Postfix logs flooded from excessive mails
Apr 14 01:35:16 ns1 postfix/qmgr: AB33922B89D8: to=<firstname.lastname@example.org>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[126.96.36.199] refused to talk to me: 421 4.7.0 [TS01] Messages from 188.8.131.52 temporarily deferred - 184.108.40.206; see )
Apr 14 01:49:59 ns1 postfix/qmgr: 86AC92110A48: from=<email@example.com>, size=4096, nrcpt=33 (queue active)
I think those are some kind of SMTP attacks from this host, but I tried to block it with iptables and it seems to piss them off and they keep coming...!
Is there some kind of postfix-configuration solution, please?
Looks like a virus or DDoS attack, not sure, please help
I have Postfix with MySQL on CentOS 5 and I'm getting a huge amount of attacks like this (from /var/log/maillog):
Apr 18 00:10:01 game3 postfix/qmgr: C249334A86B: to=<firstname.lastname@example.org>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[220.127.116.11]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd: connect from unknown[18.104.22.168]
Attacks from yahoo.com.tw or hinet.com or a million other IPs.
Anyway, I have tried to ban them all by extracting the IPs from the maillog and banning them, but it seems to be useless; it doesn't do anything, except maybe that some of them say connection timed out...
These attacks occur only when Postfix is active, and the attacks are reflected in 20% wa taken by the server, and all the queue slots are taken by the attackers' emails (postfix (qmgr) is overflowed, not letting authentic emails be received), so I tried to block the SMTP port:
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p udp --dport 25 -j DROP (:D I got mad so I started to invent some commands)
And it makes some changes; now the attacks seem to come from the inside (lol?) but the same side effects remain:
Apr 18 13:21:31 game postfix/smtp: BA8912100199: to=<email@example.com>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferr$
Apr 18 13:21:31 game postfix/smtp: connect to ms34a.hinet.net[22.214.171.124]: Connection timed out (port 25)
So is it something with Postfix? A virus? DDoS? How to block it? I've been working on this for a week now and no one has a solution, nor can I find one on the internet.
P.S. Should I switch to Exim instead of Postfix?
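Added example (not from either post and not part of Postfix): a small Python script that parses the maillog lines quoted in both posts above and separates two things the posts run together. Records from postfix/qmgr or postfix/smtp with status=deferred and relay=none describe messages this server has already accepted and is itself trying to deliver; the "421 ... temporarily deferred" and "Connection timed out" text in them is the remote MX (yahoo, hinet) refusing or not answering our outbound connection. Only postfix/smtpd "connect from" records show an inbound client. Counting the two separately tells an admin whether to look at inbound connection limits or at who is injecting mail into the queue (relay rules, SASL accounts, local scripts). The sample log is constructed from the lines on this page; the field names (to, relay, dsn, status, nrcpt) are Postfix's own, and the triage labels are my invention.

```python
import re
from collections import Counter

# Constructed sample: the maillog lines quoted in the two posts above, re-typed as
# they appear there (the thread shows "postfix/qmgr:" without the usual "[pid]").
SAMPLE_LOG = """\
Apr 14 01:35:16 ns1 postfix/qmgr: AB33922B89D8: to=<firstname.lastname@example.org>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[126.96.36.199] refused to talk to me: 421 4.7.0 [TS01] Messages from 188.8.131.52 temporarily deferred - 184.108.40.206; see )
Apr 14 01:49:59 ns1 postfix/qmgr: 86AC92110A48: from=<email@example.com>, size=4096, nrcpt=33 (queue active)
Apr 18 00:10:01 game3 postfix/qmgr: C249334A86B: to=<firstname.lastname@example.org>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[220.127.116.11]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd: connect from unknown[18.104.22.168]
"""

# Syslog prefix; the optional [pid] group also accepts the normal "postfix/qmgr[1234]:" form.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>\w+)(?:\[\d+\])?: (?P<rest>.*)$"
)
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")                    # to=<...>, relay=none, dsn=4.7.0 ...
DEST_RE = re.compile(r"(?:host|connect to) (?P<dest>[\w.-]+)\[")  # remote MX named in the status text
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")        # smtpd: an inbound SMTP client


def parse_line(line):
    """Return a dict of the fields in one maillog line, or None if it is not a Postfix line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = {"host": m["host"], "daemon": m["daemon"], "queue_id": None, "client": None}
    q = QUEUE_RE.match(m["rest"])
    if q:  # queue-manager / delivery-agent record about one queued message
        rec["queue_id"] = q["qid"]
        for key, val in KV_RE.findall(q["fields"]):
            rec[key] = val.strip("<>")
        d = DEST_RE.search(q["fields"])
        rec["destination"] = d["dest"] if d else None
    else:  # smtpd record about an inbound connection (anything else is left unclassified)
        c = CONNECT_RE.match(m["rest"])
        if c:
            rec["client"] = c["client"]
    return rec


def summarize(log_text):
    """Split the log into outbound delivery trouble versus inbound connections."""
    by_dest, by_dsn, rcpts_by_sender, inbound = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # status=deferred with relay=none: mail THIS server accepted and cannot hand off yet
        if rec.get("status", "").startswith("deferred"):
            by_dest[rec.get("destination") or "?"] += 1
            by_dsn[rec.get("dsn", "?")] += 1
        # "(queue active)" records carry the envelope sender and the recipient count
        if "nrcpt" in rec:
            rcpts_by_sender[rec.get("from", "")] += int(rec["nrcpt"])
        if rec["client"]:
            inbound[rec["client"]] += 1
    return {
        "outbound_deferred": sum(by_dest.values()),
        "deferred_by_destination": dict(by_dest),
        "deferred_by_dsn": dict(by_dsn),
        "queued_recipients_by_sender": dict(rcpts_by_sender),
        "inbound_connections": sum(inbound.values()),
        "inbound_by_client": dict(inbound),
    }


def triage(summary):
    """Name the dominant symptom so the admin looks in the right place first (labels are mine)."""
    if summary["outbound_deferred"] > summary["inbound_connections"]:
        # Remote MXs (421 / timeouts) are refusing mail this host is trying to send:
        # check who is injecting it (mynetworks, SASL accounts, local scripts) before blocking inbound.
        return "outbound-queue-congestion"
    if summary["inbound_connections"]:
        return "inbound-connection-flood"
    return "no-symptom"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("triage:", triage(s))
```

Run it against a real /var/log/maillog by replacing SAMPLE_LOG with the file's contents; on the four lines quoted here it reports two deferred outbound messages (one per remote MX), 33 queued recipients for a single envelope sender, and a single inbound connection, so the dominant symptom is the outbound queue, not the inbound port.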