Security Incidents mailing list archives
Spammers?
From: Christopher Wagner <chrisw () pacaids com>
Date: Thu, 27 Feb 2003 10:11:08 -0800
Good day all..

I'm encountering some rather annoying problems with my mail server. It appears as though someone is trying rather desperately to relay through my mail server, and using multiple boxes from all over the place to do it. They are all directed at pacbell.net and they're all from the commonly faked mail from:'s (ie: hotmail, mindspring, earthlink)

Logs:

Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idapaul () pacbell net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x () earthlink net> to=<idapaul () pacbell net>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idar () pacbell net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x () earthlink net> to=<idar () pacbell net>
Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idbyebye () pacbell net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x () earthlink net> to=<idbyebye () pacbell net>
Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idc () pacbell net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x () earthlink net> to=<idc () pacbell net>
--
Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons () pacbell net>: Recipient address rejected: Relay access denied; from=<r275rmd0b () mindspring com> to=<gortons () pacbell net>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2 () pacbell net>: Recipient address rejected: Relay access denied; from=<r275rmd0b () mindspring com> to=<gos2 () pacbell net>
Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaints () pacbell net>: Recipient address rejected: Relay access denied; from=<r275rmd0b () mindspring com> to=<gosaints () pacbell net>
Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosenior () pacbell net>: Recipient address rejected: Relay access denied; from=<r275rmd0b () mindspring com> to=<gosenior () pacbell net>
--
Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardi () pacbell net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4 () hotmail com> to=<jgerardi () pacbell net>
Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfen () pacbell net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4 () hotmail com> to=<jgerfen () pacbell net>
Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerke () pacbell net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4 () hotmail com> to=<jgerke () pacbell net>
--

And so on.. They seem pretty determined to relay, I dunno why, it ain't gonna happen. This seems to happen once a month or so, obviously from a variety of addresses. It almost looks suspiciously like these various machines have either been hacked or they're hiring out their bandwidth to a spammer.

Any suggestions for tracking this down or should I just ignore it? It's not a real drain on my bandwidth or server capacity, the frequency isn't bothersome, just the log entries get annoying after awhile. It doesn't help matters by having all the sources be out of the US, it makes it more difficult to track down.

Thanks folks..

- Christopher Wagner
chrisw () pacaids com
Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116
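
Added example, not part of the original post: one way to condense Postfix "Relay access denied" lines like those quoted above into a per-client summary (attempt count, envelope senders, targeted domains, first and last timestamp) for review or abuse reports. The sample log is constructed with documentation addresses in ordinary user@domain form, and the function names and the three-attempt threshold are assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd relay rejection, in the format of the log lines quoted in the post.
RELAY_REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: 554 .*?Relay access denied; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE_LOG = """\
Feb 25 07:10:37 mx1 postfix/smtpd[101]: reject: RCPT from relay.example.org[198.51.100.7]: 554 <a@example.net>: Recipient address rejected: Relay access denied; from=<r1@example.com> to=<a@example.net>
Feb 25 07:10:43 mx1 postfix/smtpd[101]: reject: RCPT from relay.example.org[198.51.100.7]: 554 <b@example.net>: Recipient address rejected: Relay access denied; from=<r1@example.com> to=<b@example.net>
Feb 25 07:10:48 mx1 postfix/smtpd[101]: reject: RCPT from relay.example.org[198.51.100.7]: 554 <c@example.net>: Recipient address rejected: Relay access denied; from=<r1@example.com> to=<c@example.net>
Feb 25 07:12:02 mx1 postfix/smtpd[102]: reject: RCPT from unknown[192.0.2.10]: 554 <d@example.net>: Recipient address rejected: Relay access denied; from=<x9@example.org> to=<d@example.net>
Feb 25 07:12:05 mx1 postfix/smtpd[102]: connect from unknown[192.0.2.10]
"""

def summarize_relay_rejects(log_text):
    """Group relay rejections by client IP: count, senders, target domains, time span."""
    clients = defaultdict(lambda: {"host": None, "attempts": 0, "senders": set(),
                                   "rcpt_domains": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = RELAY_REJECT.match(line)
        if not m:
            continue  # not a relay rejection (connect/disconnect, other rejects)
        c = clients[m["ip"]]
        c["host"] = m["host"]
        c["attempts"] += 1
        c["senders"].add(m["sender"])
        c["rcpt_domains"].add(m["rcpt"].rpartition("@")[2].lower())
        c["first"] = c["first"] or m["ts"]
        c["last"] = m["ts"]
    return dict(clients)

def repeat_clients(summary, min_attempts=3):
    """Client IPs with at least min_attempts rejections, busiest first."""
    hits = [ip for ip, c in summary.items() if c["attempts"] >= min_attempts]
    return sorted(hits, key=lambda ip: -summary[ip]["attempts"])

if __name__ == "__main__":
    report = summarize_relay_rejects(SAMPLE_LOG)
    for ip in repeat_clients(report, min_attempts=1):
        c = report[ip]
        print(ip, c["host"], c["attempts"], sorted(c["rcpt_domains"]), c["first"], c["last"])
```
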
Current thread:
- Spammers? Christopher Wagner (Mar 04)
- Re: Spammers? jlewis (Mar 04)
- Re: Spammers? Denis Dimick (Mar 04)
- RE: Spammers? James C Slora Jr (Mar 05)