EMERGENCY - need to secure my server against an ongoing SPAMMER
Paul Howarth
paul at city-fan.org
Sat Mar 12 10:58:50 UTC 2005
On Sat, 2005-03-12 at 09:51 +0000, Bob Brennan wrote:
> Here is a truncated logwatch indicating more than 1000 spams sent but
> seemingly a lot more denied, and most if not all bounced. I have
> truncated the "Relaying denied" list because it ran into pages. There
> are continuing attempts to relay through my server, every few minutes,
> all denied now. Hopefully the bast**ds will give up and move on
> soon...
>
> --------------------- sendmail Begin ------------------------
>
> Bytes Transferred: 12332471
> Messages Sent: 1010
> Total recipients: 13027
>
> 271 messages returned after 4 hours
>
> 1255 User Unknown notifications
>
> Top relays (recipients/connections - min 10 rcpts, max 50 lines):
> 2441/125: 219-81-152-11.static.tfn.net.tw [219.81.152.11]
> 1250/74: 61-31-142-15.dynamic.tfn.net.tw [61.31.142.15]
> 1200/78: 219-81-147-236.static.tfn.net.tw [219.81.147.236]
> 1020/102: 61-31-132-192.dynamic.tfn.net.tw [61.31.132.192]
> 900/90: 219-81-152-68.static.tfn.net.tw [219.81.152.68]
> 691/35: 219-81-148-55.static.tfn.net.tw [219.81.148.55]
> 600/30: 61-31-138-36.dynamic.tfn.net.tw [61.31.138.36]
> 540/54: 61-31-135-89.dynamic.tfn.net.tw [61.31.135.89]
> 480/36: 61-31-134-142.dynamic.tfn.net.tw [61.31.134.142]
> 473/48: 61-31-141-57.dynamic.tfn.net.tw [61.31.141.57]
> 360/24: 219-81-146-75.static.tfn.net.tw [219.81.146.75]
> 360/36: 219-81-147-234.static.tfn.net.tw [219.81.147.234]
> 360/36: 61-31-143-231.dynamic.tfn.net.tw [61.31.143.231]
> 301/25: 61-31-134-51.dynamic.tfn.net.tw [61.31.134.51]
> 270/27: 219-81-152-242.static.tfn.net.tw [219.81.152.242]
> 250/25: 61-31-143-110.dynamic.tfn.net.tw [61.31.143.110]
> 240/12: 219-81-146-16.static.tfn.net.tw [219.81.146.16]
> 240/18: 61-31-143-233.dynamic.tfn.net.tw [61.31.143.233]
> 225/23: 219-81-152-9.static.tfn.net.tw [219.81.152.9]
> 180/9: 61-31-141-122.dynamic.tfn.net.tw [61.31.141.122]
> 180/18: 61-31-130-73.dynamic.tfn.net.tw [61.31.130.73]
> 120/12: 61-31-135-224.dynamic.tfn.net.tw [61.31.135.224]
> 120/12: 219-81-148-189.static.tfn.net.tw [219.81.148.189]
> 120/12: 61-31-129-123.dynamic.tfn.net.tw [61.31.129.123]
> 60/3: 61-31-137-64.dynamic.tfn.net.tw [61.31.137.64]
> 10/10: lon1-probe-1-0.mail.omr-demon.co.uk [193.195.24.130]
>
>
> Relaying denied:
> From www.abuse.net [208.31.42.77] to securitytest at abuse.net: 4 Time(s)
> From www.abuse.net [208.31.42.77] to user-49733 at nf.abuse.net: 4 Time(s)
These top two are the abuse.net relay tester. Probably being used by
someone that received some of the spam your machine relayed yesterday.
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> 118917086 at gigigaga.com: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> 3zt5 at yahoo.com.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> boucy at gcn.net.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> ho at ms65.hinet.net: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> jacky.howard at msa.hinet.net: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> jshad at ms49.hinet.net: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> mxw0823 at yahoo.com.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> sammicheng99 at hotmail.com: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> simulation at mic.com.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> v17582001 at yahoo.com.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> vbs at ms48.url.com.tw: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> wong2000 at gigigaga.com: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> yaku at ms8.hinet.net: 1 Time(s)
> From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
> ynya at ms21.hinet: 1 Time(s)
> From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to
> ansheng1 at seed.net.tw: 1 Time(s)
> From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to
> bluelans at ms56.hinet.net: 1 Time(s)
> From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to
> chairman at dragonland.com.sg: 1 Time(s)
> From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to
> freebienewsletter-subscribe at listbot.com: 1 Time(s)
I wouldn't be surprised if the rest are zombied Windows boxes.
Paul.
--
Paul Howarth <paul at city-fan.org>
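An added example, not code from this thread, that triages a logwatch sendmail report of the shape quoted above from the defender's side: it re-joins the "From ... to" lines the mail client wrapped, totals relayed recipients, connections and denied attempts per source IP, and labels abuse.net as the relay tester Paul identifies and sources with many recipients per connection as bulk relay runs. The sample excerpt (taken from the quoted report), the `unwrap`/`parse_report`/`classify` names and the 5 recipients-per-connection threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the logwatch format quoted above, mail-client wrapping included.
SAMPLE_REPORT = """2441/125: 219-81-152-11.static.tfn.net.tw [219.81.152.11]
10/10: lon1-probe-1-0.mail.omr-demon.co.uk [193.195.24.130]
From www.abuse.net [208.31.42.77] to securitytest at abuse.net: 4 Time(s)
From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
118917086 at gigigaga.com: 1 Time(s)
From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to
3zt5 at yahoo.com.tw: 1 Time(s)"""
RELAY_RE = re.compile(r"^(\d+)/(\d+): (\S+) \[([\d.]+)\]$")
DENIED_RE = re.compile(r"^From (\S+) \[([\d.]+)\] to \S+ at \S+: (\d+) Time\(s\)$")
RELAY_TESTERS = ("abuse.net",)  # relay-test service named in the reply
BULK_RCPTS_PER_CONN = 5         # assumed threshold for a bulk relay run

def unwrap(text):
    """Re-join 'From ... to' lines that were wrapped onto a second line."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith(" to"):
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_report(text):
    """Per source IP: relayed recipients, connections and denied attempts."""
    stats = defaultdict(lambda: {"host": "", "relayed": 0, "conns": 0, "denied": 0})
    for line in unwrap(text):
        if m := RELAY_RE.match(line):
            rcpts, conns, host, ip = m.groups()
            stats[ip]["host"] = host
            stats[ip]["relayed"] += int(rcpts)
            stats[ip]["conns"] += int(conns)
        elif m := DENIED_RE.match(line):
            host, ip, times = m.groups()
            stats[ip]["host"] = host
            stats[ip]["denied"] += int(times)
    return dict(stats)

def classify(stats):
    """Label each source so the report can be triaged instead of read."""
    def label(s):
        if s["host"].endswith(RELAY_TESTERS):
            return "relay-tester"   # someone checking whether we still relay
        if s["conns"] and s["relayed"] >= BULK_RCPTS_PER_CONN * s["conns"]:
            return "bulk-relay"     # many recipients per connection: a spam run
        return "other-relay" if s["relayed"] else "denied-only"
    return {ip: label(s) for ip, s in stats.items()}
```

The "denied-only" sources are the ones still probing after relaying was closed, which is what the quoted "Relaying denied" list shows.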
More information about the fedora-list mailing list