mail hack attempts

[fordwrench]

I get thousounds of the following every day:

Aug 4 11:00:27 srv1 postfix/smtpd[27786]: connect from emark1.emservers.com[66.230.197.45]
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: NOQUEUE: reject: RCPT from emark1.emservers.com[66.230.197.45]: 550 5.1.1 <mnmpmbgmofcc@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<mnmpmbgmofcc@rrmaps.com> proto=SMTP helo=<emark1.emservers.com>
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: disconnect from emark1.emservers.com[66.230.197.45]
Aug 4 11:00:28 srv1 postfix/smtpd[28570]: warning: 219.141.253.249: hostname bj141-253-249.bjtelecom.net verification failed: Name or service not known
Aug 4 11:00:28 srv1 postfix/smtpd[28570]: connect from unknown[219.141.253.249]
Aug 4 11:00:29 srv1 postfix/smtpd[28570]: NOQUEUE: reject: RCPT from unknown[219.141.253.249]: 550 5.1.1 <vszmblpv@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<vszmblpv@rrmaps.com> proto=ESMTP helo=<mailex.cosco.com>
Aug 4 11:00:29 srv1 postfix/smtpd[28570]: disconnect from unknown[219.141.253.249]
Aug 4 11:00:34 srv1 postfix/smtpd[28353]: connect from cumeil13.prima.com.ar[200.42.0.139]


only to one site "rrmaps.com"

How can I stop this and also how can I stop for bounce mail that is more than a week or a few days old.

say if today is saturday the 4th...how do I bounce mail from two days ago.
or only within the 24 hr period preceding.

Tia

Fordwrench

[till]

It is normal that spammers try to send you emails to non existing eddresses, you can not do much against this. The lines above are no bounces, they tell you just that postfix rejected the emails, so there is nothing more that you must do. Message rejections normally do not generate bounce mails.

[fordwrench]

Ok so this is normal but I only get this on one site that has no email users.
I dont get any on other sites.

And maybe bounce is the wrong word...I want to reject emails that are more than a few day old. That is, I dont want to receive emails created more than a few days old. Is there a rule to set up for that.

Thanks

Fordwrench

[AlArenal]

Quote:

Originally Posted by fordwrench

Ok so this is normal but I only get this on one site that has no email users.
I dont get any on other sites.

First time someone complains about NOT receiving spam...

Quote:

And maybe bounce is the wrong word...I want to reject emails that are more than a few day old. That is, I dont want to receive emails created more than a few days old. Is there a rule to set up for that.

Who sends backdated mail?

[fordwrench]

Who sends backdated email?


Spammers!


Need some viagra?
Increase your manhood?
Best stock tips in town!
Best pharma website...


Spammers that is who sends backdated emails.

Fordwrench

[fordwrench]

I am not complaining about not receiving spam...I still receive spam.

I am saying that one site gets hit constantly and fills the log files with that crap.
No other sites get all that.
I have no email users on the site that this getting all the requests.

I want to know if there is a way to stop it.

I still get spam with the mail enhancements and rbls.
I am not a guru with this stuff I am trying to learn.
That is why I have a sub to this site and I read and read and read....
And when reading doesnt provide an answer I ask questions..

Fordwrench

[till]

Quote:

I want to reject emails that are more than a few day old.

The emails are already being rejected, that what the log file tells you. You can not reject a email twice when it has been already rejected because the email account does not exist.

Quote:

I want to know if there is a way to stop it.

No. And the emails are alredy rejected. It is normal that postfix logs its actions when it rejects a email.

[AlArenal]

Quote:

Originally Posted by fordwrench

I am not complaining about not receiving spam...I still receive spam.

I am saying that one site gets hit constantly and fills the log files with that crap.
No other sites get all that.
I have no email users on the site that this getting all the requests.

1. One day you WILL receive spam on the other domains as soon as one harvester gets aware of the domain. It's more a matter of when than if.
2. Spammers can't know whether or not a domain has email addresses configured or not and now spammer kindly asks you before sending out spam. As Till already said it's normal that spammers in some kind of brute-force-attempt try to find email accounts by creating randomized addresses. My logs are full of such addresses. Even these days a lot of people use catchall addresses and some addresses are common like info@, contact@, ... So this is a normal spammer's behaviour.

Quote:

I want to know if there is a way to stop it.

I still get spam with the mail enhancements and rbls.
I am not a guru with this stuff I am trying to learn.
That is why I have a sub to this site and I read and read and read....
And when reading doesnt provide an answer I ask questions..

We all receive spam. It's everywhere. Even the gurus receive spam. Right now there is no way to just "turn it off" without drawbacks (false negatives), other than pull the plug and disconnect

We all (as admins and users) have to learn to live with it the same way that software developers and their bosses and customers have to deal with bugs as part of their work and everyday life. There are ways to reduce spam (you can find them in the various tutorials on howtoforge), but you won't be able to stop spammers from ATTEMPTING to send spam to you. And that's part of what get's logged, the attempts...

[fordwrench]

Ok, this was actually two questions.

I understand the first answer, everyone gets this in the rejected messages because a spammer is trying to brute-force attack. That I understand.
I just thought maybe someone would have a solution to find who was doing this or whatever. End of that.


Part 2:

How do you reject messages with a date that is say 2 days earlier?
Now I have gotten some of these messages say from "1969". Is there some way to configure postfix so it will reject messages that are older than a certain time you set? So if the system time is 9:00pm on 08/05/07 and the email has a creation date of 08/02/07 or earlier it is rejected? Is there a way to do this?

By the way.

Thanks for all the feedback.

Fordwrench

[AlArenal]

Quote:

Originally Posted by fordwrench

Ok, this was actually two questions.

I understand the first answer, everyone gets this in the rejected messages because a spammer is trying to brute-force attack. That I understand.
I just thought maybe someone would have a solution to find who was doing this or whatever. End of that.

Spammers mostly use hijacked computers, so called zombies. Those form a so called bot network under the control of the spammer. They're doing their best to hide away from public.

Quote:

Part 2:

How do you reject messages with a date that is say 2 days earlier?
Now I have gotten some of these messages say from "1969". Is there some way to configure postfix so it will reject messages that are older than a certain time you set? So if the system time is 9:00pm on 08/05/07 and the email has a creation date of 08/02/07 or earlier it is rejected? Is there a way to do this?

Content checking isn't done in Postfix. You'd rather do it afterwards, e.g. in spamassassin. There should already be rules for such suspicious dates. Most of the times they are dated in the future, because then it gets listed atop all other mails in most users' mail clients.
You'd have to adjust the score for that rule in you spamassassin config, or write your own rule, or something like that.