EMERGENCY - need to secure my server against an ongoing SPAMMER

Paul Howarth paul at city-fan.org
Sat Mar 12 10:58:50 UTC 2005


On Sat, 2005-03-12 at 09:51 +0000, Bob Brennan wrote:
> Here is a truncated logwatch indicating more than 1000 spams sent but
> seemingly a lot more denied, and most if not all bounced. I have
> truncated the "Relaying denied" list because it ran into pages. There
> are continuing attempts to relay through my server, every few minutes,
> all denied now. Hopefully the bast**ds will give up and move on
> soon...
> 
>  --------------------- sendmail Begin ------------------------ 
> 
> Bytes Transferred: 12332471
> Messages Sent:     1010
> Total recipients:  13027
> 
> 271 messages returned after 4 hours
> 
> 1255 User Unknown notifications
> 
> Top relays (recipients/connections - min 10 rcpts, max 50 lines):
>     2441/125: 219-81-152-11.static.tfn.net.tw [219.81.152.11]
>     1250/74: 61-31-142-15.dynamic.tfn.net.tw [61.31.142.15]
>     1200/78: 219-81-147-236.static.tfn.net.tw [219.81.147.236]
>     1020/102: 61-31-132-192.dynamic.tfn.net.tw [61.31.132.192]
>     900/90: 219-81-152-68.static.tfn.net.tw [219.81.152.68]
>     691/35: 219-81-148-55.static.tfn.net.tw [219.81.148.55]
>     600/30: 61-31-138-36.dynamic.tfn.net.tw [61.31.138.36]
>     540/54: 61-31-135-89.dynamic.tfn.net.tw [61.31.135.89]
>     480/36: 61-31-134-142.dynamic.tfn.net.tw [61.31.134.142]
>     473/48: 61-31-141-57.dynamic.tfn.net.tw [61.31.141.57]
>     360/24: 219-81-146-75.static.tfn.net.tw [219.81.146.75]
>     360/36: 219-81-147-234.static.tfn.net.tw [219.81.147.234]
>     360/36: 61-31-143-231.dynamic.tfn.net.tw [61.31.143.231]
>     301/25: 61-31-134-51.dynamic.tfn.net.tw [61.31.134.51]
>     270/27: 219-81-152-242.static.tfn.net.tw [219.81.152.242]
>     250/25: 61-31-143-110.dynamic.tfn.net.tw [61.31.143.110]
>     240/12: 219-81-146-16.static.tfn.net.tw [219.81.146.16]
>     240/18: 61-31-143-233.dynamic.tfn.net.tw [61.31.143.233]
>     225/23: 219-81-152-9.static.tfn.net.tw [219.81.152.9]
>     180/9: 61-31-141-122.dynamic.tfn.net.tw [61.31.141.122]
>     180/18: 61-31-130-73.dynamic.tfn.net.tw [61.31.130.73]
>     120/12: 61-31-135-224.dynamic.tfn.net.tw [61.31.135.224]
>     120/12: 219-81-148-189.static.tfn.net.tw [219.81.148.189]
>     120/12: 61-31-129-123.dynamic.tfn.net.tw [61.31.129.123]
>     60/3: 61-31-137-64.dynamic.tfn.net.tw [61.31.137.64]
>     10/10: lon1-probe-1-0.mail.omr-demon.co.uk [193.195.24.130]
> 
> 
> Relaying denied:
>     From www.abuse.net [208.31.42.77] to securitytest at abuse.net: 4 Time(s)
>     From www.abuse.net [208.31.42.77] to user-49733 at nf.abuse.net: 4 Time(s)

These top two are the abuse.net relay tester. Probably being used by
someone that received some of the spam your machine relayed yesterday.

>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to 118917086 at gigigaga.com: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to 3zt5 at yahoo.com.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to boucy at gcn.net.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to ho at ms65.hinet.net: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to jacky.howard at msa.hinet.net: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to jshad at ms49.hinet.net: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to mxw0823 at yahoo.com.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to sammicheng99 at hotmail.com: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to simulation at mic.com.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to v17582001 at yahoo.com.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to vbs at ms48.url.com.tw: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to wong2000 at gigigaga.com: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to yaku at ms8.hinet.net: 1 Time(s)
>     From 219-81-145-182.static.tfn.net.tw [219.81.145.182] to ynya at ms21.hinet: 1 Time(s)
>     From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to ansheng1 at seed.net.tw: 1 Time(s)
>     From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to bluelans at ms56.hinet.net: 1 Time(s)
>     From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to chairman at dragonland.com.sg: 1 Time(s)
>     From 219-81-146-16.static.tfn.net.tw [219.81.146.16] to freebienewsletter-subscribe at listbot.com: 1 Time(s)

I wouldn't be surprised if the rest are zombied Windows boxes.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
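Added here as a defender's example, not code from either poster: a small Python parser for the logwatch sendmail "Top relays" block quoted above, with a check that flags sources pushing many recipients through few connections and a roll-up by source domain so a network of zombie hosts shows as one entry. The sample lines, threshold values and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch sendmail "Top relays" format seen in the
# quoted report: "recipients/connections: host [ip]".
SAMPLE_TOP_RELAYS = """\
Top relays (recipients/connections - min 10 rcpts, max 50 lines):
    2441/125: 219-81-152-11.static.tfn.net.tw [219.81.152.11]
    1250/74: 61-31-142-15.dynamic.tfn.net.tw [61.31.142.15]
    10/10: lon1-probe-1-0.mail.omr-demon.co.uk [193.195.24.130]
"""

RELAY_RE = re.compile(r"^\s*(\d+)/(\d+):\s+(\S+)\s+\[([\d.]+)\]\s*$")


def parse_top_relays(text):
    """Return (recipients, connections, host, ip) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = RELAY_RE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def suspicious_relays(rows, min_rcpts=100, min_ratio=5.0):
    """Flag sources with many recipients per connection.

    Mail destined for this server's own users normally carries few recipients
    per connection; bulk relaying through an open relay does not. Thresholds
    are assumed starting points, not calibrated values.
    """
    flagged = []
    for rcpts, conns, host, ip in rows:
        ratio = rcpts / conns if conns else float("inf")
        if rcpts >= min_rcpts and ratio >= min_ratio:
            flagged.append((ip, host, rcpts, round(ratio, 1)))
    return flagged


def volume_by_domain(rows):
    """Sum relayed recipients by the source's parent domain (last 3 labels)."""
    totals = defaultdict(int)
    for rcpts, _conns, host, _ip in rows:
        domain = ".".join(host.split(".")[-3:])  # e.g. tfn.net.tw
        totals[domain] += rcpts
    return dict(totals)


if __name__ == "__main__":
    rows = parse_top_relays(SAMPLE_TOP_RELAYS)
    print("flagged:", suspicious_relays(rows))
    print("by domain:", volume_by_domain(rows))
```

Feed it the "Top relays" section of a real logwatch report to see which sources dominated the relayed volume before deciding which networks to block or report.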
More information about the fedora-list mailing list