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2708]: E0FE62530578: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:12 server1 amavis[1870]: (01870-03-14) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <slbburxoarum@yahoo.com> -> <a0926298122@yahoo.com.tw>,<a223542804@yahoo.com.tw>,

As you can see, this is the output of only a few seconds.

Last edited by arraken; 30th March 2013 at 10:27.
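
The smtpd lines in the post each tie a queued message to a client IP and a SASL username. As an added example (not part of the original post), the following Python tallies authenticated submissions per (client IP, SASL username) pair in a sliding time window and reports pairs whose rate reaches a threshold. The function names, the window and threshold values, the assumed year and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd line written when an authenticated client is given a queue ID.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-F]+: client=\S*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def parse(line, year=2013):
    """Return (timestamp, client_ip, sasl_username), or None if no match.
    Syslog omits the year, so it is passed in (assumption)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def find_bursts(lines, window_s=10, threshold=5):
    """Peak number of authenticated submissions per (ip, user) inside any
    sliding window of window_s seconds; return pairs reaching threshold."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user = rec
        q = recent[(ip, user)]
        q.append(ts)
        while ts - q[0] >= timedelta(seconds=window_s):
            q.popleft()  # drop submissions that fell out of the window
        peak[(ip, user)] = max(peak[(ip, user)], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}

# Constructed sample lines in the format shown in the post (documentation IPs).
_L = "Mar 28 17:{} server1 postfix/smtpd[2413]: {}: client=unknown[{}], sasl_method=LOGIN, sasl_username={}"
SAMPLE = [_L.format(t, f"AB12CD34EF{i:02d}", "192.0.2.10", "user@example.org")
          for i, t in enumerate(["37:01", "37:01", "37:02", "37:04", "37:04", "37:06", "40:00"])]
SAMPLE.append(_L.format("37:03", "AB12CD34EF99", "198.51.100.7", "other@example.org"))
SAMPLE.append("Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[192.0.2.10]")

if __name__ == "__main__":
    for (ip, user), n in find_bursts(SAMPLE).items():
        print(f"{ip} as {user}: {n} submissions within 10 s")
```

A pair that shows up here identifies which mailbox's credentials are being used to submit mail, which is the account to lock or re-password while the source IP is blocked.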
All times are GMT +2.