Walter Souto R. Junior wrote:
Looks to me like someone used your domain(s) as the From address when sending out spam; those messages bounced to whoever they sent them to, and now they are being returned (falsely, but what are you going to do about faked From addresses).
Happens to us every so often as well, usually keeps up for about 12 hours on our servers, then slows down and stops.
Happened Sunday night to us actually.
It's very bad. So, in my case this situation is still in progress (2 days) and seems to be getting worse. Now I have 1Mb of logs every 3 minutes. It used to be 6 minutes yesterday.
What is the best way to handle this? Currently I just put :deny into the tcp.smtp file, so I have in my log:
@40000000425e639739b9fa1c tcpserver: end 13905 status 25600
@40000000425e639739ba4c24 tcpserver: status: 7/20
@40000000425e63973a907074 tcpserver: status: 8/20
@40000000425e63973a944104 tcpserver: pid 13907 from 18.104.22.168
@40000000425e63973a95cf74 tcpserver: deny 13907 0:22.214.171.124:25 :126.96.36.199::33919
@40000000425e63973a98733c tcpserver: end 13907 status 25600
@40000000425e63973a98c92c tcpserver: status: 7/20
@40000000425e63980081e3f4 tcpserver: status: 8/20
@40000000425e639800866c1c tcpserver: pid 13908 from 188.8.131.52
@40000000425e63980088507c tcpserver: deny 13908 0:184.108.40.206:25 :220.127.116.11::29926
@40000000425e6398008b270c tcpserver: end 13908 status 25600
@40000000425e6398008b7914 tcpserver: status: 7/20
@40000000425e639804855f1c tcpserver: status: 8/20
@40000000425e63980488fce4 tcpserver: pid 13909 from 18.104.22.168
@40000000425e6398048a9af4 tcpserver: deny 13909 0:22.214.171.124:25 :126.96.36.199::9580
If I don't deny, my server gets so busy that nobody can send a message... I think this situation is going to consume a lot of my server's bandwidth...
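Added example (not code from this thread): a short Python script that turns tcpserver log lines like the ones above into the numbers a defender wants before choosing a response: connection attempts per source address (so a tcp.smtp entry can target the loud sources instead of denying every sender), how close the server is running to its tcpserver concurrency limit (the 7/20, 8/20 status lines), the exit code of each child, and the connection rate over the logged interval. It keys attempt counts on the "pid N from IP" line and tallies the deny line's remote address separately, since the two differ in the posted sample. The only formats it assumes are the stock ucspi-tcp log lines and the TAI64N timestamp that multilog writes; the sample input is the log excerpt from the post.

```python
"""Measure a connection flood from tcpserver (ucspi-tcp) log lines.

Added example for the thread above, not code from any of its participants.
Input format assumed: multilog TAI64N timestamps followed by the stock
tcpserver messages (pid/deny/end/status).
"""
import re
from collections import Counter

# TAI64N label: '@', 16 hex digits of seconds offset by 2**62, 8 hex digits of nanoseconds.
TAI64_OFFSET = 1 << 62

# Sample input: the log lines copied from the post above.
SAMPLE_LOG = """\
@40000000425e639739b9fa1c tcpserver: end 13905 status 25600
@40000000425e639739ba4c24 tcpserver: status: 7/20
@40000000425e63973a907074 tcpserver: status: 8/20
@40000000425e63973a944104 tcpserver: pid 13907 from 18.104.22.168
@40000000425e63973a95cf74 tcpserver: deny 13907 0:22.214.171.124:25 :126.96.36.199::33919
@40000000425e63973a98733c tcpserver: end 13907 status 25600
@40000000425e63973a98c92c tcpserver: status: 7/20
@40000000425e63980081e3f4 tcpserver: status: 8/20
@40000000425e639800866c1c tcpserver: pid 13908 from 188.8.131.52
@40000000425e63980088507c tcpserver: deny 13908 0:184.108.40.206:25 :220.127.116.11::29926
@40000000425e6398008b270c tcpserver: end 13908 status 25600
@40000000425e6398008b7914 tcpserver: status: 7/20
@40000000425e639804855f1c tcpserver: status: 8/20
@40000000425e63980488fce4 tcpserver: pid 13909 from 18.104.22.168
@40000000425e6398048a9af4 tcpserver: deny 13909 0:22.214.171.124:25 :126.96.36.199::9580
"""

PID_RE = re.compile(r"tcpserver: pid (\d+) from ([\d.]+)")
# deny <pid> <localhost>:<localip>:<localport> <remotehost>:<remoteip>:<remoteinfo>:<remoteport>
DENY_RE = re.compile(r"tcpserver: deny (\d+) \S*?:([\d.]+):(\d+) \S*?:([\d.]+):\S*?:(\d+)")
END_RE = re.compile(r"tcpserver: end (\d+) status (\d+)")
STATUS_RE = re.compile(r"tcpserver: status: (\d+)/(\d+)")


def tai64n_to_unix(label):
    """Convert a TAI64N label to seconds since the epoch (float).
    TAI runs a few tens of seconds ahead of UTC; that offset is irrelevant for
    measuring intervals inside one log, which is all this script does."""
    hexpart = label.lstrip("@")
    secs = int(hexpart[:16], 16) - TAI64_OFFSET
    nanos = int(hexpart[16:24], 16)
    return secs + nanos / 1e9


def parse_line(line):
    """Return (timestamp, kind, fields) for a tcpserver log line, None for anything else."""
    stamp, _, rest = line.strip().partition(" ")
    if not stamp.startswith("@") or len(stamp) != 25:
        return None
    ts = tai64n_to_unix(stamp)
    m = PID_RE.search(rest)
    if m:
        return ts, "pid", {"pid": int(m[1]), "ip": m[2]}
    m = DENY_RE.search(rest)
    if m:
        return ts, "deny", {"pid": int(m[1]), "local_ip": m[2], "local_port": int(m[3]),
                            "remote_ip": m[4], "remote_port": int(m[5])}
    m = END_RE.search(rest)
    if m:
        # The status field is the wait(2) status; the child's exit code is its high byte.
        return ts, "end", {"pid": int(m[1]), "exit_code": int(m[2]) >> 8}
    m = STATUS_RE.search(rest)
    if m:
        return ts, "status", {"current": int(m[1]), "limit": int(m[2])}
    return None


def summarize(log_text):
    """Aggregate a log excerpt into per-source counts, concurrency and rate figures."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    attempts, deny_remote, exit_codes = Counter(), Counter(), Counter()
    denies = peak = limit = 0
    for _, kind, f in events:
        if kind == "pid":
            attempts[f["ip"]] += 1
        elif kind == "deny":
            denies += 1
            deny_remote[f["remote_ip"]] += 1
        elif kind == "end":
            exit_codes[f["exit_code"]] += 1
        elif kind == "status":
            peak = max(peak, f["current"])
            limit = f["limit"]
    stamps = [e[0] for e in events]
    span = (max(stamps) - min(stamps)) if stamps else 0.0
    total = sum(attempts.values())
    return {
        "attempts_by_ip": attempts,
        "deny_remote_by_ip": deny_remote,
        "denies": denies,
        "exit_codes": exit_codes,
        "peak_concurrency": peak,
        "concurrency_limit": limit,
        "span_seconds": span,
        # Only meaningful over a long window; the 0.1 s excerpt above says little.
        "attempts_per_minute": (total / span * 60.0) if span > 0 else None,
    }


def top_sources(summary, n=5):
    """Source addresses by attempt count: the candidates for a targeted tcp.smtp entry."""
    return summary["attempts_by_ip"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("attempts by source:", top_sources(s))
    print("denies:", s["denies"], "exit codes:", dict(s["exit_codes"]))
    print("peak concurrency: %d of %d" % (s["peak_concurrency"], s["concurrency_limit"]))
    print("window: %.3f s, rate: %s/min" % (s["span_seconds"], s["attempts_per_minute"]))
```

Run it against a whole multilog directory (`cat /var/log/qmail/smtpd/@* current | python3 thisscript.py` after swapping SAMPLE_LOG for sys.stdin.read()) and the peak-concurrency figure tells you whether the real problem is the tcpserver -c limit being exhausted, while the per-source table shows whether a handful of addresses account for the load, which is the case where a narrow deny beats a blanket one.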
I don't know what you can do. What you have done so far is block legitimate email servers from sending your clients email; while it reduces your load, it is not a good practice. If you are going to do something like that, you might as well just turn off your mail server.
As long as you are rejecting invalid/unknown users at the SMTP level, you really shouldn't have much of a bandwidth issue.
Is this server delivering mail, and are you checking for unknown users at SMTP time (via the chkuser patch)?