James wrote:

> I am using an old version of Mandrake (7.0) as a web server, and I am
> using postfix. I was just able to check my logs for today, and starting
> at around 7:00 this evening I started getting huge "relay access
> denied" security violations. It looks like someone is trying to use my
> server as a relay spam mailer since every 15 minutes there are about 50
> relay attempts which are denied by my postfix.
>
> I've seen this a couple of times before, but once the relay access was
> denied, the flooding usually stopped within a minute. This time, though,
> it's been going on for the last 3 hours non-stop. Here is an example of
> the security violations list:
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Oct 17 22:30:02 postfix/smtpd[28173]: reject: RCPT from unknown[202.97.133.78]: 554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
> Oct 17 22:30:03 postfix/smtpd[28008]: reject: RCPT from 200-4.cable.guam.net[202.128.24.200]: 554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>
> Oct 17 22:35:42 postfix/smtp[28256]: 95C3179825: to=<[EMAIL PROTECTED]>, relay=mailin-02.mx.aol.com[64.12.136.121], delay=7209, status=deferred (host mailin-02.mx.aol.com[64.12.136.121] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE)
> Oct 17 22:35:42 postfix/smtp[28253]: E5AC17981E: to=<[EMAIL PROTECTED]>, relay=mailin-02.mx.aol.com[64.12.138.89], delay=7226, status=deferred (host mailin-02.mx.aol.com[64.12.138.89] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE)
> ===================================================================
>
> That's just a very tiny bit of the thousands of these I've already had in
> the last few hours. What I want to know is, why does this continue even
> when the relay access is denied, and also, "TEMPORARY DNS FAILURE".. is
> this a denial of service attack on my server?
The third and fourth messages scare me. They say, to me, that you tried to send a piece of mail to <[EMAIL PROTECTED]>, but AOL's mail server failed to accept it because of a DNS error. If I'm reading that right, the spammers found a way to use your machine as a relay.

Can you check postfix's syslog and see whether it's accepting and forwarding mail?

-- 
Bob Miller                              K<bob>
kbobsoft software consulting
http://kbobsoft.com                     [EMAIL PROTECTED]

_______________________________________________
Eug-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
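The check Bob asks for, as an added example that is not part of the thread: a small Python triage of a Postfix log that separates "Relay access denied" rejections (nothing was queued) from smtp delivery lines (the message was accepted), and ties each queued message back to the smtpd "client=" line that logged who handed it in. The log text is constructed to match the lines quoted above, with placeholder addresses and with client= lines added in the form Postfix logs them; the `local_clients` list is an assumption you would replace with your own hosts.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread, plus the
# smtpd "client=" lines Postfix logs when it accepts a message into the queue.
# Addresses are placeholders, not real mailboxes.
SAMPLE_LOG = """\
Oct 17 20:35:33 postfix/smtpd[28101]: 95C3179825: client=unknown[202.97.133.78]
Oct 17 20:35:40 postfix/smtpd[28102]: E5AC17981E: client=localhost[127.0.0.1]
Oct 17 22:30:02 postfix/smtpd[28173]: reject: RCPT from unknown[202.97.133.78]: 554 <victim@example.net>: Recipient address rejected: Relay access denied; from=<spammer@example.org> to=<victim@example.net>
Oct 17 22:30:03 postfix/smtpd[28008]: reject: RCPT from 200-4.cable.guam.net[202.128.24.200]: 554 <victim@example.net>: Recipient address rejected: Relay access denied; from=<spammer@example.org> to=<victim@example.net>
Oct 17 22:35:42 postfix/smtp[28256]: 95C3179825: to=<victim@aol.com>, relay=mailin-02.mx.aol.com[64.12.136.121], delay=7209, status=deferred (host mailin-02.mx.aol.com[64.12.136.121] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE)
Oct 17 22:35:42 postfix/smtp[28253]: E5AC17981E: to=<victim@aol.com>, relay=mailin-02.mx.aol.com[64.12.138.89], delay=7226, status=deferred (host mailin-02.mx.aol.com[64.12.138.89] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE)
"""

# Rejected relay attempts: smtpd refuses the RCPT and queues nothing.
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<client>\S+): 554 .*Relay access denied")
# Accepted messages: smtpd logs the queue id together with the submitting client ...
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
# ... and the smtp client logs every delivery attempt for that queue id with its outcome.
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), delay=\d+, status=(?P<status>\w+)")

def triage(log_text, local_clients=("localhost[127.0.0.1]",)):
    """Return (denied relay attempts per client, queued messages submitted from outside)."""
    denied, submitter, relayed = Counter(), {}, []
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            denied[m["client"]] += 1
        elif m := CLIENT_RE.search(line):
            submitter[m["qid"]] = m["client"]
        elif (m := DELIVERY_RE.search(line)) and m["status"] in ("sent", "deferred"):
            # sent/deferred means the message was accepted into the queue; that is only
            # a relay problem if the client that handed it in was not one of ours.
            client = submitter.get(m["qid"], "unknown-submitter")
            if client not in local_clients:
                relayed.append((m["qid"], client, m["rcpt"], m["status"]))
    return denied, relayed

if __name__ == "__main__":
    denied, relayed = triage(SAMPLE_LOG)
    print("relay attempts denied:", dict(denied))
    for qid, client, rcpt, status in relayed:
        print(f"queued from outside: {qid} from {client} to {rcpt} ({status})")
```

A queued message whose submitter is an outside host is the sign of an open relay; the queue ids it reports are the ones to look for in `mailq` and in the qmgr "from=" lines of the same log.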
