Re: Directory Harvest

Noel Jones Wed, 29 Jul 2009 18:24:41 -0700

Roman Gelfand wrote:

It looks like somebody is trying to figure out my internal users as
evidenced by log excerpts below.  Is there something I could do to, if
not prevent this, reduce it?
Thanks in advance

Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <atil...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@roulottes-moulin-de-cheni.com<http://roulottes-moulin-de-cheni.com>> to=<atil...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<atoll...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@roulottes-moulin-de-cheni.com<http://roulottes-moulin-de-cheni.com>>to=<b...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <b...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@roulottes-moulin-de-cheni.com<http://roulottes-moulin-de-cheni.com>> to=<b...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<finise...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@rfstech.com<http://rfstech.com>>to=<conning...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>> proto=SMTP helo=<JYMQMAWNRE>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <conning...<http://groups.google.com/groups/unlock?_done=/group/list.postfix.users/browse_thread/thread/97669f7672ab48be&msg=92eb2a9a642a1f0d>@abc.com<http://abc.com>>: Recipient
address rejected: User unknown in virtual mailbox table;
from=<finise...

logs are much easier to read if you press the [plain text]button when posting from gmail.


No need to ever accept mail from this client.

$ host 93.85.224.123
Host 123.224.85.93.in-addr.arpa not found: 3(NXDOMAIN)

The host has no reverse DNS and could be rejected withreject_unknown_reverse_client_hostname. Some big ISPs rejectsuch clients, so this is somewhat unlikely to reject legit mail.

http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

The client is listed in several RBLs.  Adding
 reject_rbl_client zen.spamhaus.org

to one of your smtpd_*_restrictions would get rid of them andlots of other junk. There are other RBLs you might consider,but currently zen is the most effective with a very low falsepositive rate.

http://www.postfix.org/postconf.5.html#reject_rbl_client
http://www.spamhaus.org/organization/dnsblusage.html

And finally, reducing smtpd_hard_error_limit to somethingbetween 1..5 would hang up on a client after that many

bad recipients.
http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit

After these things, then you can look at implementing fail2banor similar. But do the basics first.


  -- Noel Jones

Re: Directory Harvest

Reply via email to