Getting pounded .. sigh
Rob Poe
rpoe at plattesheriff.org
Mon May 22 19:36:04 IST 2006
I blocked them at the MTA level in the very most very basic way ..
rejecting their email through the /etc/mail/access
I just peeked at the logs again, and it's started back up again...
>>> MailScanner at ecs.soton.ac.uk 5/22/2006 1:22:08 PM >>>
Two things: In the UK wanadoo is a big ISP. They are actually French,
but have a very big UK presence. I would expect quite a lot of traffic
from them, they have a lot of customers, but I also wouldn't be too
surprised if one of their main SMTP servers got compromised :-(
As there are various magic commands to do this stuff in different
operating systems, could someone (Jeff?) please add an article to the
Wiki on how to block mail traffic from a particular host or site, not
only at the OS level with firewalling but also at the MTA level for
those who prefer to work at that level. Not everyone has Linux with
iptables switched on and completely configured. For those people
(including me) knowing how to do it at the MTA level is more useful than
pretty iptables or ipfilter commands.
Could someone do that for me please?
Thanks!
Jeff A. Earickson wrote:
> Or if you are a Solaris user with ipfilter installed, try:
>
> block in quick on ce0 proto tcp from 193.252.22.0/24 to any port = 25
>
> in your ipf.conf file. Substitute your appropriate network interface
> for "ce0".
>
> Jeff Earickson
> Colby College
>
> On Mon, 22 May 2006, Dave Strydom wrote:
>
>> Date: Mon, 22 May 2006 19:11:11 +0200
>> From: Dave Strydom <strydom.dave at gmail.com>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: Getting pounded .. sigh
>>
>> iptables -A INPUT -s 193.252.22.157 -j DROP
>> iptables -A INPUT -s 193.252.22.158 -j DROP
>>
>> problem solved.
>>
>> Regards
>> Dave
>>
>> On 5/22/06, Rob Poe <rpoe at plattesheriff.org> wrote:
>>> My mail server is getting POUNDED from
>>> 193.252.22.157
>>> 193.252.22.158
>>>
>>> Which is smtp1.wanadoo.co.uk and smtp2.wanadoo.co.uk
>>>
>>> I blacklisted the whole 193.252.22.x
>>>
>>> They're targeting my list server, and SpamAssassin is grabbing them
>>> (along with the fact that the list server is membership only!!)
>>>
>>> but I'm getting one every 5-10 seconds!!
>>>
>>> grep 193.252.22 /var/log/maillog | wc
>>> 1863 62955 710320
>>>
>>> May 22 11:49:02 mail sendmail[30768]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:07 mail sendmail[30769]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:13 mail sendmail[30770]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:27 mail sendmail[30774]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:29 mail sendmail[30775]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:41 mail sendmail[30777]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
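
Added example, not part of the thread or of any poster's commands: a shell function that tallies sendmail `check_relay` rejections per source IP from log lines like the ones quoted above, with the first and last time each address was seen. The first three sample lines are the thread's entries joined to one line each, the last two are constructed, and `reject_summary` and `sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example. reject_summary and sample_log are hypothetical names.

# Read maillog lines on stdin; print "<count> <ip> <first> <last>" for every
# source IP with at least $1 (default 1) check_relay rejections, busiest first.
reject_summary() {
    awk -v min="${1:-1}" '
    /ruleset=check_relay/ && /reject=/ {
        ip = ""
        n = split($0, f, /[ ,]+/)
        for (i = 1; i <= n; i++)             # arg2= is the connecting address
            if (f[i] ~ /^arg2=/) ip = substr(f[i], 6)
        if (ip == "") next                   # malformed entry, skip it
        if (!(ip in count)) first[ip] = $3   # $3 is the HH:MM:SS stamp
        count[ip]++
        last[ip] = $3
    }
    END {
        for (ip in count)
            if (count[ip] >= min)
                printf "%d %s %s %s\n", count[ip], ip, first[ip], last[ip]
    }' | sort -rn
}

# Sample input: three entries from the thread, then two constructed lines
# (one rejection from a documentation address, one ordinary accepted message).
sample_log() {
cat <<'EOF'
May 22 11:49:02 mail sendmail[30768]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
May 22 11:49:07 mail sendmail[30769]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
May 22 11:49:13 mail sendmail[30770]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
May 22 11:49:20 mail sendmail[30772]: ruleset=check_relay, arg1=mail.example.org, arg2=192.0.2.25, relay=mail.example.org [192.0.2.25], reject=583 5.0.0 Get lost..
May 22 11:49:21 mail sendmail[30773]: k4MGnLxx030773: from=<user@example.org>, size=1024, relay=mail.example.org [192.0.2.30]
EOF
}

sample_log | reject_summary
```

On a live server the same function reads the real log, for example `reject_summary 100 < /var/log/maillog`. Each counted line is a connection the MTA already refused, so the tally separates traffic that is still arriving from mail that is actually getting through.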