#1 | fordwrench | 4th August 2007, 18:03
Title: mail hack attempts

I get thousands of the following every day:

Aug 4 11:00:27 srv1 postfix/smtpd[27786]: connect from emark1.emservers.com[66.230.197.45]
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: NOQUEUE: reject: RCPT from emark1.emservers.com[66.230.197.45]: 550 5.1.1 <mnmpmbgmofcc@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<mnmpmbgmofcc@rrmaps.com> proto=SMTP helo=<emark1.emservers.com>
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: disconnect from emark1.emservers.com[66.230.197.45]
Aug 4 11:00:28 srv1 postfix/smtpd[28570]: warning: 219.141.253.249: hostname bj141-253-249.bjtelecom.net verification failed: Name or service not known
Aug 4 11:00:28 srv1 postfix/smtpd[28570]: connect from unknown[219.141.253.249]
Aug 4 11:00:29 srv1 postfix/smtpd[28570]: NOQUEUE: reject: RCPT from unknown[219.141.253.249]: 550 5.1.1 <vszmblpv@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<vszmblpv@rrmaps.com> proto=ESMTP helo=<mailex.cosco.com>
Aug 4 11:00:29 srv1 postfix/smtpd[28570]: disconnect from unknown[219.141.253.249]
Aug 4 11:00:34 srv1 postfix/smtpd[28353]: connect from cumeil13.prima.com.ar[200.42.0.139]


only to one site "rrmaps.com"

How can I stop this and also how can I stop for bounce mail that is more than a week or a few days old?

Say if today is Saturday the 4th... how do I bounce mail from two days ago,
or only within the 24 hr period preceding?

Tia

Fordwrench

#2 | till | 5th August 2007, 09:04

It is normal that spammers try to send you emails to non-existing addresses, you cannot do much against this. The lines above are no bounces, they tell you just that postfix rejected the emails, so there is nothing more that you must do. Message rejections normally do not generate bounce mails.

Till Brehm

#3 | fordwrench | 5th August 2007, 23:46

Ok so this is normal but I only get this on one site that has no email users.
I don't get any on other sites.

And maybe bounce is the wrong word... I want to reject emails that are more than a few days old. That is, I don't want to receive emails created more than a few days old. Is there a rule to set up for that?

Thanks

Fordwrench

#4 | AlArenal | 5th August 2007, 23:54

Quote (originally posted by fordwrench):
> Ok so this is normal but I only get this on one site that has no email users.
> I don't get any on other sites.

First time someone complains about NOT receiving spam...

Quote:
> And maybe bounce is the wrong word... I want to reject emails that are more than a few days old. That is, I don't want to receive emails created more than a few days old. Is there a rule to set up for that?

Who sends backdated mail?

#5 | fordwrench | 6th August 2007, 05:40

Who sends backdated email?


Spammers!


Need some viagra?
Increase your manhood?
Best stock tips in town!
Best pharma website...


Spammers, that is who sends backdated emails.

Fordwrench

#6 | fordwrench | 6th August 2007, 05:47

I am not complaining about not receiving spam...I still receive spam.

I am saying that one site gets hit constantly and fills the log files with that crap.
No other sites get all that.
I have no email users on the site that is getting all the requests.

I want to know if there is a way to stop it.

I still get spam with the mail enhancements and rbls.
I am not a guru with this stuff I am trying to learn.
That is why I have a sub to this site and I read and read and read....
And when reading doesn't provide an answer I ask questions..

Fordwrench

#7 | till | 6th August 2007, 08:58

Quote:
> I want to reject emails that are more than a few days old.

The emails are already being rejected, that's what the log file tells you. You cannot reject an email twice when it has been already rejected because the email account does not exist.

Quote:
> I want to know if there is a way to stop it.

No. And the emails are already rejected. It is normal that postfix logs its actions when it rejects an email.

Till Brehm

#8 | AlArenal | 6th August 2007, 09:48

Quote (originally posted by fordwrench):
> I am not complaining about not receiving spam...I still receive spam.
>
> I am saying that one site gets hit constantly and fills the log files with that crap.
> No other sites get all that.
> I have no email users on the site that is getting all the requests.

1. One day you WILL receive spam on the other domains as soon as one harvester gets aware of the domain. It's more a matter of when than if.
2. Spammers can't know whether or not a domain has email addresses configured or not and no spammer kindly asks you before sending out spam. As Till already said it's normal that spammers in some kind of brute-force-attempt try to find email accounts by creating randomized addresses. My logs are full of such addresses. Even these days a lot of people use catchall addresses and some addresses are common like info@, contact@, ... So this is a normal spammer's behaviour.

Quote:
> I want to know if there is a way to stop it.
>
> I still get spam with the mail enhancements and rbls.
> I am not a guru with this stuff I am trying to learn.
> That is why I have a sub to this site and I read and read and read....
> And when reading doesn't provide an answer I ask questions..

We all receive spam. It's everywhere. Even the gurus receive spam. Right now there is no way to just "turn it off" without drawbacks (false negatives), other than pull the plug and disconnect.

We all (as admins and users) have to learn to live with it the same way that software developers and their bosses and customers have to deal with bugs as part of their work and everyday life. There are ways to reduce spam (you can find them in the various tutorials on howtoforge), but you won't be able to stop spammers from ATTEMPTING to send spam to you. And that's part of what gets logged, the attempts...
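
Added example, not part of the original thread: a Python sketch that parses Postfix `NOQUEUE: reject` lines like the ones in post #1 and counts, per recipient domain, the rejects, the distinct client IPs, the clients Postfix logged as `unknown`, and the rejects carrying the null envelope sender `from=<>`, which SMTP uses for delivery status notifications (bounces). The function and field names are assumptions of this example; the sample lines are copied from post #1.

```python
import re
from collections import defaultdict

# Four lines copied from the log excerpt in post #1 of this thread.
SAMPLE_LOG = """\
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: connect from emark1.emservers.com[66.230.197.45]
Aug 4 11:00:27 srv1 postfix/smtpd[27786]: NOQUEUE: reject: RCPT from emark1.emservers.com[66.230.197.45]: 550 5.1.1 <mnmpmbgmofcc@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<mnmpmbgmofcc@rrmaps.com> proto=SMTP helo=<emark1.emservers.com>
Aug 4 11:00:28 srv1 postfix/smtpd[28570]: warning: 219.141.253.249: hostname bj141-253-249.bjtelecom.net verification failed: Name or service not known
Aug 4 11:00:29 srv1 postfix/smtpd[28570]: NOQUEUE: reject: RCPT from unknown[219.141.253.249]: 550 5.1.1 <vszmblpv@rrmaps.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<vszmblpv@rrmaps.com> proto=ESMTP helo=<mailex.cosco.com>
"""

# Matches the RCPT-stage reject format shown in the thread's log excerpt.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) .*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def summarise_rejects(log_text):
    """Group rejected RCPT attempts by recipient domain."""
    stats = defaultdict(lambda: {"rejects": 0, "null_sender": 0,
                                 "unverified_host": 0, "clients": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no recipient
        entry = stats[m["rcpt"].rpartition("@")[2].lower()]
        entry["rejects"] += 1
        entry["clients"].add(m["ip"])
        if m["sender"] == "":        # from=<> : null envelope sender
            entry["null_sender"] += 1
        if m["host"] == "unknown":   # Postfix could not verify the client name
            entry["unverified_host"] += 1
    return dict(stats)


if __name__ == "__main__":
    for domain, s in summarise_rejects(SAMPLE_LOG).items():
        print(f"{domain}: {s['rejects']} rejects, {len(s['clients'])} client IPs, "
              f"{s['null_sender']} null-sender, {s['unverified_host']} unverified hosts")
```

Both rejected lines in the excerpt carry `from=<>`, so a count like this is a quick way to tell notification-style traffic aimed at one domain apart from ordinary mail with a real envelope sender.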

#9 | fordwrench | 6th August 2007, 11:43

Ok, this was actually two questions.

I understand the first answer, everyone gets this in the rejected messages because a spammer is trying to brute-force attack. That I understand.
I just thought maybe someone would have a solution to find who was doing this or whatever. End of that.


Part 2:

How do you reject messages with a date that is say 2 days earlier?
Now I have gotten some of these messages say from "1969". Is there some way to configure postfix so it will reject messages that are older than a certain time you set? So if the system time is 9:00pm on 08/05/07 and the email has a creation date of 08/02/07 or earlier it is rejected? Is there a way to do this?

By the way.

Thanks for all the feedback.

Fordwrench

#10 | AlArenal | 6th August 2007, 11:58

Quote (originally posted by fordwrench):
> Ok, this was actually two questions.
>
> I understand the first answer, everyone gets this in the rejected messages because a spammer is trying to brute-force attack. That I understand.
> I just thought maybe someone would have a solution to find who was doing this or whatever. End of that.

Spammers mostly use hijacked computers, so-called zombies. Those form a so-called bot network under the control of the spammer. They're doing their best to hide away from public.

Quote:
> Part 2:
>
> How do you reject messages with a date that is say 2 days earlier?
> Now I have gotten some of these messages say from "1969". Is there some way to configure postfix so it will reject messages that are older than a certain time you set? So if the system time is 9:00pm on 08/05/07 and the email has a creation date of 08/02/07 or earlier it is rejected? Is there a way to do this?

Content checking isn't done in Postfix. You'd rather do it afterwards, e.g. in spamassassin. There should already be rules for such suspicious dates. Most of the time they are dated in the future, because then it gets listed atop all other mails in most users' mail clients.
You'd have to adjust the score for that rule in your spamassassin config, or write your own rule, or something like that.
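
Added example, not part of the original thread and not a SpamAssassin rule: a Python sketch of the comparison a date check in a content filter has to make, classifying a message's `Date` header against the time the server received it. The function name, the 3-hour future tolerance and the sample messages are assumptions of this example; the 2-day limit and the receive time come from the question in post #9.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def classify_date(raw_message, received_at,
                  max_past=timedelta(days=2), max_future=timedelta(hours=3)):
    """Classify the Date header as missing, invalid, past, future or ok.

    The thresholds are assumptions of this example. The Date header is
    written by the sender, so the result is a scoring signal and not proof
    of when a mail was really sent.
    """
    header = message_from_string(raw_message)["Date"]
    if header is None:
        return "missing"
    try:
        sent = parsedate_to_datetime(header)
    except (TypeError, ValueError):   # unparseable date text
        return "invalid"
    if sent.tzinfo is None:           # zone "-0000" parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    age = received_at - sent
    if age > max_past:
        return "past"
    if -age > max_future:
        return "future"
    return "ok"


def sample(date_line):
    """Build a constructed test message; pass '' for a message with no Date."""
    return f"From: sender@example.com\n{date_line}Subject: test\n\nbody\n"


# Receive time from the question: 9:00pm on 08/05/07 (taken as UTC here).
RECEIVED = datetime(2007, 8, 5, 21, 0, tzinfo=timezone.utc)
SAMPLE_DATES = [                      # constructed Date header lines
    "Date: Sun, 05 Aug 2007 20:30:00 +0000\n",
    "Date: Thu, 02 Aug 2007 09:00:00 +0000\n",
    "Date: Wed, 31 Dec 1969 19:00:00 -0500\n",
    "Date: Fri, 10 Aug 2007 09:00:00 +0000\n",
    "Date: not a date\n",
    "",
]

if __name__ == "__main__":
    for line in SAMPLE_DATES:
        print(repr(line), "->", classify_date(sample(line), RECEIVED))
```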