
Sendmail under attack?

Status
Not open for further replies.

QatQat

IS-IT--Management
Nov 16, 2001
1,031
IT
Hi everyone,


below is a very short extract from my logwatch.
Code:
  26 (25 max): from <bobcat@wris.com> via ctb-mesg9.saix.net, to <bondmanship@doraskean.interchanges.net>: 1 Time(s)
  26 (25 max): from <bobcat@wris.com> via localhost, to <bondmanship@doraskean.interchanges.net>: 2 Time(s)
  26 (25 max): from <deborahmccloskey@camper-net.com> via ctb-mesg3.saix.net, to <iamjustsendingthisleter@defects.mistrusted.interchanges.net>: 1 Time(s)
  26 (25 max): from <deborahmccloskey@camper-net.com> via localhost, to <iamjustsendingthisleter@defects.mistrusted.interchanges.net>: 2 Time(s)
  26 (25 max): from <deborahmichalak@calllpb.com> via ctb-mesg7.saix.net, to <iamjustsendingthisleter@sawmill.collegiate.interchanges.net>: 1 Time(s)
  26 (25 max): from <deborahmichalak@calllpb.com> via localhost, to <iamjustsendingthisleter@sawmill.collegiate.interchanges.net>: 2 Time(s)
  26 (25 max): from <deborahmilligan@camanche-ranch.com> via ctb-mesg2.saix.net, to <iamjustsendingthisleter@defects.mistrusted.interchanges.net>: 1 Time(s)
  26 (25 max): from <deborahmilligan@camanche-ranch.com> via localhost, to <iamjustsendingthisleter@defects.mistrusted.interchanges.net>: 2 Time(s)
  26 (25 max): from <deborahnoriega@cal-equity.com> via ctb-mesg8.saix.net, to <iamjustsendingthisleter@henceforth.interchanges.net>: 1 Time(s)
  26 (25 max): from <deborahnoriega@cal-equity.com> via localhost, to <iamjustsendingthisleter@henceforth.interchanges.net>: 2 Time(s)
  26 (25 max): from <deborahogzowrzufhot@bonecollectors.com> via ctb-mesg5.saix.net, to <iamjustsendingthisleter@doraskean.interchanges.net>: 1 Time(s)

There are hundreds of other lines like this, all concerning the same domain on my server (interchanges.net) and no other. I am hosting more than 10 domains for mail and only this one shows all this weird activity. Am I being attacked? Otherwise, what is happening and how do I stop this?


Thanks.

QatQat

Life is what happens when you are making other plans.
 
I wouldn't say that was an attack, just a spammer attempting to use your server. You could block out the source, but they usually change mail and IP addresses quite frequently. How long has this been going on for?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Hi Grenage,


it happens every single day, and I had a suspicion that they were trying to relay through my server.


I have enabled DNSBL in sendmail but obviously, as you said, their address changes continuously, hence they manage to not get blocked.



My passwords are very strong and external relay is not allowed at all so I am not worried, just annoyed.
Any way I can stop them?


QatQat

Life is what happens when you are making other plans.
 
This is the irksome part of spam control really. You cannot stop them without implementing some third-party equipment; there needs to be an intelligent system that thinks "he's tried 500 times, he's probably a spammer". It will then just drop the connections.

You can't really block them manually yourself because there is no real way for it to tell a legitimate attempt from a spammer.

We use a Ciphertrust Ironmail here, which manages spam connections and blacklists certain IP addresses and ranges. It might well be overkill for your needs if you're only getting a thousand or so of those connection attempts per day. Personally, I'd probably leave it unless the connection was becoming choked.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
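
An added example, not part of the original thread: a Python sketch that parses logwatch entries in the format posted above (including entries wrapped across lines) and totals attempts per hosted domain and per external relay, flagging anything at or above a threshold in the spirit of the "he's tried 500 times" rule. The sample lines, the domain names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the logwatch extract in the thread.
SAMPLE = """\
26 (25 max): from <a@sender-one.example> via relay1.example.net, to <x@sub.hosted.example>: 1 Time(s)
26 (25 max): from <a@sender-one.example> via localhost, to <x@sub.hosted.example>: 2 Time(s)
26 (25 max): from <b@sender-two.example> via relay2.example.net, to
<y@other.sub.hosted.example>: 1 Time(s)
26 (25 max): from <c@sender-three.example> via relay1.example.net, to <z@elsewhere.example>: 1 Time(s)
"""

ENTRY = re.compile(
    r"(?P<count>\d+) \((?P<limit>\d+) max\): from <(?P<sender>[^>]*)> "
    r"via (?P<relay>[^,\s]+), to <(?P<rcpt>[^>]*)>: (?P<times>\d+) Time\(s\)"
)

def parse(text):
    """Return one dict per entry; wrapped entries are rejoined first."""
    flat = " ".join(text.split())  # collapse line wraps and indentation
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def tally(entries, hosted_domains):
    """Sum the 'N Time(s)' counts per hosted domain and per external relay."""
    by_domain, by_relay = Counter(), Counter()
    for e in entries:
        n = int(e["times"])
        host = e["rcpt"].rsplit("@", 1)[-1].lower()
        # Match the recipient host or any subdomain of a hosted domain.
        domain = next((d for d in hosted_domains
                       if host == d or host.endswith("." + d)), "(other)")
        by_domain[domain] += n
        if e["relay"] != "localhost":  # local re-submission is not a source
            by_relay[e["relay"]] += n
    return by_domain, by_relay

def over_threshold(counter, threshold):
    """Keys whose total meets the threshold, sorted for stable output."""
    return sorted(k for k, n in counter.items() if n >= threshold)

if __name__ == "__main__":
    domains, relays = tally(parse(SAMPLE), ["hosted.example"])
    print("per domain:", dict(domains))
    print("relays at or over threshold:", over_threshold(relays, 2))
```

Run it over a full logwatch report with the real list of hosted domains and a threshold suited to the daily volume to see whether the traffic really targets a single domain and which relays deliver most of it.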
 