  1. #1
    Just Joined!
    Join Date
    Apr 2010
    Posts
    4

    Postfix logs flooded from excessive mails


    Hello, I view my /var/log/maillog and see tons of lines like this:
    Apr 14 01:35:16 ns1 postfix/qmgr[13307]: AB33922B89D8: to=<gwrp@yahoo.com.tw>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from 212.155.126.32 temporarily deferred - 4.16.55.1; see )

    Apr 14 01:49:59 ns1 postfix/qmgr[18884]: 86AC92110A48: from=<nkvhknwp@ms31.hinet.net>, size=4096, nrcpt=33 (queue active)

    I think those are some kind of SMTP attacks from this host, but I tried to block it with iptables and it seems to piss them off and they keep coming...!

    Please, is there some kind of Postfix-configuration solution?

    thanks

  2. #2
    Just Joined!
    Join Date
    Apr 2010
    Posts
    4

    Looks like a virus or DDoS attack, not sure, please help

    I have Postfix with MySQL on CentOS 5 and I'm getting a huge amount of attacks like this (from /var/log/maillog):

    Apr 18 00:10:01 game3 postfix/qmgr[28284]: C249334A86B: to=<hogb@ms62.hinet.net>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[168.95.5.62]: Connection timed out)
    Apr 18 00:10:17 game3 postfix/smtpd[31088]: connect from unknown[121.35.171.236

    Notice the "connect from".

    Attacks from yahoo.com.tw or hinet.com or a million other IPs.

    Anyway, I have tried to ban them all by extracting the IPs from the maillog and banning them, but it seems to be useless, it doesn't do anything, except maybe that some of them say connection timed out...

    These attacks occur only when Postfix is active, and they are reflected in 20% wa taken by the server, and all the queue slots are taken by the attackers' emails (postfix (qmgr) is overflowed, not letting authentic emails be received), so I tried to block the SMTP port:

    iptables -A INPUT -p tcp --dport 25 -j DROP
    iptables -A INPUT -p udp --dport 25 -j DROP
    iptables -A OUTPUT -p tcp --dport 25 -j DROP
    iptables -A OUTPUT -p udp --dport 25 -j DROP

    (:D I got mad so I started to invent some commands.) Furthermore, when looking in netstat after blocking SMTP, no SMTP record is found at all! Yet the attacks keep coming!

    And it makes some changes: now the attacks seem to come from the inside (lol?) but the same side effects remain:

    Apr 18 13:21:31 game postfix/smtp[4061]: BA8912100199: to=<lfzdkjnucjdl@ms28.hinet.net>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferr$
    Apr 18 13:21:31 game postfix/smtp[4034]: connect to ms34a.hinet.net[168.95.5.34]: Connection timed out (port 25

    Notice that after I blocked SMTP it's like smtp is trying to connect to something! And I cannot find a single "connect from" in the whole log.

    So is it something with Postfix? A virus? DDoS? How to block it? I've been working on this for a week now and no one has a solution, nor can I find one on the internet.

    P.S. Should I switch to Exim instead of Postfix?

    PLEASE HELP!
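The log lines quoted in both posts are not all the same kind of event: `smtpd ... connect from` is a remote client connecting to the server, while `qmgr`/`smtp` records carrying `to=...`, `status=deferred` and `smtp ... connect to` are the server itself trying to deliver mail that is already in its own queue. As an added example (written for this page, not code from either poster or from the Postfix project), the Python script below parses maillog lines into those two groups and counts what is filling the queue: inbound client IPs, outbound connection targets, deferred deliveries per destination domain, the sender domains of queued messages, and the oldest queue age (Postfix's `delay=` field is seconds). The sample log is constructed from the formats quoted in the thread with delimiters restored; the `queue_is_outbound` heuristic is an assumption of this example, not a Postfix feature.

```python
"""Split Postfix maillog lines into inbound connections and the server's own
outbound delivery attempts, then count what is actually filling the queue."""
import re
import sys
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread (same
# formats, delimiters restored); not a capture from any real server.
SAMPLE_LOG = """\
Apr 14 01:35:16 ns1 postfix/qmgr[13307]: AB33922B89D8: to=<gwrp@yahoo.com.tw>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from 212.155.126.32 temporarily deferred)
Apr 14 01:49:59 ns1 postfix/qmgr[18884]: 86AC92110A48: from=<nkvhknwp@ms31.hinet.net>, size=4096, nrcpt=33 (queue active)
Apr 18 00:10:01 game3 postfix/qmgr[28284]: C249334A86B: to=<hogb@ms62.hinet.net>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[168.95.5.62]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd[31088]: connect from unknown[121.35.171.236]
Apr 18 13:21:31 game postfix/smtp[4034]: connect to ms34a.hinet.net[168.95.5.34]: Connection timed out (port 25)
"""

# syslog prefix: "Mon DD HH:MM:SS host postfix/<daemon>[pid]: <rest>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<rest>.*)$"
)
# queue record: "<QUEUEID>: key=value, key=value (free-text status)"
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]+): (?P<fields>.*?)(?: \((?P<note>.*)\))?$")
# "name[ip]" as Postfix prints peers
PEER_RE = re.compile(r"^(?P<name>[^\s\[]+)\[(?P<ip>[^\]]+)\]")


def parse_fields(text):
    """Turn 'to=<a@b>, relay=none, delay=5' into a dict, stripping <> from addresses."""
    fields = {}
    for part in text.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value.strip("<>")
    return fields


def _peer(text):
    m = PEER_RE.match(text)
    return (m.group("name"), m.group("ip")) if m else (text, "")


def parse_line(line):
    """Return a record for one maillog line, or None if it is not a Postfix line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rec["proc"] == "smtpd" and rest.startswith("connect from "):
        # A remote client connected to us: the only truly inbound event here.
        name, ip = _peer(rest[len("connect from "):])
        rec.update(kind="inbound_connect", peer_name=name, peer_ip=ip)
        return rec
    if rec["proc"] == "smtp" and rest.startswith("connect to "):
        # Our own smtp client dialling out to deliver something from the queue.
        name, ip = _peer(rest[len("connect to "):])
        rec.update(kind="outbound_connect", peer_name=name, peer_ip=ip)
        return rec
    q = QUEUE_RE.match(rest)
    if q:
        rec["qid"] = q.group("qid")
        rec["fields"] = parse_fields(q.group("fields"))
        rec["note"] = q.group("note") or ""
        # 'to=' is a delivery attempt for a queued message; 'from=' is the queue entry itself.
        rec["kind"] = "delivery" if "to" in rec["fields"] else "queue_entry"
        return rec
    rec["kind"] = "other"
    return rec


def summarize(log_text):
    """Count inbound clients, outbound connects, deferred deliveries per domain,
    sender domains of queued mail, and the oldest queue age seen (seconds)."""
    summary = {
        "inbound_clients": Counter(),
        "outbound_connects": Counter(),
        "deferred_by_domain": Counter(),
        "queued_sender_domains": Counter(),
        "max_delay_seconds": 0,
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = rec["kind"]
        if kind == "inbound_connect":
            summary["inbound_clients"][rec["peer_ip"]] += 1
        elif kind == "outbound_connect":
            summary["outbound_connects"][rec["peer_name"]] += 1
        elif kind == "delivery" and rec["fields"].get("status") == "deferred":
            summary["deferred_by_domain"][rec["fields"]["to"].rpartition("@")[2]] += 1
            delay = int(float(rec["fields"].get("delay", 0)))  # queue age in seconds
            summary["max_delay_seconds"] = max(summary["max_delay_seconds"], delay)
        elif kind == "queue_entry" and "from" in rec["fields"]:
            summary["queued_sender_domains"][rec["fields"]["from"].rpartition("@")[2]] += 1
    return summary


def queue_is_outbound(summary):
    """Heuristic (this example's own): more deferred outbound deliveries than
    inbound connections means the load is mail already sitting in our queue."""
    return sum(summary["deferred_by_domain"].values()) > sum(summary["inbound_clients"].values())


def main(argv):
    text = open(argv[1], errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    for key in ("inbound_clients", "outbound_connects", "deferred_by_domain", "queued_sender_domains"):
        print(f"{key}: {dict(s[key].most_common(5))}")
    print(f"oldest deferred message: {s['max_delay_seconds']} s")
    print("queue dominated by outbound deliveries:", queue_is_outbound(s))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 maillog_summary.py /var/log/maillog` to use a real log instead of the built-in sample. When the deferred-delivery count dwarfs the inbound-connection count, the messages are already in the server's own queue, which is consistent with the second post's observation that the traffic continued after inbound port 25 was dropped: blocking inbound SMTP cannot remove mail that has already been accepted, and the `queued_sender_domains` counter shows whose mail the queue is carrying, which is the first thing to check before deciding whether the server is relaying, bouncing, or being flooded.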
