| Linode Forum https://forum.linode.com/ |
|
| My linode has been banned for SPAM! Please help. https://forum.linode.com/viewtopic.php?f=11&t=10478 |
Page 2 of 2 |
| Author: | sblantipodi [ Fri Oct 04, 2013 1:18 pm ] |
| Post subject: | Re: My linode has been banned for SPAM! Please help. |
sweh wrote: It is, now! You are welcome, talk where you want but do that without me |
|
| Author: | sblantipodi [ Fri Oct 04, 2013 3:22 pm ] |
| Post subject: | Re: My linode has been banned for SPAM! Please help. |
thread for my disappointment: viewtopic.php?f=22&t=10480 |
|
| Author: | sblantipodi [ Sat Oct 05, 2013 8:58 am ] |
| Post subject: | Re: My linode has been banned for SPAM! Please help. |
Code:
Oct 5 14:50:59 netstar postfix/smtpd[3849]: lost connection after UNKNOWN from unknown[220.172.191.30]

I'm again under attack but this time my postfix is saying fuckoff to them, damn bastards. I'm receiving hundreds of messages like the one I quoted in the maillog. Now I banned that IP with iptables. I need to add a rule in fail2ban to ban this type of request. Have you got an idea on how to add a rule in fail2ban to ban this kind of request? |
|
| Author: | sleddog [ Sat Oct 05, 2013 9:12 am ] |
| Post subject: | Re: My linode has been banned for SPAM! Please help. |
Something like this:

Code:
/etc/fail2ban/filter.d/dovecot-pop3imap.conf

Edit as necessary of course.... |
|
| Author: | sblantipodi [ Sat Oct 05, 2013 9:30 am ] |
| Post subject: | Re: My linode has been banned for SPAM! Please help. |
I'm analyzing the maillog from when my server was attacked and when it was sending spam. In the maillog I have thousands of lines like this:

Quote:
Oct 2 04:57:16 netstar postfix/error[31271]: BF1725945: to=<test@members.linode.com>, relay=none, delay=147692, delays=147691/0.19/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to members.linode.com[67.18.186.61]:25: Connection refused)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)

and there are hundreds of mails like this that confirm that they used postfix to send out the spam:

Quote:
Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)
Oct 2 11:54:38 netstar postfix/smtp[9053]: 2746851F5: to=<colton.adams@manordev.ch>, relay=feed.alexb.ch[91.208.173.143]:25, delay=1.2, delays=0.25/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D3D0F40130)

I don't understand what QMGR is and how they have sent messages from test@members.linode.com using my VPS while I don't have a test user and my domain name is not related to linode.com.

I added this:
reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination
to the smtpd_sender_restrictions after the attack. Do you think that that was the cause of the connection from the test account? I hadn't set those restrictions when I was attacked. Do you think that this was the cause? I haven't any test account on my system. |
|
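Added example, not part of any post in this thread: a small Python triage script for the two maillog patterns quoted above, counting clients that repeatedly drop the SMTP session at the UNKNOWN stage and listing queued envelope senders whose domain is not the server's own. The function names, the threshold and the local domain example.org are assumptions; the sample log mixes lines from the posts with two constructed ones, as marked.

```python
import re
from collections import Counter

# Constructed sample: lines 1, 3, 4 and 5 are copied from the posts above;
# line 2 (a repeat probe) and line 6 (a legitimate local sender) are made up.
SAMPLE_LOG = """\
Oct 5 14:50:59 netstar postfix/smtpd[3849]: lost connection after UNKNOWN from unknown[220.172.191.30]
Oct 5 14:51:02 netstar postfix/smtpd[3851]: lost connection after UNKNOWN from unknown[220.172.191.30]
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A8E0C52F8: from=<test@members.linode.com>, size=1368, nrcpt=1 (queue active)
Oct 2 09:47:16 netstar postfix/qmgr[22640]: A6BBA5561: from=<>, size=6300, nrcpt=1 (queue active)
Oct 2 11:54:38 netstar postfix/qmgr[22640]: D6097524C: from=<test@members.linode.com>, size=2018, nrcpt=1 (queue active)
Oct 2 12:00:01 netstar postfix/qmgr[22640]: 1A2B3C4D5: from=<admin@example.org>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs this when a client disconnects mid-session; group 1 is the SMTP
# stage that was reached, group 2 the client address.
LOST = re.compile(r"postfix/smtpd\[\d+\]: lost connection after (\S+) from \S+\[([0-9A-Fa-f.:]+)\]")
# qmgr (the Postfix queue manager) logs the envelope sender of each queued message.
QUEUED = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<([^>]*)>")


def dropped_clients(log, stages=("UNKNOWN",), threshold=2):
    """Return {ip: count} for clients that dropped at one of `stages` at least `threshold` times."""
    hits = Counter()
    for line in log.splitlines():
        m = LOST.search(line)
        if m and m.group(1) in stages:
            hits[m.group(2)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def foreign_senders(log, local_domains):
    """Return {sender: count} for queued mail whose sender domain is not one of ours."""
    hits = Counter()
    for line in log.splitlines():
        m = QUEUED.search(line)
        if not m or not m.group(1):  # from=<> is the null sender used by bounces
            continue
        domain = m.group(1).rpartition("@")[2].lower()
        if domain not in local_domains:
            hits[m.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    print("candidates to ban:", dropped_clients(SAMPLE_LOG))
    # "example.org" stands in for the server's own mail domain (assumption).
    print("senders that are not ours:", foreign_senders(SAMPLE_LOG, {"example.org"}))
```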
| All times are UTC-04:00 |
|