[Dshield] SMTP problem

Tony Earnshaw tonye at billy.demon.nl
Thu Oct 14 11:24:44 GMT 2004


On Mon, 11.10.2004 at 16.09, Mark Squire wrote:

> I was wondering if I could get some advice.  I believe I might be the
> recipient of a DDOS against a spammer.  I know that doesn't make sense,
> but let me see if I can clear it up a bit.  Yesterday I noticed that our
> emails were a little slow in trickling in.  Thinking this was odd, I
> opened up our SMTP server, and noticed that it had over 3000 emails
> (pretty unusual for us).  I tailed /var/log/maillog (I have postfix),
> and noticed a lot of these errors:
> 
> connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out
> 
> It didn't make any sense.  I never really got to the root cause I don't
> think, but at one point I went under the assumption that we were somehow
> being used to attack the above address.  The reason I came to that
> conclusion is because I didn't see them try to connect to our domain at
> all, but I saw a bunch of other addresses from all over the place
> connecting to us, and then I saw a bunch of connections coming from us
> to saveinternet.net.  So at that point I blocked all firewall access to
> port 25
[...]

Answer from Wietse Venema on the Postfix list, dd Monday last. This
assumes you're using Sender Address Verification:

Upgrade to Postfix 2.1, restrict the smtp_mx_address_limit
setting.

http://www.postfix.org/postconf.5.html#smtp_mx_address_limit

        Wietse

Meaningful answers to questions about specific software are generally
much better answered on the mailing lists for that software ;)

--Tonni

-- 
«Life is a nag», said the workhorse.
I can confirm this.

mail: tonye at billy.demon.nl
http://www.billy.demon.nl

They love us, don't they, They feed us, won't they
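
An added example, not part of the original message and not Postfix code: a small Python tally of the outbound `connect to ...` failures quoted in the post above, to check whether a backed-up queue is concentrated on a single destination. The syslog prefix, the optional `(port 25)` suffix and all sample lines are constructed assumptions; only the host, address and error text come from the post.

```python
import re
from collections import Counter

# Postfix smtp(8) client failure line, in the format quoted in the post:
#   connect to HOST[IP]: Connection timed out
# The syslog prefix and the optional "(port N)" suffix are assumptions.
CONNECT_FAIL = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<reason>[^(]+?)\s*(?:\(port \d+\))?$"
)

# Constructed sample lines: timestamps, PIDs and the example.net host are made up;
# the saveinternet.net lines reuse the host and address quoted in the post.
SAMPLE_LOG = """\
Oct 10 14:02:11 mx postfix/smtp[2211]: connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out
Oct 10 14:02:41 mx postfix/smtp[2214]: connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out
Oct 10 14:02:58 mx postfix/smtpd[2190]: connect from unknown[192.0.2.77]
Oct 10 14:03:11 mx postfix/smtp[2219]: connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out (port 25)
Oct 10 14:03:20 mx postfix/smtp[2225]: connect to mx.example.net[192.0.2.25]: Connection refused
"""


def failed_destinations(lines):
    """Count outbound connect failures per (host, ip, reason)."""
    counts = Counter()
    for line in lines:
        m = CONNECT_FAIL.search(line.rstrip())
        if m:
            counts[(m["host"], m["ip"], m["reason"])] += 1
    return counts


def dominant_destination(lines, share=0.5):
    """Return (host, fraction) if one host exceeds `share` of all failures, else None."""
    per_host = Counter()
    for (host, _ip, _reason), n in failed_destinations(lines).items():
        per_host[host] += n
    total = sum(per_host.values())
    if not total:
        return None
    host, n = per_host.most_common(1)[0]
    return (host, n / total) if n / total > share else None


if __name__ == "__main__":
    for key, n in failed_destinations(SAMPLE_LOG.splitlines()).most_common():
        print(n, *key)
    print("dominant:", dominant_destination(SAMPLE_LOG.splitlines()))
```
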



