I'm analyzing the maillog when my server was attacked and when it was sending spam,
in the maillog I have thousands of lines like this:
Quote:
Oct 2 04:57:16 netstar postfix/error[31271]: BF1725945: to=<test@members.linode.com>, relay=none, delay=147692, delays=147691/0.19/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to members.linode.com[67.18.186.61]:25: Connection refused)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)
and there are hundreds of mails like this that confirm that they used Postfix to send out the spam:
Quote:
Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)
Oct 2 11:54:38 netstar postfix/smtp[9053]: 2746851F5: to=<colton.adams@manordev.ch>, relay=feed.alexb.ch[91.208.173.143]:25, delay=1.2, delays=0.25/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D3D0F40130)
I don't understand what QMGR is and how they have sent messages from
test@members.linode.com using my VPS while I don't have a test user and my domain name is not related to linode.com.
I added this:
reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination
to smtpd_sender_restrictions after the attack. Do you think that was the cause of the connection from the test account?
I hadn't set those restrictions when I was attacked. Do you think that this was the cause?
I don't have any test account on my system.
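One way to get answers out of a maillog like the one above is to correlate the lines by queue ID. In Postfix, qmgr is the queue manager: it logs every message entering the active queue together with its envelope sender (from=), while smtp and error log the per-recipient delivery result (status=sent, status=deferred, and so on) under the same queue ID. A sender of from=<> is the null sender Postfix uses for bounces and delivery status notifications, not a local account. The script below is an added example, not code from the poster or from the Postfix project; it parses constructed sample lines modelled on the excerpts in the post (hostnames, IPs and queue IDs are illustrative placeholders), counts envelope senders and delivery statuses, and flags queue IDs whose envelope sender domain is not one of the domains you give it, which is the kind of triage that shows whether an open-relay or compromised-account pattern is present.

```python
import re
from collections import Counter

# Constructed sample maillog lines, modelled on the post's excerpts.
# Hostnames, IPs (TEST-NET ranges) and queue IDs are placeholders.
SAMPLE_LOG = """\
Oct 2 04:57:16 netstar postfix/error[31271]: BF1725945: to=<test@members.linode.com>, relay=none, delay=147692, delays=147691/0.19/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to members.linode.com[192.0.2.10]:25: Connection refused)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)
Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)
Oct 2 11:54:38 netstar postfix/qmgr[22640]: 2746851F5: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Oct 2 11:54:39 netstar postfix/smtp[9053]: 2746851F5: to=<recipient@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=1.2, delays=0.25/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D3D0F40130)
"""

# Syslog prefix, Postfix daemon name, PID and queue ID; the rest is key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# Values are either an angle-bracketed address (possibly empty, i.e. <>) or a
# comma/space-free token; trailing parenthesised detail is deliberately ignored.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")


def parse_line(line):
    """Return a dict of fields for one Postfix log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: v.strip("<>") for k, v in KV_RE.findall(rec["rest"])})
    return rec


def summarize(log_text, local_domains):
    """Count envelope senders and delivery statuses, and flag queue IDs whose
    envelope sender belongs to a domain this server is not responsible for."""
    senders = Counter()      # envelope sender -> messages entering the active queue
    by_status = Counter()    # sent / deferred / bounced ...
    foreign = set()          # queue IDs with a non-local envelope sender domain
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["daemon"] == "qmgr" and "from" in rec:
            sender = rec["from"] or "<>"   # empty address is the null (bounce) sender
            senders[sender] += 1
            domain = sender.rpartition("@")[2]
            if sender != "<>" and domain not in local_domains:
                foreign.add(rec["qid"])
        elif "status" in rec:
            by_status[rec["status"]] += 1
    return {
        "senders": senders,
        "by_status": by_status,
        "foreign_queue_ids": sorted(foreign),
    }


if __name__ == "__main__":
    # "example.org" stands in for the domains this server legitimately sends for.
    for key, value in summarize(SAMPLE_LOG, {"example.org"}).items():
        print(f"{key}: {value}")
```

Run it against your real log with `summarize(open("/var/log/maillog").read(), {"yourdomain.tld"})`: a large count for a single non-local envelope sender, paired with many status=sent lines to outside relays, is the signature the post describes. Note that an envelope sender does not have to correspond to a local account; it is whatever the submitting client put in MAIL FROM, which is why checking how the messages were accepted (open relay via smtpd, or an authenticated but compromised account) matters more than the sender address itself.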