Emergency Help please

Discussion in 'Installation/Configuration' started by kings, Oct 20, 2010.

  1. kings

    kings Member

    For the 3rd day, only 2 mailboxes on different mail servers have received e-mails from different senders like this:

    "[email protected]" <[email protected]>. This and all the other senders send anti federal tax mails.
    I read everything about this problem on this forum, but I have not stopped this:
    I followed all of Till's advice for this. After I sent to this sender, I saw this in the mail info.log:
    Quote:
    Oct 20 10:19:02 shvv postfix/qmgr[6682]: 055ED4C2AC9: from=<[email protected]>, size=5157, nrcpt=1 (queue active)
    Oct 20 10:19:23 shvv postfix/smtp[18419]: connect to eftps.gov[12.36.213.139]:25: Connection timed out
    Oct 20 10:19:23 shvv postfix/smtp[18419]: 055ED4C2AC9: to=<[email protected]>, relay=none, delay=155970, delays=155949/0.03/21/0, dsn=4.4.1, status=deferred (connect to eftps.gov[12.36.213.139]:25: Connection timed out)


    Generally for all senders that used eftps.gov!!!!

    Unquote!
    In "local-host-names" and "aliases" I have no changes for this!
    When I run the command "dig MX house-v.eu", in the answer section all is NORMAL:
    ;; ANSWER SECTION:
    house-v.eu. 28800 IN MX 10 mail.house-v.eu.

    ;; Query time: 1131 msec
    ;; SERVER: 93.152.128.1#53(93.152.128.1)
    ;; WHEN: Wed Oct 20 10:09:32 2010
    ;; MSG SIZE rcvd: 49


    Please help me to stop this. Where do I try to block this?
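
The deferred entries in the log above are replies sitting in the queue for a host that never accepts the connection, so Postfix keeps retrying them. As an added example (not part of the original post), this Python script groups such long-deferred deliveries by recipient domain; the sample log lines, hostnames and the `stuck_deliveries` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Postfix log format quoted in the post above.
# Hostnames, addresses, queue IDs and IPs are placeholders, not thread values.
SAMPLE_LOG = """\
Oct 20 10:19:23 mx1 postfix/smtp[18419]: 055ED4C2AC9: to=<notice@spoofed-sender.example>, relay=none, delay=155970, delays=155949/0.03/21/0, dsn=4.4.1, status=deferred (connect to spoofed-sender.example[192.0.2.10]:25: Connection timed out)
Oct 20 10:20:01 mx1 postfix/smtp[18420]: 1A2B3C4D5E6: to=<user@partner.example>, relay=mail.partner.example[198.51.100.7]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B4)
Oct 20 10:21:44 mx1 postfix/smtp[18422]: 7F6E5D4C3B2: to=<billing@spoofed-sender.example>, relay=none, delay=86500, delays=86479/0.02/21/0, dsn=4.4.1, status=deferred (connect to spoofed-sender.example[192.0.2.10]:25: Connection timed out)
Oct 20 10:22:10 mx1 postfix/smtp[18423]: 0C1D2E3F4A5: to=<bob@slow.example>, relay=none, delay=30, delays=9/0.01/21/0, dsn=4.4.1, status=deferred (connect to slow.example[203.0.113.5]:25: Connection timed out)
"""

# Matches postfix/smtp delivery records: queue ID, recipient, delay, DSN, status.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), .*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def stuck_deliveries(log_text, min_delay=3600):
    """Return {recipient domain: [(queue_id, dsn, delay_seconds), ...]} for
    deliveries still deferred after min_delay seconds in the queue."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "deferred":
            continue  # not a delivery record, or delivered/bounced already
        delay = float(m["delay"])
        if delay < min_delay:
            continue  # a short deferral is usually a transient failure
        domain = m["rcpt"].rpartition("@")[2].lower()
        by_domain[domain].append((m["qid"], m["dsn"], delay))
    return dict(by_domain)


if __name__ == "__main__":
    for domain, items in stuck_deliveries(SAMPLE_LOG).items():
        oldest = max(d for _, _, d in items)
        print(f"{domain}: {len(items)} deferred, oldest {oldest / 3600:.1f} h")
        for qid, dsn, _ in items:
            print(f"  queue id {qid} dsn={dsn}")
```

Queue IDs found this way can be inspected with `postcat -q <id>` and removed from the queue with `postsuper -d <id>`.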
     
  2. damir

    damir New Member

    In your log there is following message:

    (connect to eftps.gov[12.36.213.139]:25: Connection timed out)

    which means that port 25 is closed. Where is your server located? Datacenter or home?
     
  3. kings

    kings Member

    To Damir - answer

    1. The server is my own;
    2. As I said, this persists for only two boxes in separate mail servers on this server;
    3. On this server I have more than 10 e-mail servers;
    4. I have problems only with these e-mail boxes and not with anything else;
    5. All other boxes have no problem sending and reading mails anywhere and anything;
    6. These 2 e-mail boxes send all e-mail but only have problems with what I quoted;
    7. With the command dig MX, those two servers have no problems with ANSWER SECTIONS and have no problems with main.cfg, local-host-names, aliases, etc.

    So this hypothesis of port 25 is problematic.
    When I run: telnet localhost 25
    ALL works as needed!
     
    Last edited: Oct 20, 2010
  4. edge

    edge Active Member Moderator

    Looks like the problem is at eftps.gov.
    Port 25 is closed.
     
  5. kings

    kings Member

    To edge

    Why do I receive these e-mails?
    How to resolve problems?
     
  6. falko

    falko Super Moderator Howtoforge Staff

    These are spam mails. Why do you try to reply to them?
     
  7. kings

    kings Member

    to Falko

    I don't remember whether I tried or not.
    But in the spam tabs in ISPC2 for these e-mails I put this address, and also "name"@yahoo.com, *@yahoo.com and everything possible, in the blacklist box and set discard spam.
    The result is this ... all the time.

    I see that my server is attacked through open ports which I did not open.
    At the moment I am trying to close them with the firewall.
    If I close them I will post the result and the IP addresses of all attackers!
    By the way, when using the firewall of ISPC 2, is it possible to write the starting port and the final port on one row? For example: 47000-50000
    Or not?
     
  8. kings

    kings Member

    As I promised

    Hackers' IPs which generate spam
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Hacks normally occur from dynamic IPs or servers that are being misused by hackers, and the owners of these servers do not even know that. So posting these IPs does not really help, as the servers might already be cleaned tomorrow or the dynamic IP is assigned to another computer a few hours later.
     
  10. kings

    kings Member

    To Till

    Yes Till, that's right!
    I do not contest this!
    I want to share with everyone my attempts against hackers and spammers.
    1. My practice is to put such addresses in my hosts.deny, as in this example:
    ALL: 113.53.220.206: deny
    2. When the attack on my server is from one provider I block everything, for example:
    113.53.220.207 or 113.54.220.206: in this case it is very clear that nothing good can be expected from these addresses. Everything from these addresses must be blocked immediately, etc.
    ALL: 113.: deny
    Usually all attacks start against SSH. In this case the first blocker is always fail2ban. In my practice I immediately put this address in hosts.deny and in the Joomla sites' Ban IP Address. After that I restart the firewall and block it forever, because those addresses are in hosts.deny. Well, these tactics of mine decrease risk and decrease my work.

    Two times I was lazy ... The last time was 4 days ago, and the result is this. I need to not be lazy any more.

    3. I solved my problems from this lapse of mine by renaming these 2 email users, and renaming the user name in these two sites. The good thing is that these sites are my own. I do not want to imagine what would happen to me if the site were a client's!

    4. The unpleasant part of this story is that I put this [email protected] in Spam in all e-mails, but the attack is against one separate user in the Joomla site with his e-mail address. From all this I have one question: why doesn't Spam in ISPConfig block these addresses?

    Please, Till, explain for all users of ISPConfig 2: where is the mistake, so that nobody repeats it?

    Apart from all that, I want to thank all users who tried to help me in this situation!
    Thank you!
     
    Last edited: Oct 22, 2010
