Getting pounded .. sigh
Julian Field
MailScanner at ecs.soton.ac.uk
Mon May 22 19:22:08 IST 2006
Two things: In the UK wanadoo is a big ISP. They are actually French,
but have a very big UK presence. I would expect quite a lot of traffic
from them, they have a lot of customers, but I also wouldn't be too
surprised if one of their main SMTP servers got compromised :-(
As there are various magic commands to do this stuff in different
operating systems, could someone (Jeff?) please add an article to the
Wiki on how to block mail traffic from a particular host or site, not
only at the OS level with firewalling but also at the MTA level for
those who prefer to work at that level. Not everyone has Linux with
iptables switched on and completely configured. For those people
(including me) knowing how to do it at the MTA level is more useful than
pretty iptables or ipfilter commands.
Could someone do that for me please?
Thanks!
Jeff A. Earickson wrote:
> Or if you are a Solaris user with ipfilter installed, try:
>
> block in quick on ce0 proto tcp from 193.252.22.0/24 to any port = 25
>
> in your ipf.conf file. Substitute your appropriate network interface
> for "ce0".
>
> Jeff Earickson
> Colby College
>
> On Mon, 22 May 2006, Dave Strydom wrote:
>
>> Date: Mon, 22 May 2006 19:11:11 +0200
>> From: Dave Strydom <strydom.dave at gmail.com>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: Getting pounded .. sigh
>>
>> iptables -A INPUT -s 193.252.22.157 -j DROP
>> iptables -A INPUT -s 193.252.22.158 -j DROP
>>
>> problem solved.
>>
>> Regards
>> Dave
>>
>> On 5/22/06, Rob Poe <rpoe at plattesheriff.org> wrote:
>>> My mail server is getting POUNDED from
>>> 193.252.22.157
>>> 193.252.22.158
>>>
>>> Which is smtp1.wanadoo.co.uk and smtp2.wanadoo.co.uk
>>>
>>> I blacklisted the whole 193.252.22.x
>>>
>>> They're targeting my list server, and SpamAssassin is grabbing them
>>> (along with the fact that the list server is membership only!!)
>>>
>>> but I'm getting one every 5-10 seconds!!
>>>
>>> grep 193.252.22 /var/log/maillog | wc
>>> 1863 62955 710320
>>>
>>> May 22 11:49:02 mail sendmail[30768]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:07 mail sendmail[30769]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:13 mail sendmail[30770]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:27 mail sendmail[30774]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:29 mail sendmail[30775]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:41 mail sendmail[30777]: ruleset=check_relay,
>>> arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157,
>>> relay=smtp2.wanadoo.co.uk
>>> [193.252.22.157], reject=583 5.0.0 Get lost..
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
More information about the MailScanner
mailing list