mail hack attempts

Discussion in 'General' started by fordwrench, Aug 4, 2007.

  1. fordwrench

    fordwrench Member HowtoForge Supporter

    I get thousounds of the following every day:

    Aug 4 11:00:27 srv1 postfix/smtpd[27786]: connect from emark1.emservers.com[66.230.197.45]
    Aug 4 11:00:27 srv1 postfix/smtpd[27786]: NOQUEUE: reject: RCPT from emark1.emservers.com[66.230.197.45]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<> to=<[email protected]> proto=SMTP helo=<emark1.emservers.com>
    Aug 4 11:00:27 srv1 postfix/smtpd[27786]: disconnect from emark1.emservers.com[66.230.197.45]
    Aug 4 11:00:28 srv1 postfix/smtpd[28570]: warning: 219.141.253.249: hostname bj141-253-249.bjtelecom.net verification failed: Name or service not known
    Aug 4 11:00:28 srv1 postfix/smtpd[28570]: connect from unknown[219.141.253.249]
    Aug 4 11:00:29 srv1 postfix/smtpd[28570]: NOQUEUE: reject: RCPT from unknown[219.141.253.249]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<> to=<[email protected]> proto=ESMTP helo=<mailex.cosco.com>
    Aug 4 11:00:29 srv1 postfix/smtpd[28570]: disconnect from unknown[219.141.253.249]
    Aug 4 11:00:34 srv1 postfix/smtpd[28353]: connect from cumeil13.prima.com.ar[200.42.0.139]


    only to one site "rrmaps.com"

    How can I stop this and also how can I stop for bounce mail that is more than a week or a few days old.

    say if today is saturday the 4th...how do I bounce mail from two days ago.
    or only within the 24 hr period preceding.

    Tia

    Fordwrench
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is normal that spammers try to send you emails to non existing eddresses, you can not do much against this. The lines above are no bounces, they tell you just that postfix rejected the emails, so there is nothing more that you must do. Message rejections normally do not generate bounce mails.
     
  3. fordwrench

    fordwrench Member HowtoForge Supporter

    Ok so this is normal but I only get this on one site that has no email users.
    I dont get any on other sites.

    And maybe bounce is the wrong word...I want to reject emails that are more than a few day old. That is, I dont want to receive emails created more than a few days old. Is there a rule to set up for that.

    Thanks

    Fordwrench
     
  4. AlArenal

    AlArenal New Member

    First time someone complains about NOT receiving spam...

    Who sends backdated mail?
     
  5. fordwrench

    fordwrench Member HowtoForge Supporter

    Who sends backdated email?


    Spammers!


    Need some viagra?
    Increase your manhood?
    Best stock tips in town!
    Best pharma website...


    Spammers that is who sends backdated emails.

    Fordwrench
     
  6. fordwrench

    fordwrench Member HowtoForge Supporter

    I am not complaining about not receiving spam...I still receive spam.

    I am saying that one site gets hit constantly and fills the log files with that crap.
    No other sites get all that.
    I have no email users on the site that this getting all the requests.

    I want to know if there is a way to stop it.

    I still get spam with the mail enhancements and rbls.
    I am not a guru with this stuff I am trying to learn.
    That is why I have a sub to this site and I read and read and read....
    And when reading doesnt provide an answer I ask questions..

    Fordwrench
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The emails are already being rejected, that what the log file tells you. You can not reject a email twice when it has been already rejected because the email account does not exist.

    No. And the emails are alredy rejected. It is normal that postfix logs its actions when it rejects a email.
     
  8. AlArenal

    AlArenal New Member

    1. One day you WILL receive spam on the other domains as soon as one harvester gets aware of the domain. It's more a matter of when than if.
    2. Spammers can't know whether or not a domain has email addresses configured or not and now spammer kindly asks you before sending out spam. As Till already said it's normal that spammers in some kind of brute-force-attempt try to find email accounts by creating randomized addresses. My logs are full of such addresses. Even these days a lot of people use catchall addresses and some addresses are common like info@, contact@, ... So this is a normal spammer's behaviour.

    We all receive spam. It's everywhere. Even the gurus receive spam. Right now there is no way to just "turn it off" without drawbacks (false negatives), other than pull the plug and disconnect ;)

    We all (as admins and users) have to learn to live with it the same way that software developers and their bosses and customers have to deal with bugs as part of their work and everyday life. There are ways to reduce spam (you can find them in the various tutorials on howtoforge), but you won't be able to stop spammers from ATTEMPTING to send spam to you. And that's part of what get's logged, the attempts...
     
  9. fordwrench

    fordwrench Member HowtoForge Supporter

    Ok, this was actually two questions.

    I understand the first answer, everyone gets this in the rejected messages because a spammer is trying to brute-force attack. That I understand.
    I just thought maybe someone would have a solution to find who was doing this or whatever. End of that.


    Part 2:

    How do you reject messages with a date that is say 2 days earlier?
    Now I have gotten some of these messages say from "1969". Is there some way to configure postfix so it will reject messages that are older than a certain time you set? So if the system time is 9:00pm on 08/05/07 and the email has a creation date of 08/02/07 or earlier it is rejected? Is there a way to do this?

    By the way.

    Thanks for all the feedback.

    Fordwrench
     
  10. AlArenal

    AlArenal New Member

    Spammers mostly use hijacked computers, so called zombies. Those form a so called bot network under the control of the spammer. They're doing their best to hide away from public.


    Content checking isn't done in Postfix. You'd rather do it afterwards, e.g. in spamassassin. There should already be rules for such suspicious dates. Most of the times they are dated in the future, because then it gets listed atop all other mails in most users' mail clients.
    You'd have to adjust the score for that rule in you spamassassin config, or write your own rule, or something like that.
     
  11. AlArenal

    AlArenal New Member

    Have a look at the various DATE_IN_PAST_* rules coming with spamassassin. But honestly, I've never seen backdated spam that didn't get caught. Not because it was backdated alone, but because of various other rules that found spammish stuff in it.

    So in my opinion tweaking these rules so they alone score enough to tag the mail as spam is not such a good idea. If those mails come through most probably your SA setup is missing something.
     
  12. edge

    edge Active Member Moderator

    An other good way of not getting spam is by NOT posting your email address (the rrmaps.com one) on websites or in this case on forums!
     
  13. AlArenal

    AlArenal New Member

    You should have told me that some 10 years ago! ;)
     

Share This Page