  #1  
Old 21st March 2013, 15:38
marcosouza marcosouza is offline
An annoying IP, IPTABLES can't block it!

Hi friends!

My mail server is Postfix, and sometimes someone tries to use my SMTP to send spam emails.
I have used iptables and fail2ban to solve these cases, and I'm always reading the mail log to look for suspicious connections, using iptables commands manually to ban these annoying spammers.
But the last one is very persistent! Even with several iptables commands, including output and input rules to drop it, the connection attempts were not blocked!

The mail log still looks like this:

Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 54746F87805E: from=<www-data@fixoterm.com>, size=878, nrcpt=1 (queue active)
Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 3BF3CF87806F: from=<www-data@fixoterm.com>, size=810, nrcpt=1 (queue active)
Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 94802F87806C: from=<www-data@fixoterm.com>, size=958, nrcpt=1 (queue active)
Mar 21 09:04:50 fixoterm postfix/smtp[32720]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable
Mar 21 09:04:50 fixoterm postfix/smtp[32744]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable
Mar 21 09:04:50 fixoterm postfix/smtp[32731]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable
Mar 21 09:04:50 fixoterm postfix/smtp[32720]: 54746F87805E: to=<test@testingemail.com>, relay=none, delay=66584, delays=66584/0.11/0.19/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable)
Mar 21 09:04:50 fixoterm postfix/smtp[32731]: 3BF3CF87806F: to=<test@testingemail.com>, relay=none, delay=60703, delays=60702/0.02/0.21/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable)
Mar 21 09:04:50 fixoterm postfix/smtp[32744]: 94802F87806C: to=<test@testingemail.com>, relay=none, delay=66549, delays=66549/0.04/0.13/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable)
Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max connection rate 1/60s for (smtp:209.85.215.41) at Mar 21 09:02:28
Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max connection count 1 for (smtp:209.85.215.41) at Mar 21 09:02:28
Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max cache size 1 at Mar 21 09:02:28
-------------------------------------------------------------------------

Even with the network unreachable status, this annoying IP testingemail.com [208.87.35.103] is trying to connect to my SMTP server!
I have used iptables and route commands to block it, but no success until now =/

That server (testingdomain.com) was trying to use my PHP mail functions from PHP files present on my server to send the emails. I discovered and commented out these lines from the mail function and this issue was solved.

I have done an IP lookup on 208.87.35.103 and this is an inconsistent IP.
What does this mean?

Maybe my server has a script running that makes these connection attempts?
Is this a backscatterer?

Thanks for your attention!

Regards
  #2  
Old 23rd March 2013, 18:42
falko falko is offline

Quote:
Originally Posted by marcosouza View Post
Even with network unreachable status, this annoying ip testingemail.com [208.87.35.103] is trying to connect to my smtp server!
I have used iptables and route commands to block it but no success until now =/
No, it's the other way round: your server is trying to connect to testingemail.com [208.87.35.103].
__________________
Falko
  #3  
Old 24th March 2013, 05:58
marcosouza marcosouza is offline

Yep, but why is this happening?

Is it possibly due to a Postfix queue?
I noticed my server finally stopped trying to make those connections!

Thanks!
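Added example, not part of any post in this thread: a Python script that groups the Postfix log lines posted above by queue ID. It shows that the entries are outbound deliveries (logged by postfix/smtp, the delivery client) of mail submitted locally by www-data and retried from the queue, where `delay` is the time in seconds since the message entered the queue. The function names and the `WEB_ACCOUNTS` set are assumptions of this example.

```python
import re

# Lines copied from the log posted in this thread (two of the three queued messages).
SAMPLE_LOG = """\
Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 54746F87805E: from=<www-data@fixoterm.com>, size=878, nrcpt=1 (queue active)
Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 3BF3CF87806F: from=<www-data@fixoterm.com>, size=810, nrcpt=1 (queue active)
Mar 21 09:04:50 fixoterm postfix/smtp[32720]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable
Mar 21 09:04:50 fixoterm postfix/smtp[32720]: 54746F87805E: to=<test@testingemail.com>, relay=none, delay=66584, delays=66584/0.11/0.19/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable)
Mar 21 09:04:50 fixoterm postfix/smtp[32731]: 3BF3CF87806F: to=<test@testingemail.com>, relay=none, delay=60703, delays=60702/0.02/0.21/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable)
Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max connection count 1 for (smtp:209.85.215.41) at Mar 21 09:02:28
"""

# Daemon name, then a queue ID (uppercase hex), then the key=value part.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
# Assumption for this example: local accounts a web server typically runs as.
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

def summarize(log_text):
    """Group log lines by queue ID: sender, recipient, direction, status, queue age."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a queue ID (connect errors, anvil statistics)
        daemon, qid, rest = m.groups()
        entry = msgs.setdefault(qid, {})
        if (s := re.search(r"from=<([^>]*)>", rest)):
            entry["sender"] = s[1]
        if daemon == "smtp" and (t := re.search(r"to=<([^>]*)>", rest)):
            # postfix/smtp is the delivery client: this host connecting OUT.
            # Inbound connections are logged by postfix/smtpd instead.
            entry["direction"] = "outbound"
            entry["recipient"] = t[1]
            entry["status"] = re.search(r"status=(\w+)", rest)[1]
            entry["queued_hours"] = round(float(re.search(r"\bdelay=([\d.]+)", rest)[1]) / 3600, 1)
    return msgs

def web_generated_backlog(msgs):
    """Queue IDs of deferred outbound mail whose sender is a web server account."""
    return sorted(
        qid for qid, e in msgs.items()
        if e.get("direction") == "outbound" and e.get("status") == "deferred"
        and e.get("sender", "").split("@")[0] in WEB_ACCOUNTS
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for qid in web_generated_backlog(summary):
        print(qid, summary[qid])
```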