Hi friends! My mail server is Postfix and sometimes, someone is trying to use my smtp to send spam emails. I have used iptables and fail2ban to solve this cases, and i´m always reading the mail log to see any suspicious connections, using iptables commands manually to ban these annoying spammers. but the last one is very persistent! Even with several commands in iptables including output and input rules to drop it, the connections attempts was not blocked! The mail log is still like bellow: Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 54746F87805E: from=<[email protected]>, size=878, nrcpt=1 (queue active) Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 3BF3CF87806F: from=<[email protected]>, size=810, nrcpt=1 (queue active) Mar 21 09:04:50 fixoterm postfix/qmgr[28504]: 94802F87806C: from=<[email protected]>, size=958, nrcpt=1 (queue active) Mar 21 09:04:50 fixoterm postfix/smtp[32720]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable Mar 21 09:04:50 fixoterm postfix/smtp[32744]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable Mar 21 09:04:50 fixoterm postfix/smtp[32731]: connect to testingemail.com[208.87.35.103]:25: Network is unreachable Mar 21 09:04:50 fixoterm postfix/smtp[32720]: 54746F87805E: to=<[email protected]>, relay=none, delay=66584, delays=66584/0.11/0.19/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable) Mar 21 09:04:50 fixoterm postfix/smtp[32731]: 3BF3CF87806F: to=<[email protected]>, relay=none, delay=60703, delays=60702/0.02/0.21/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable) Mar 21 09:04:50 fixoterm postfix/smtp[32744]: 94802F87806C: to=<[email protected]>, relay=none, delay=66549, delays=66549/0.04/0.13/0, dsn=4.4.1, status=deferred (connect to testingemail.com[208.87.35.103]:25: Network is unreachable) Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max connection rate 1/60s for (smtp:209.85.215.41) at Mar 21 09:02:28 Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max connection count 1 for (smtp:209.85.215.41) at Mar 21 09:02:28 Mar 21 09:05:51 fixoterm postfix/anvil[32707]: statistics: max cache size 1 at Mar 21 09:02:28 ------------------------------------------------------------------------- Even with network unreachable status, this annoying ip testingemail.com [208.87.35.103] is trying to connect to my smtp server! I have used iptables and route commands to block it but no success until now =/ That server (testingdomain.com) was trying to use my php mail functions from php files present on my server to send the emails, i discovered and commented these lines from the mail function and this issue was solved. I have made an ip lookup to 208.87.35.103 and this is an inconsistent ip. what this means? Maybe my server have a script running to do this connection attempts? This is a backscatterer? Thanks for your attention! Regards
yep, but why this is happening? Its possible due to a postfix queue? I noticed my server finally stopped trying to make those connections! Thanks!
