[Site Home] [Forum Home] [Articles] [File DB] [News Archives]

Networks/Telecom/Security -> Email Server Attack??


(View original topic)


ladytech - Jan-31-2004 server time
From the log and the timing plus the recent 'mydoom' virus. I would say your server like all the others in the world right now is receiving email from the 'mydoom' virus. This virus can spoof an address which is why the 'unknown user' It will probably continue until the virus is under control. My email servers have been experiencing the same problems for about the same time period as you mention. Try not to block the IP's though. If the email is going to your server that means the virus got the domain address from someone who has you or one of your users in their address book. You may find out you have complaints later from people who can no longer email you or your users.

Make sure you virus protection for your email server is up to date. I wouldn't worry too much about DDS right now. This virus is aiming for SCO and Microsoft.

you may want to warn people you email frequently though that one of them probably has the virus.

Red Squirrel - Jan-31-2004 server time
Glad you like it. check out the cybervillage area, we have some neat toys there. You can't buy much yet but save up. em320.gif

Equalizer - Jan-31-2004 server time
QUOTE (Red Squirrel @ Jan 31 2004, 12:53 AM)
Oh, and welcome to the forums. wave.gif

Thanx smile.gif

Pretty impressive.



Equalizer - Jan-31-2004 server time
QUOTE (Red Squirrel @ Jan 31 2004, 12:52 AM)
Hmmm, does not really look that suspicious, but I don't know that software either so it's hard to tell. But by looking at the time stamps, I don't think it's spam, unless it's being done slowly, which usually is not the case durring attacks. It could be another type of attack, but that I'm not sure either. Best thing to do is block the IP/email and go from there.

Thanx for the response.

I was thinking it might be some attempt to slow down my server or something.

It's probably more for annoyance sake then anything else. I wouldn't have even noticed it if I wasn't such a LOG/CONTROL freak.. cool.gif

In any case, thanks again. I just wanted to make sure it wasn't something serious or a prelude to something serious.

As Mr Spock would say, "A difference which makes no difference, IS no difference."




brandon - Jan-30-2004 server time
DoS maybe????

But then again, the attacks seem to infrequent.

Red Squirrel - Jan-30-2004 server time
Oh, and welcome to the forums. wave.gif

Red Squirrel - Jan-30-2004 server time
Hmmm, does not really look that suspicious, but I don't know that software either so it's hard to tell. But by looking at the time stamps, I don't think it's spam, unless it's being done slowly, which usually is not the case durring attacks. It could be another type of attack, but that I'm not sure either. Best thing to do is block the IP/email and go from there.

Equalizer - Jan-30-2004 server time
I have been seeing some wierd entries in my /var/log/maillog. It's been going on constantly for almost a week. I suspect harrassment. That someone is making an "attack" on my mail server. Or it could be something as simple as I misconfigured my server.

What will happen is the emails appear to some from one IP. I will then put the IP in my /etc/mail/access file with a REJECT tag and then, after a few attempts, the UNKNOWN USER emails will start from a new and totally unrelated IP. And so on and so on.

Any clue as to exactly what this is would be most appreciated.

My system is Fedora Core 1 and I am using Sendmail with Spamassassin.


Here are the relevant log entries:

Jan 30 21:56:29 pln sendmail[13265]: i0V2uQuE013265: <steve@pln.cc>... User unknown
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: from=<peter@netnitco.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 21:56:57 pln sendmail[13266]: i0V2upuE013266: <steve@pln.cc>... User unknown
Jan 30 21:56:59 pln sendmail[13266]: i0V2upuE013266: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 21:56:59 pln sendmail[13266]: i0V2upuE013266: from=<peter@netnitco.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 21:57:46 pln sendmail[13269]: i0V2vQuE013269: <steve@pln.cc>... User unknown
Jan 30 21:57:50 pln sendmail[13269]: i0V2vQuE013269: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt

Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: <jim@pln.cc>... User unknown
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: lost input channel from dt153nbd.tampabay.rr.com [24.92.199.189] to MTA after rcpt
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: from=<sales@studiotec.fi>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dt153nbd.tampabay.rr.com [24.92.199.189]
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: <jim@pln.cc>... User unknown
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: lost input channel from dt153nbd.tampabay.rr.com [24.92.199.189] to MTA after rcpt
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: from=<sales@studiotec.fi>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dt153nbd.tampabay.rr.com [24.92.199.189]
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: <maria@pln.cc>... User unknown
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=whsecure2.net [66.250.218.13]
Jan 30 23:11:26 pln sendmail[13555]: i0V4BPuE013555: <matt@pln.cc>... User unknown
Jan 30 23:11:26 pln sendmail[13555]: i0V4BPuE013555: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ms-smtp-04-smtplb.tampabay.rr.com [65.32.5.134]
Jan 30 23:13:31 pln sendmail[13559]: i0V4DSuE013559: <david@pln.cc>... User unknown
Jan 30 23:13:37 pln sendmail[13559]: i0V4DSuE013559: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 23:13:37 pln sendmail[13559]: i0V4DSuE013559: from=<leo@freemail.hu>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 23:14:01 pln sendmail[13562]: i0V4DxuE013562: <david@pln.cc>... User unknown
Jan 30 23:14:02 pln sendmail[13562]: i0V4DxuE013562: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 23:14:02 pln sendmail[13562]: i0V4DxuE013562: from=<leo@freemail.hu>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]

(Showing 50 last posts, newest on top)