#1  
Old 20th October 2010, 10:13
kings
Emergency Help please

For the 3rd day, only 2 mailboxes on different mail servers have received e-mails from different senders such as this:

"perekm-8@student.luth.se" <perekm-8@student.luth.se>. This and all other senders send anti federal tax mails.
I read everything about this problem on this forum, but I cannot stop this:
I executed all of Till's advice for this. After I sent to this sender, I saw this in the mail info.log:
Quote:
Oct 20 10:19:02 shvv postfix/qmgr[6682]: 055ED4C2AC9: from=<wispc@house-v.eu>, size=5157, nrcpt=1 (queue active)
Oct 20 10:19:23 shvv postfix/smtp[18419]: connect to eftps.gov[12.36.213.139]:25: Connection timed out
Oct 20 10:19:23 shvv postfix/smtp[18419]: 055ED4C2AC9: to=<customers0443@eftps.gov>, relay=none, delay=155970, delays=155949/0.03/21/0, dsn=4.4.1, status=deferred (connect to eftps.gov[12.36.213.139]:25: Connection timed out)


Generally for all senders that use eftps.gov!!!!

Unquote!
In "local-host-names" and "aliases" I have no changes for this!
When I run the command "dig MX house-v.eu", everything in the answer section is NORMAL:
;; ANSWER SECTION:
house-v.eu. 28800 IN MX 10 mail.house-v.eu.

;; Query time: 1131 msec
;; SERVER: 93.152.128.1#53(93.152.128.1)
;; WHEN: Wed Oct 20 10:09:32 2010
;; MSG SIZE rcvd: 49


Please help me to stop this. Where do I try to block this?
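An added example, not part of the original thread: the quoted log lines describe mail leaving the server, so joining the qmgr and smtp lines on the Postfix queue ID shows which local envelope sender is behind the deferred deliveries and how long they have been queued. The function name and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the three log lines quoted in the post above, followed by two
# constructed lines for a normally delivered message (for contrast).
SAMPLE_LOG = """\
Oct 20 10:19:02 shvv postfix/qmgr[6682]: 055ED4C2AC9: from=<wispc@house-v.eu>, size=5157, nrcpt=1 (queue active)
Oct 20 10:19:23 shvv postfix/smtp[18419]: connect to eftps.gov[12.36.213.139]:25: Connection timed out
Oct 20 10:19:23 shvv postfix/smtp[18419]: 055ED4C2AC9: to=<customers0443@eftps.gov>, relay=none, delay=155970, delays=155949/0.03/21/0, dsn=4.4.1, status=deferred (connect to eftps.gov[12.36.213.139]:25: Connection timed out)
Oct 20 10:20:01 shvv postfix/qmgr[6682]: 1A2B3C4D5E6: from=<user@example.org>, size=900, nrcpt=1 (queue active)
Oct 20 10:20:02 shvv postfix/smtp[18420]: 1A2B3C4D5E6: to=<friend@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
"""

# Lines that carry a queue ID; the bare "connect to ..." line does not match.
LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
FROM = re.compile(r"from=<([^>]*)>")
TO = re.compile(r"to=<([^>]*)>")
DELAY = re.compile(r"\bdelay=([\d.]+)")
STATUS = re.compile(r"status=(\w+)")


def deferred_by_sender(log_text):
    """Map envelope sender -> [(recipient domain, hours in queue)] for deferred mail."""
    senders = {}                # queue ID -> envelope sender (from qmgr lines)
    report = defaultdict(list)  # sender -> deferred deliveries
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        f = FROM.search(rest)
        if f:
            senders[qid] = f.group(1)
            continue
        t, s, d = TO.search(rest), STATUS.search(rest), DELAY.search(rest)
        if t and s and d and s.group(1) == "deferred":
            domain = t.group(1).rpartition("@")[2].lower()
            hours = round(float(d.group(1)) / 3600, 1)
            report[senders.get(qid, "unknown")].append((domain, hours))
    return dict(report)


if __name__ == "__main__":
    for sender, items in deferred_by_sender(SAMPLE_LOG).items():
        print(sender, items)
```

On the quoted lines this attributes the deferred message to the local address wispc@house-v.eu, queued for about 43 hours.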
  #2  
Old 20th October 2010, 10:53
damir

In your log there is the following message:

(connect to eftps.gov[12.36.213.139]:25: Connection timed out)

which means that port 25 is closed. Where is your server located? Datacenter or home?
  #3  
Old 20th October 2010, 11:40
kings
To Damir - answer

1. The servers are my own;
2. As I said, this persists only in two boxes in separate mail servers on this server;
3. On this server I have more than 10 e-mail servers;
4. I have problems only with these e-mail boxes and not with anything else;
5. All other boxes have no problem sending and reading mail anywhere and anything;
6. These 2 e-mail boxes send all e-mail and only have problems with this that I quoted;
7. With the command dig MX those two servers have no problems with the ANSWER SECTION and have no problems with main.cfg, local-host-names, aliases, etc.

So this hypothesis about port 25 is problematic.
When I run: telnet localhost 25
ALL works as needed!

Last edited by kings; 20th October 2010 at 11:45.
  #4  
Old 20th October 2010, 12:18
edge

Looks like the problem is at eftps.gov.
Port 25 is closed.
__________________
Never execute code written on a Friday or a Monday.
  #5  
Old 20th October 2010, 12:33
kings
To edge

Why do I receive these e-mails?
How to resolve the problems?
  #6  
Old 21st October 2010, 14:56
falko

These are spam mails. Why do you try to reply to them?
__________________
Falko
  #7  
Old 21st October 2010, 15:32
kings
To Falko

I don't remember whether I tried or not.
But in the spam tabs in ISPC2 for these e-mails I put this address, as well as "name"@yahoo.com, *@yahoo.com and everything possible, in the blacklist box and discard spam.
The result is this ... all the time.

I see that my server is attacked through open ports which I did not open.
At the moment I am trying to close them with the firewall.
If I close them I will post the result and the IP addresses of all attackers!
By the way, when using the firewall of ISPC 2, is it possible to write a starting port and a final port on one row? For example: 47000-50000
Or not?
  #8  
Old 21st October 2010, 18:29
kings
As I promised

Hackers' IPs which generate spam
  #9  
Old 21st October 2010, 18:38
till

Hacks normally occur from dynamic IPs or servers that are misused by hackers, and the owners of these servers do not even know that. So posting these IPs does not really help, as the servers might be cleaned already tomorrow or the dynamic IP is assigned to another computer a few hours later.
__________________
Till Brehm
  #10  
Old 22nd October 2010, 15:58
kings
To Till

Yes Till, that's right!
I do not contest this!
I want to share with everyone my attempts against hackers and spammers.
1. I have a practice of putting such addresses in my hosts.deny, as in this example:
ALL: 113.53.220.206: deny
2. When the attack on my server is from one provider I block everything, for example:
113.53.220.207 or 113.54.220.206; in this case it is very clear that nothing good can be expected from this address. Everything from this address must be blocked immediately, etc.
ALL: 113.: deny
Usually all attacks start against SSH. In this case the first blocker is always fail2ban. In my practice I immediately put this address in hosts.deny and in Joomla sites - Ban IP Address. After that I restart the firewall and block this forever, because those addresses are in hosts.deny. Well, this tactic of mine decreases risk and decreases my work.

Two times I was lazy ... The last time was 4 days ago, and the result is this. I need to not be lazy any more.

3. I solved my problems from this lapse of mine by renaming these 2 email users, and renaming the user name in these two sites. The good thing is that these sites are my own. I don't want to imagine what would happen to me if the site were a client's!

4. The unpleasant thing in this story is that I put this xxxxxx.xxxxx@yahoo.com in Spam in all e-mails, but the attack is against one separate user in a Joomla site with his e-mail address. From all this I have one question: why doesn't Spam in ISPConfig block these addresses?

Please, Till, explain for all ISPConfig 2 users. Where is the mistake, so that nobody repeats it?

Apart from all that, I want to thank all the users who tried to help me in this situation!
Thank you!

Last edited by kings; 22nd October 2010 at 16:03.