Re: Spammers?
From: Denis Dimick (denis@dimick.net)
Date: 03/04/03
Date: Tue, 4 Mar 2003 08:45:05 -0800 (PST)
From: Denis Dimick <denis@dimick.net>
To: Christopher Wagner <chrisw@pacaids.com>

I saw the same thing for a while last year.. I just blocked most of the IP
address range for Asia. All of a sudden I didn't see it any more..
On Thu, 27 Feb 2003, Christopher Wagner wrote:
> Good day all..
>
> I'm encountering some rather annoying problems with my mail server.
>
> It appears as though someone is trying rather desperately to relay through
> my mail server, and using multiple boxes from all over the place to do it.
> They are all directed at pacbell.net and they're all from the commonly faked
> mail from:'s (ie: hotmail, mindspring, earthlink)
>
> Logs:
>
> Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idapaul@pacbell.net>: Recipient address
> rejected: Relay access denied; from=<t1p2dj10x@earthlink.net>
> to=<idapaul@pacbell.net>
> Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idar@pacbell.net>: Recipient address rejected:
> Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idar@pacbell.net>
> Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idbyebye@pacbell.net>: Recipient address
> rejected: Relay access denied; from=<t1p2dj10x@earthlink.net>
> to=<idbyebye@pacbell.net>
> Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idc@pacbell.net>: Recipient address rejected:
> Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idc@pacbell.net>
> --
> Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons@pacbell.net>: Recipient
> address rejected: Relay access denied; from=<r275rmd0b@mindspring.com>
> to=<gortons@pacbell.net>
> Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2@pacbell.net>: Recipient
> address rejected: Relay access denied; from=<r275rmd0b@mindspring.com>
> to=<gos2@pacbell.net>
> Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaints@pacbell.net>:
> Recipient address rejected: Relay access denied;
> from=<r275rmd0b@mindspring.com> to=<gosaints@pacbell.net>
> Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosenior@pacbell.net>:
> Recipient address rejected: Relay access denied;
> from=<r275rmd0b@mindspring.com> to=<gosenior@pacbell.net>
> --
> Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardi@pacbell.net>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4@hotmail.com> to=<jgerardi@pacbell.net>
> Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfen@pacbell.net>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4@hotmail.com> to=<jgerfen@pacbell.net>
> Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from
> ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerke@pacbell.net>:
> Recipient address rejected: Relay access denied;
> from=<wf97vp1tl4@hotmail.com> to=<jgerke@pacbell.net>
> --
> And so on.. They seem pretty determined to relay, I dunno why, it ain't
> gonna happen. This seems to happen once a month or so, obviously from a
> variety of addresses. It almost looks suspiciously like these various
> machines have either been hacked or they're hiring out their bandwidth to a
> spammer.
>
> Any suggestions for tracking this down or should I just ignore it? It's not
> a real drain on my bandwidth or server capacity, the frequency isn't
> bothersome, just the log entries get annoying after awhile. It doesn't help
> matters by having all the sources be out of the US, it makes it more
> difficult to track down.
>
> Thanks folks..
>
> - Christopher Wagner
> chrisw@pacaids.com
>
> Packaging Aids Corporation - Information Systems
> P.O. Box 9144
> San Rafael, CA 94912-9144
> http://www.pacaids.com/
> (415) 454-4868 x116
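Added example, not part of the original thread: one way to turn the repeated "Relay access denied" entries quoted above into a per-source summary, so the recurring hosts stand out instead of scrolling past in the log. The sample input is constructed (documentation-range IPs, example.* domains, hostname mx1), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted above (documentation IPs, example.* domains),
# including the "> " quote prefix and the hard line wrapping a mail client adds.
SAMPLE = """\
> Feb 25 07:12:02 mx1 postfix/smtpd[31398]: reject: RCPT from
> unknown[192.0.2.10]: 554 <alice@example.net>: Recipient address
> rejected: Relay access denied; from=<x1@example.com>
> to=<alice@example.net>
> Feb 25 07:12:08 mx1 postfix/smtpd[31398]: reject: RCPT from
> unknown[192.0.2.10]: 554 <bob@example.net>: Recipient address rejected:
> Relay access denied; from=<x1@example.com> to=<bob@example.net>
> --
> Feb 25 07:10:37 mx1 postfix/smtpd[31398]: reject: RCPT from
> host.example.org[198.51.100.7]: 554 <carol@example.net>: Recipient
> address rejected: Relay access denied; from=<y2@example.com>
> to=<carol@example.net>
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")  # syslog timestamp
ENTRY = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"554 .*?Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def unwrap(text):
    # Strip quote markers, drop "--" separators, rejoin wrapped lines per entry.
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line in ("", "--"):
            continue
        if STAMP.match(line):
            entries.append(line)          # a timestamp starts a new entry
        elif entries:
            entries[-1] += " " + line     # anything else continues the last one
    return entries

def summarize(text):
    # Per client IP: reverse-DNS name, attempt count, envelope senders, target domains.
    stats = defaultdict(lambda: {"host": "", "attempts": 0, "senders": set(), "rcpt_domains": set()})
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if m:
            s = stats[m["ip"]]
            s["host"], s["attempts"] = m["host"], s["attempts"] + 1
            s["senders"].add(m["sender"])
            s["rcpt_domains"].add(m["rcpt"].rpartition("@")[2].lower())
    return dict(stats)
```

On an unquoted mail log read straight from the server, the same functions apply unchanged, since the quote-stripping and unwrapping steps are no-ops on single-line entries.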