Security Incidents mailing list archives

Spammers?


From: Christopher Wagner <chrisw () pacaids com>
Date: Thu, 27 Feb 2003 10:11:08 -0800

Good day all..

I'm encountering some rather annoying problems with my mail server.

It appears as though someone is trying rather desperately to relay through
my mail server, and using multiple boxes from all over the place to do it.
They are all directed at pacbell.net and they're all from the commonly faked
mail from:'s (i.e. hotmail, mindspring, earthlink).

Logs:

Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from
unknown[62.117.66.182]: 554 <idapaul () pacbell net>: Recipient address
rejected: Relay access denied; from=<t1p2dj10x () earthlink net>
to=<idapaul () pacbell net>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from
unknown[62.117.66.182]: 554 <idar () pacbell net>: Recipient address rejected:
Relay access denied; from=<t1p2dj10x () earthlink net> to=<idar () pacbell net>
Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from
unknown[62.117.66.182]: 554 <idbyebye () pacbell net>: Recipient address
rejected: Relay access denied; from=<t1p2dj10x () earthlink net>
to=<idbyebye () pacbell net>
Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from
unknown[62.117.66.182]: 554 <idc () pacbell net>: Recipient address rejected:
Relay access denied; from=<t1p2dj10x () earthlink net> to=<idc () pacbell net>
--
Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from
kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons () pacbell net>: Recipient
address rejected: Relay access denied; from=<r275rmd0b () mindspring com>
to=<gortons () pacbell net>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from
kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2 () pacbell net>: Recipient
address rejected: Relay access denied; from=<r275rmd0b () mindspring com>
to=<gos2 () pacbell net>
Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from
kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaints () pacbell net>:
Recipient address rejected: Relay access denied;
from=<r275rmd0b () mindspring com> to=<gosaints () pacbell net>
Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from
kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosenior () pacbell net>:
Recipient address rejected: Relay access denied;
from=<r275rmd0b () mindspring com> to=<gosenior () pacbell net>
--
Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from
ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardi () pacbell net>:
Recipient address rejected: Relay access denied;
from=<wf97vp1tl4 () hotmail com> to=<jgerardi () pacbell net>
Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from
ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfen () pacbell net>:
Recipient address rejected: Relay access denied;
from=<wf97vp1tl4 () hotmail com> to=<jgerfen () pacbell net>
Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from
ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerke () pacbell net>:
Recipient address rejected: Relay access denied;
from=<wf97vp1tl4 () hotmail com> to=<jgerke () pacbell net>
--
And so on..  They seem pretty determined to relay, I dunno why, it ain't
gonna happen.  This seems to happen once a month or so, obviously from a
variety of addresses.  It almost looks suspiciously like these various
machines have either been hacked or they're hiring out their bandwidth to a
spammer.

Any suggestions for tracking this down or should I just ignore it?  It's not
a real drain on my bandwidth or server capacity, the frequency isn't
bothersome, just the log entries get annoying after a while.  It doesn't help
matters by having all the sources be out of the US, it makes it more
difficult to track down.

Thanks folks..

- Christopher Wagner
chrisw () pacaids com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116
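
One way to condense the "Relay access denied" entries quoted in the message above into a per-client summary (an added example, not part of the original post). The sample lines are constructed in the same Postfix format with documentation addresses; the names `unwrap`, `summarize` and the `list_walk` flag (recipients arriving in sorted order, as in the quoted excerpts) are assumptions of this example.

```python
import re

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog entry start
# Postfix smtpd relay rejection, in the line format quoted in the post.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"554 .*?Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample input (RFC 5737 addresses, example domains); the second
# entry is hard-wrapped the way log lines pasted into an e-mail usually are.
SAMPLE = """\
Feb 25 07:12:02 mx postfix/smtpd[100]: reject: RCPT from unknown[192.0.2.10]: 554 <aaron@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<aaron@example.net>
Feb 25 07:12:08 mx postfix/smtpd[100]: reject: RCPT from
unknown[192.0.2.10]: 554 <abby@example.net>: Recipient address rejected:
Relay access denied; from=<x1@example.com> to=<abby@example.net>
Feb 25 07:12:13 mx postfix/smtpd[100]: reject: RCPT from unknown[192.0.2.10]: 554 <abe@example.net>: Recipient address rejected: Relay access denied; from=<x1@example.com> to=<abe@example.net>
Feb 25 07:12:20 mx postfix/smtpd[101]: reject: RCPT from host.example.org[198.51.100.7]: 554 <zed@example.net>: Recipient address rejected: Relay access denied; from=<y2@example.com> to=<zed@example.net>
Feb 25 07:12:30 mx postfix/smtpd[102]: connect from unknown[203.0.113.5]
"""

def unwrap(text):
    """Rejoin hard-wrapped entries; a new entry starts with a syslog timestamp."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text, min_attempts=3):
    """Group relay rejections by client IP, keeping recipients in arrival order."""
    clients = {}
    for m in filter(None, map(REJECT.search, unwrap(text))):
        c = clients.setdefault(m["ip"], {"host": m["host"], "rcpts": [], "senders": set()})
        c["rcpts"].append(m["rcpt"])
        c["senders"].add(m["sender"])
    for c in clients.values():
        c["attempts"] = len(c["rcpts"])
        c["rcpt_domains"] = {r.rpartition("@")[2] for r in c["rcpts"]}
        # Recipients arriving in sorted order suggest a client walking an address list.
        c["list_walk"] = c["attempts"] >= min_attempts and c["rcpts"] == sorted(c["rcpts"])
    return clients

if __name__ == "__main__":
    for ip, c in summarize(SAMPLE).items():
        print(ip, c["host"], c["attempts"], sorted(c["rcpt_domains"]), c["list_walk"])
```

The per-client counts and recipient domains are what an abuse report to the source network's contact would need, and the same grouping works as a basis for a rate-limit or temporary block decision.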
 
