smtp connections to nameservers IP

Hello,
The last two days I noticed an unusual trafic to my server.
Can someone tell me what is all these connections to 88.218.110.178?
88.218.110.178 is only set as an A record for ns1. How smtp connections is possible?

My IP addresses are:
88.218.110.178 - 179 for ns1 & ns2 nameservers
88.218.110.180 for mail server and mydomain
88.218.110.181 is a shared IP for some other domains

Thank you

Code:

[root@host1 ~]# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:mysql                     *:*                         LISTEN      2285/mysqld
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2003/portmap
tcp        0      0 *:ndmp                      *:*                         LISTEN      13551/perl
tcp        0      0 *:hosts2-ns                 *:*                         LISTEN      2632/ispconfig_http
tcp        0      0 88.218.110.181:domain       *:*                         LISTEN      21949/named
tcp        0      0 host1.vfxhost.gr:domain     *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.179:domain       *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.178:domain       *:*                         LISTEN      21949/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      21949/named
tcp        0      0 *:squid                     *:*                         LISTEN      332/(squid)
tcp        0      0 *:smtp                      *:*                         LISTEN      32609/master
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.178:40928        mx1-1.vip.spray.net:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:35004        mx2-1.vip.spray.net:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:55854        12.102.252.75:smtp          ESTABLISHED 1765/smtp
tcp        0      1 88.218.110.178:37728        webhosting.mminternet.:smtp SYN_SENT    -
tcp        0      1 88.218.110.178:37317        136.sabela.pl:smtp          SYN_SENT    1538/smtp
tcp        0      1 88.218.110.178:35058        smtp1.sandisk.com:smtp      SYN_SENT    1492/smtp
tcp        0      1 88.218.110.178:35004        smtp1.sandisk.com:smtp      SYN_SENT    1867/smtp
tcp        0      0 88.218.110.178:32817        63.137.9.204.srv.globa:smtp TIME_WAIT   -
tcp        0      0 88.218.110.178:34896        mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 1954/smtp
tcp        0      0 88.218.110.178:34889        mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 852/smtp
tcp        0      0 88.218.110.178:45566        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45516        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45520        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45750        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45753        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45796        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0     36 88.218.110.178:45800        mail-3.mminternet.com:smtp  ESTABLISHED 1607/scache
tcp        0      0 88.218.110.178:45789        mail-3.mminternet.com:smtp  ESTABLISHED 1500/smtp
tcp        0      0 88.218.110.178:45621        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45626        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45624        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45598        mail-3.mminternet.com:smtp  TIME_WAIT   -  
tcp        0      0 88.218.110.178:45599        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45686        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45690        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45991        mail-3.mminternet.com:smtp  ESTABLISHED 1759/smtp
tcp        0      0 88.218.110.178:46006        mail-3.mminternet.com:smtp  ESTABLISHED 1539/smtp
tcp        0      0 88.218.110.178:45974        mail-3.mminternet.com:smtp  ESTABLISHED 2007/smtp
tcp        0      0 88.218.110.178:45858        mail-3.mminternet.com:smtp  ESTABLISHED 1545/smtp
tcp        0      0 88.218.110.178:45891        mail-3.mminternet.com:smtp  ESTABLISHED 1494/smtp
tcp        0      1 88.218.110.178:53032        243.54.62.200.hosts.if:smtp SYN_SENT    1533/smtp
tcp        0      1 88.218.110.178:53018        243.54.62.200.hosts.if:smtp SYN_SENT    1501/smtp
tcp        0      0 88.218.110.178:33744        mta-v9.mail.vip.mud.ya:smtp TIME_WAIT   -
tcp        0      0 88.218.110.178:47537        mail.cccusa.net:smtp        TIME_WAIT   -
tcp        0      0 88.218.110.178:42737        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42743        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42745        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42727        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42729        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0     35 88.218.110.178:42925        mail-1.mminternet.com:smtp  ESTABLISHED 1521/smtp
tcp        0      0 88.218.110.178:42996        mail-1.mminternet.com:smtp  ESTABLISHED 1518/smtp
tcp        0      0 88.218.110.178:42975        mail-1.mminternet.com:smtp  ESTABLISHED 1866/smtp
tcp        0      0 88.218.110.178:42800        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42868        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0     34 88.218.110.178:42856        mail-1.mminternet.com:smtp  ESTABLISHED 1515/smtp
tcp        0      0 88.218.110.178:42863        mail-1.mminternet.com:smtp  ESTABLISHED 1467/smtp
tcp        0      0 88.218.110.178:42846        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:55800        194.158.121.25:smtp         TIME_WAIT   -
tcp        0      0 88.218.110.178:43011        mail-1.mminternet.com:smtp  ESTABLISHED 1536/smtp
tcp        0      0 88.218.110.178:43009        mail-1.mminternet.com:smtp  ESTABLISHED 1468/smtp
tcp        0      0 88.218.110.178:42399        smtp-in.orange.fr:smtp      TIME_WAIT   -
tcp        0      0 88.218.110.178:34524        indignant.cnc.net:smtp      TIME_WAIT   -
tcp        0      0 88.218.110.178:34973        barracuda2.viawest.net:smtp TIME_WAIT   -
tcp        0      0 host1.vfxhost.gr:hosts2-ns  ppp34-141.adsl.forthn:64053 ESTABLISHED 2639/ispconfig_http
tcp        0      0 88.218.110.178:39752        mta-v2.mail.vip.re3.ya:smtp ESTABLISHED 1529/smtp
tcp        0      1 88.218.110.178:49753        venus.dreamam.com:smtp      SYN_SENT    1519/smtp
tcp        0      0 88.218.110.178:43725        ftp.access-bank.com:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:43949        ftp.access-bank.com:smtp    TIME_WAIT   -
tcp        0      1 88.218.110.178:51353        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51343        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51388        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51385        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51376        mail-2.mminternet.com:smtp  SYN_SENT    -                         
tcp        0      1 88.218.110.178:51375        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51363        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51295        mail-2.mminternet.com:smtp  SYN_SENT    1762/smtp
tcp        0      1 88.218.110.178:51265        mail-2.mminternet.com:smtp  SYN_SENT    1527/smtp
tcp        0      1 88.218.110.178:51250        mail-2.mminternet.com:smtp  SYN_SENT    1610/smtp
tcp        0      1 88.218.110.178:51242        mail-2.mminternet.com:smtp  SYN_SENT    1513/smtp
tcp        0      0 88.218.110.178:39845        mx3.earthlink.net:smtp      ESTABLISHED -
.
.
.
tcp        0      0 *:imaps                     *:*                         LISTEN      2308/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2308/dovecot
tcp        0      0 *:pop3                      *:*                         LISTEN      2308/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2308/dovecot
tcp        0      0 *:http                      *:*                         LISTEN      27621/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      18290/proftpd: (acc
tcp        0      0 *:ssh                       *:*                         LISTEN      2176/sshd
tcp        0      0 ::1:rndc                    *:*                         LISTEN      21949/named
tcp        0      0 *:https                     *:*                         LISTEN      27621/httpd
tcp        0      0 ::ffff:88.218.110.181:http  livebot-65-54-188-13.:43408 TIME_WAIT   -
tcp        0    888 host1.vfxhost.gr:ssh        ppp34-141.adsl.forthn:64052 ESTABLISHED 2427/2
tcp        0      0 ::ffff:88.218.110.181:http  livebot-65-54-188-13.:43598 TIME_WAIT   -

 

Looks like somebody is trying to mail bomb you. If the sending IP address/domain is not delivering valid emails, I'd consider firewalling the *.mminternet.com addresses. It's now using your resources. mminternet.com is an (a)DSL provider and I guess they have a zombie botnet in their address space. You can consider contacting them.

 

I retrive a rejected mail today.
It say that my IP address 88.218.110.178 is black listed.
How can this happened? My mail server is not open rellay and I have do everything I know to protect it. Is this isue relayted to mminternet.com?

this is my etc/postfix/main.cf (for mail.v f x h o s t.gr)
Can I do something more here to improve security?

Code:

smtpd_helo_required = yes
disable_vrfy_command = yes

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mailbox_command = 

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names
maximal_queue_lifetime = 2d

 

Please run

Code:

postconf -e 'mynetworks = 127.0.0.0/8'
/etc/init.d/postfix restart

to make sure that only localhost can send without authentication.
Then check if your server is an open relay. If it isn't contact the maintainer of the blacklist and ask him to be removed.

 

Hello falko,
I edited the configuration for mynetworks but the problem remain.
To many smtp connections from diferent hosts.

I checked the relay here:
http://www.antispam-ufrj.pads.ufrj.br/cgi-bin/test-relay.cgi?host_to_test=88.218.110.180

Any good server security how-to?
Thank you

 

This is a part of my logs. What is going on?
I am not a spammer!!

EDIT --- I had to shut down postfix until solve the problem

 

Is it possible that one or more of your users have weak passwords that got cracked by spammers?
I think it's a good idea to change all passwords.

The test is ok.

 

I'm afraid changing all passwords is not possible. Is there any way to find which accound is spamming?

Looking at postfix users from webmin I found "shutdown, ftp, apache, daemon..." Is it possible this accouns to be used by hackers?


What is this?

 

Only by looking at the mail log.

Please check if your server got hacked: http://www.howtoforge.com/faq/1_38_en.html

 

Thanks falko,
No infections found.

logs look like this

What is "from=<>"

 

The sender (maybe a spammer) didn't specify a sender address.

If you can't find a hint which account is used to send spam, I'm afraid the only solution is to change all passwords.