postfix-users

Re: A different kind of attack/probe, how can postfix defend against it?

Subject: Re: A different kind of attack/probe, how can postfix defend against it?
From: Justin Piszcz <jpiszcz AT lucidpixels DOT com>
To: Robert Schetterer <robert AT schetterer DOT org>
Date: Thu, 9 Aug 2007 13:16:12 -0400 (EDT)


On Thu, 9 Aug 2007, Robert Schetterer wrote:


Justin Piszcz schrieb:
Recently, I saw this in my logs:

With iptables I guess I could specify something to block port 25 if it
gets hit too many times from _ANY_ IP, but that would block legitimate
mail; however, it seems as if it's the only or best option?

Aug  9 12:47:19 l2 postfix/smtpd[12676]: connect from mx181.populationarea.com[69.31.50.181]
Aug  9 12:47:24 l2 postfix/smtpd[12676]: disconnect from mx181.populationarea.com[69.31.50.181]
Aug  9 12:47:26 l2 postfix/smtpd[12676]: connect from mx190.webcastersradio.com[69.31.50.190]
Aug  9 12:47:30 l2 postfix/smtpd[12676]: disconnect from mx190.webcastersradio.com[69.31.50.190]
Aug  9 12:47:31 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:35 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:36 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:41 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:43 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:47 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
Aug  9 12:47:49 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:47:53 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:47:54 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:47:59 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:48:01 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:48:05 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
Aug  9 12:48:07 l2 postfix/smtpd[12676]: connect from mx166.censusarea.com[69.31.50.166]
Aug  9 12:48:11 l2 postfix/smtpd[12676]: disconnect from mx166.censusarea.com[69.31.50.166]
Aug  9 12:48:12 l2 postfix/smtpd[12676]: connect from mx166.censusarea.com[69.31.50.166]
Aug  9 12:48:22 l2 postfix/smtpd[12676]: disconnect from mx166.censusarea.com[69.31.50.166]
Aug  9 12:48:23 l2 postfix/smtpd[12676]: connect from mx173.officecent.com[69.31.50.173]
Aug  9 12:48:27 l2 postfix/smtpd[12676]: disconnect from mx173.officecent.com[69.31.50.173]
Aug  9 12:48:28 l2 postfix/smtpd[12676]: connect from mx172.officecent.com[69.31.50.172]
Aug  9 12:48:33 l2 postfix/smtpd[12676]: disconnect from mx172.officecent.com[69.31.50.172]
Aug  9 12:48:35 l2 postfix/smtpd[12676]: connect from mx168.offcentral.com[69.31.50.168]
Aug  9 12:48:39 l2 postfix/smtpd[12676]: disconnect from mx168.offcentral.com[69.31.50.168]
Aug  9 12:48:41 l2 postfix/smtpd[12676]: connect from mx163.censusarea.com[69.31.50.163]
Aug  9 12:48:45 l2 postfix/smtpd[12676]: disconnect from mx163.censusarea.com[69.31.50.163]
Aug  9 12:48:46 l2 postfix/smtpd[12676]: connect from mx163.censusarea.com[69.31.50.163]
Aug  9 12:48:51 l2 postfix/smtpd[12676]: disconnect from mx163.censusarea.com[69.31.50.163]
Aug  9 12:48:52 l2 postfix/smtpd[12676]: connect from mx179.populationarea.com[69.31.50.179]
Aug  9 12:48:56 l2 postfix/smtpd[12676]: disconnect from mx179.populationarea.com[69.31.50.179]
Aug  9 12:48:58 l2 postfix/smtpd[12676]: connect from mx183.shippingkick.com[69.31.50.183]
Aug  9 12:49:02 l2 postfix/smtpd[12676]: disconnect from mx183.shippingkick.com[69.31.50.183]
Aug  9 12:49:03 l2 postfix/smtpd[12676]: connect from mx188.webcastersradio.com[69.31.50.188]
Aug  9 12:49:08 l2 postfix/smtpd[12676]: disconnect from mx188.webcastersradio.com[69.31.50.188]
Aug  9 12:49:10 l2 postfix/smtpd[12676]: connect from mx178.populationarea.com[69.31.50.178]
Aug  9 12:49:14 l2 postfix/smtpd[12676]: disconnect from mx178.populationarea.com[69.31.50.178]

I installed fail2ban yesterday; this may help, but if you know the IPs
I would simply drop them statically with iptables, or perhaps their whole net.

--
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

Germany/Bavaria/Munich


I agree, fail2ban rocks and I use it all the time, but this attack was from many different IPs and not just a few (there were more).

Justin.
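The detection this thread circles around, as an added example rather than anything from the thread, Postfix or fail2ban: a Python pass over smtpd "connect from" lines that groups clients by /24 and flags a block when several distinct hosts in it connect within a short window, which is exactly what per-IP counting misses when a probe is spread across one netblock. The sample log lines, hostnames, thresholds and function names are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# "connect from host[addr]" as postfix/smtpd logs it; syslog timestamps carry
# no year, so strptime fills in 1900, which is fine for computing deltas.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]$"
)

def parse_connects(lines):
    """Yield (timestamp, client_ip) for every smtpd 'connect from' line."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"]

def flag_networks(lines, prefixlen=24, min_hosts=3, window_seconds=120):
    """Return {network: hosts} for each /prefixlen from which at least
    min_hosts distinct clients connected inside one window_seconds window;
    a per-IP counter (fail2ban, anvil) never sees these as one source."""
    by_net = defaultdict(list)
    for ts, ip in parse_connects(lines):
        by_net[str(ip_network(f"{ip}/{prefixlen}", strict=False))].append((ts, ip))
    flagged = {}
    for net, events in by_net.items():
        events.sort()  # chronological, so each window scans forward only
        best = 0
        for i, (start, _) in enumerate(events):
            inside = {ip for ts, ip in events[i:]
                      if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(inside))
        if best >= min_hosts:
            flagged[net] = best
    return flagged

# Constructed sample in the thread's log format, using RFC 5737 documentation
# addresses and made-up hostnames rather than the addresses from the post.
SAMPLE_LOG = """
Aug  9 12:47:19 l2 postfix/smtpd[12676]: connect from mx1.example.net[192.0.2.181]
Aug  9 12:47:24 l2 postfix/smtpd[12676]: disconnect from mx1.example.net[192.0.2.181]
Aug  9 12:47:26 l2 postfix/smtpd[12676]: connect from mx2.example.org[192.0.2.190]
Aug  9 12:47:31 l2 postfix/smtpd[12676]: connect from mx3.example.com[192.0.2.184]
Aug  9 12:47:35 l2 postfix/smtpd[12676]: disconnect from mx3.example.com[192.0.2.184]
Aug  9 12:47:36 l2 postfix/smtpd[12676]: connect from mx3.example.com[192.0.2.184]
Aug  9 12:51:00 l2 postfix/smtpd[12676]: connect from mail.example.edu[198.51.100.7]
""".strip().splitlines()
```

With the defaults, `flag_networks(SAMPLE_LOG)` reports only 192.0.2.0/24 with three distinct hosts; the lone 198.51.100.7 client stays unflagged, and a 5-second window drops the block below the threshold.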
