Postfix logs flooded from excessive mails
Hello, I viewed my /var/log/maillog and see tons of lines like this:
Apr 14 01:35:16 ns1 postfix/qmgr: AB33922B89D8: to=<email@example.com>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[220.127.116.11] refused to talk to me: 421 4.7.0 [TS01] Messages from 18.104.22.168 temporarily deferred - 22.214.171.124; see )
Apr 14 01:49:59 ns1 postfix/qmgr: 86AC92110A48: from=<firstname.lastname@example.org>, size=4096, nrcpt=33 (queue active)
I think those are some kind of SMTP attacks from this host, but I tried to block it with iptables and it seems to piss them off and they keep coming...!
Please, is there some kind of Postfix configuration solution?
Looks like a virus or DDoS attack, not sure, please help
I have Postfix with MySQL on CentOS 5 and I'm getting a huge amount of attacks like this (from /var/log/maillog):
Notice the connect from.
Apr 18 00:10:01 game3 postfix/qmgr: C249334A86B: to=<email@example.com>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[126.96.36.199]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd: connect from unknown[188.8.131.52]
Attacks from yahoo.com.tw or hinet.com or a million other IPs.
Anyway, I have tried to ban them all by extracting the IPs from the maillog and banning them, but it seems to be useless; it doesn't do anything, except maybe that some of them say connection timed out...
These attacks occur only when Postfix is active, and the attacks are reflected in 20% wa on the server, and all the queue slots are taken by the attackers' emails (Postfix (qmgr) is overflowed, not letting authentic emails be received), so I tried to block the SMTP port:
Furthermore, when looking in netstat after blocking SMTP, no SMTP record is found at all! Yet the attacks keep coming!
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p udp --dport 25 -j DROP (:D I got mad so I started to invent some commands)
And it makes some changes; now the attacks seem to come from the inside (lol?) but the same side effects remain:
Notice after I blocked SMTP it's like the smtp is trying to connect to something! And I cannot find any connect from in the whole log.
Apr 18 13:21:31 game postfix/smtp: BA8912100199: to=<firstname.lastname@example.org>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferr$
Apr 18 13:21:31 game postfix/smtp: connect to ms34a.hinet.net[184.108.40.206]: Connection timed out (port 25)
So is it something with Postfix? Virus? DDoS? How to block it? I've been working on this for a week now and no one has a solution, nor can I find one on the internet.
P.S. Should I switch to Exim instead of Postfix?
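Added example, not part of either post above. The quoted lines come from postfix/qmgr and postfix/smtp, that is from the queue manager and Postfix's outbound SMTP client, so they record this server's own attempts to deliver queued mail to yahoo.com.tw and hinet.net; the 421 and "Connection timed out" are the remote side (or, once an OUTPUT rule drops port 25, the local firewall) refusing those outbound attempts, which is why blocking inbound port 25 and banning the destination IPs changed nothing. The question a practitioner would ask is how those messages got into the queue: a postfix/pickup line with uid= marks locally submitted mail (a script or cron job on the box), and a postfix/smtpd line with client= (plus sasl_username= when an account authenticated) marks mail accepted over SMTP. The script below, written for this page and run over a constructed sample log modelled on the post's lines (all hostnames, IPs, uids, senders and queue IDs are made up, with RFC 5737 documentation addresses), does that triage: it counts deferred attempts per destination MX, lists queue IDs stuck in deferral, maps each to its entry point, flags envelopes with many recipients, and builds the stdin for `postsuper -d -`. Standard library only, Python 3.8 or newer.

```python
"""Triage a Postfix maillog: which queued messages are stuck in deferral,
where they are headed, and how each one entered the queue.

Added example for this page; SAMPLE_MAILLOG is constructed test data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log lines in the post (not real data).
SAMPLE_MAILLOG = """\
Apr 18 00:09:50 game3 postfix/pickup[2190]: 86AC92110A48: uid=48 from=<bounce@example.org>
Apr 18 00:09:55 game3 postfix/smtpd[2210]: C249334A86B: client=unknown[198.51.100.7]
Apr 18 00:09:58 game3 postfix/smtpd[2211]: BA8912100199: client=mail.example.com[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Apr 18 00:10:01 game3 postfix/qmgr[2201]: C249334A86B: from=<bounce@example.org>, size=2048, nrcpt=5 (queue active)
Apr 18 00:10:01 game3 postfix/qmgr[2201]: C249334A86B: to=<user@example.com>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[192.0.2.10]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd[2210]: connect from unknown[198.51.100.7]
Apr 18 00:10:20 game3 postfix/qmgr[2201]: 86AC92110A48: from=<bounce@example.org>, size=4096, nrcpt=33 (queue active)
Apr 18 00:10:21 game3 postfix/qmgr[2201]: 86AC92110A48: to=<someone@example.net>, relay=none, delay=147009, delays=146024/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[192.0.2.20] refused to talk to me: 421 4.7.0 [TS01] Messages temporarily deferred)
Apr 18 00:10:22 game3 postfix/qmgr[2201]: 86AC92110A48: to=<other@example.net>, relay=none, delay=147010, delays=146025/985/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[192.0.2.20] refused to talk to me: 421 4.7.0 [TS01] Messages temporarily deferred)
Apr 18 00:10:30 game3 postfix/qmgr[2201]: BA8912100199: from=<alice@example.org>, size=512, nrcpt=1 (queue active)
Apr 18 00:10:31 game3 postfix/smtp[2220]: BA8912100199: to=<third@example.com>, relay=mail.example.net[203.0.113.9]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Syslog prefix, Postfix daemon name (pid optional, as in the post), queue ID.
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)(?:\[\d+\])?: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<")                 # local submission
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)(?:.*?sasl_username=(?P<user>\S+))?")
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
DELIVERY_RE = re.compile(
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), (?:conn_use=\d+, )?delay=(?P<delay>[\d.]+), "
    r"delays=[\d./]+, dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$")
DEST_RE = re.compile(r"(?:host |connect to )(?P<host>[\w.-]+)\[")   # MX named in the reason


def destination(relay, reason):
    """MX host a delivery attempt targeted: from relay=, or from the reason when relay=none."""
    if relay != "none":
        return relay.split("[", 1)[0]
    h = DEST_RE.search(reason)
    return h["host"] if h else "unknown"


def parse_maillog(text):
    """Group lines by queue ID: how the message entered, its envelope, and every delivery attempt."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None, "nrcpt": 0, "deliveries": []})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:                      # bare "connect from" lines carry no queue ID
            continue
        prog, rest, msg = m["prog"], m["rest"], msgs[m["qid"]]
        if prog == "pickup" and (p := PICKUP_RE.search(rest)):
            msg["origin"] = f"local submission, uid={p['uid']}"
        elif prog == "smtpd" and (c := CLIENT_RE.search(rest)):
            msg["origin"] = f"smtpd client={c['client']}"
            if c["user"]:
                msg["origin"] += f", sasl_username={c['user']}"
        elif (e := ENVELOPE_RE.search(rest)):
            msg["sender"], msg["nrcpt"] = e["sender"], int(e["nrcpt"])
        elif (d := DELIVERY_RE.search(rest)):
            msg["deliveries"].append({
                "rcpt": d["rcpt"], "status": d["status"], "dsn": d["dsn"],
                "delay": float(d["delay"]), "dest": destination(d["relay"], d["reason"])})
    return dict(msgs)


def deferred_destinations(msgs):
    """Count deferred delivery attempts per destination MX host."""
    return Counter(d["dest"] for m in msgs.values()
                   for d in m["deliveries"] if d["status"] == "deferred")


def stuck_queue_ids(msgs, min_delay=3600):
    """Queue IDs with a deferred attempt whose delay= (seconds in queue) is at least min_delay."""
    return sorted(q for q, m in msgs.items()
                  if any(d["status"] == "deferred" and d["delay"] >= min_delay
                         for d in m["deliveries"]))


def origins_of(msgs, qids):
    """Map queue IDs to the pickup/smtpd line that shows how they entered the queue."""
    return {q: (msgs.get(q) or {}).get("origin") or "origin not in this log excerpt" for q in qids}


def bulk_senders(msgs, min_rcpt=20):
    """Envelopes with many recipients, largest first: (queue id, sender, nrcpt)."""
    rows = [(q, m["sender"], m["nrcpt"]) for q, m in msgs.items() if m["nrcpt"] >= min_rcpt]
    return sorted(rows, key=lambda r: -r[2])


def postsuper_delete_input(qids):
    """One queue ID per line, the stdin format `postsuper -d -` reads."""
    return "".join(q + "\n" for q in qids)


def report(text):
    msgs = parse_maillog(text)
    print("deferred attempts per destination:")
    for host, n in deferred_destinations(msgs).most_common():
        print(f"  {n:5d}  {host}")
    stuck = stuck_queue_ids(msgs)
    print("stuck queue IDs and how they entered the queue:")
    for qid, origin in origins_of(msgs, stuck).items():
        print(f"  {qid}  {origin}")
    print("bulk envelopes (queue id, sender, nrcpt):")
    for row in bulk_senders(msgs):
        print("  ", *row)
    print("stdin for `postsuper -d -` (review before deleting anything):")
    print(postsuper_delete_input(stuck), end="")


if __name__ == "__main__":
    report(SAMPLE_MAILLOG)   # replace with open("/var/log/maillog").read() on the box
```

On a real server the interesting output is the origin column: a uid points at a local process (the web server's user for a PHP mailer, a cron job), a client= without sasl_username= on a port-25 listener means the box relayed for that client, and a sasl_username= means that account's credentials are in use. `postqueue -p` shows what is in the queue right now, and once the entry point is closed the stuck messages can be dropped by piping the ID list into `postsuper -d -`.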