On Thu, May 1, 2008 at 8:38 PM, Eu <[EMAIL PROTECTED]> wrote:
> The log seems pretty normal:
>
> <start>
> @40000000481a61d720919fa4 CHKUSER accepted sender: from
> <[EMAIL PROTECTED]::> remote
> <carrera.intelidus.net:unknown:195.23.42.178> rcpt <> : sender accepted
> @40000000481a61d723f98a94 CHKUSER accepted rcpt: from
> <[EMAIL PROTECTED]::> remote
> <carrera.intelidus.net:unknown:195.23.42.178> rcpt
> <[EMAIL PROTECTED]> : found existing recipient
> @40000000481a61d736528844 tcpserver: status: 16/40
> @40000000481a61d736529bcc tcpserver: pid 30296 from 121.72.33.24
> @40000000481a61d736529fb4 tcpserver: ok 30296 0:69.63.23.122:25
> :121.72.33.24::3564
> @40000000481a61d80db135fc tcpserver: end 30232 status 256
> @40000000481a61d80db14984 tcpserver: status: 15/40
> @40000000481a61d82887d8cc CHKUSER accepted sender: from
> <[EMAIL PROTECTED]::> remote
> <www.4digitalmail.com:unknown:81.92.198.40> rcpt <> : sender accepted
> @40000000481a61d82e4350ac CHKUSER accepted rcpt: from
> <[EMAIL PROTECTED]::> remote
> <www.4digitalmail.com:unknown:81.92.198.40> rcpt <[EMAIL PROTECTED]> :
> found existing recipient
> @40000000481a61d909c26f9c tcpserver: end 30049 status 0
> @40000000481a61d909c27f3c tcpserver: status: 14/40
> @40000000481a61d910489a1c tcpserver: status: 15/40
> @40000000481a61d91048a9bc tcpserver: pid 30309 from 213.95.19.87
> @40000000481a61d91048ada4 tcpserver: ok 30309 0:69.63.23.122:25
> :213.95.19.87::56584
> <end>

Look for these lines in your log files:

> @40000000481a61d91048a9bc tcpserver: pid 30309 from 213.95.19.87

This will show you who is connecting.

>
> I already tried to disable spamd, rblsmtpd and the problem persists. My
> difficulty is how to locate the traffic origin. Any clue? It's all inbound
> traffic which is more strange.
>

It would appear that your domain is under a sort of dictionary attack. I guess you could go through your log files, find all the offending IPs, and block them with 'iptables' or whatever firewall package you use. You might be able to find some high traffic IPs and block them to at least slow it down, but I imagine you are going to find hundreds of IPs in your logs.

First, I would re-enable rblsmtpd. If any of these connecting IPs are listed on one of the blacklists the connection will get dropped.

Second, a REALLY good anti-spam tool that I've been using for a while now is Spamdyke. It's very easy to configure and has great documentation. Check it out at: http://www.spamdyke.org/

-ken
--
Have a nice day ... unless you've made other plans.
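
The log review suggested in the reply above (read the `tcpserver: pid ... from` lines to see who is connecting, then pick out the high-traffic sources) can be scripted. The following is an added example, not part of the original thread: the sample log is constructed in the same format with documentation-range IPs, and the function names and the threshold are assumptions.

```python
import re

# Constructed sample in the format of the quoted smtpd log; the IPs are from
# the RFC 5737 documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
@40000000481a61d736528844 tcpserver: status: 16/40
@40000000481a61d736529bcc tcpserver: pid 30296 from 192.0.2.10
@40000000481a61d736529fb4 tcpserver: ok 30296 0:203.0.113.5:25 :192.0.2.10::3564
@40000000481a61d80db135fc tcpserver: end 30232 status 256
@40000000481a61d91048a9bc tcpserver: pid 30309 from 198.51.100.7
@40000000481a61da1048a9bc tcpserver: pid 30310 from 192.0.2.10
@40000000481a61db1048a9bc tcpserver: pid 30311 from 192.0.2.10
"""

# One match per accepted TCP connection: TAI64N label, pid, source IP.
CONNECT = re.compile(r"^@([0-9a-f]{24}) tcpserver: pid \d+ from (\S+)$")

def tai64n_seconds(label):
    """Seconds field of a multilog TAI64N label (TAI, so slightly off Unix time)."""
    return int(label.lstrip("@")[:16], 16) - (1 << 62)

def connections_by_ip(lines):
    """Map source IP -> (count, first_seen, last_seen) from 'pid N from IP' lines."""
    stats = {}
    for line in lines:
        m = CONNECT.match(line.strip())
        if not m:
            continue  # status/ok/end/CHKUSER lines do not open a new connection
        ts, ip = tai64n_seconds(m.group(1)), m.group(2)
        count, first, last = stats.get(ip, (0, ts, ts))
        stats[ip] = (count + 1, min(first, ts), max(last, ts))
    return stats

def heavy_hitters(stats, min_count):
    """IPs with at least min_count connections, busiest first."""
    hits = [(ip, c) for ip, (c, _, _) in stats.items() if c >= min_count]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    stats = connections_by_ip(SAMPLE_LOG.splitlines())
    for ip, count in heavy_hitters(stats, min_count=2):  # threshold is an assumption
        first, last = stats[ip][1:]
        print(f"{ip}\t{count} connections over {last - first}s")
```

The resulting list is a set of candidates for review before any firewall rule is written; a busy legitimate relay can also show a high connection count.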
