VRFY postmaster [rejected]

zvrcvm

Programmer
Aug 1, 2002
23
MX
Hi,
I have my maillog full of these lines:

Aug 21 09:33:39 www sendmail[33659]: h7LGXdXZ033659: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:34:04 www sendmail[35130]: h7LGY4XZ035130: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:34:09 www sendmail[35406]: h7LGY9XZ035406: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:34:34 www sendmail[35542]: h7LGYYXZ035542: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:34:39 www sendmail[35565]: h7LGYdXZ035565: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:35:04 www sendmail[35954]: h7LGZ4XZ035954: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:35:09 www sendmail[35994]: h7LGZ9XZ035994: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:35:34 www sendmail[36142]: h7LGZYXZ036142: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]

As you can see, these lines are repeated every 30 secs.

What does it mean and how can I fix it?

Thanks

G.
 
I hate to state the obvious, but do you have a postmaster account properly set up on this box?

There is no God, only 10001010
 
:) yes I have.
And, the IP addresses and domainname that appear in the log are always the same and do not have any relation with my server...

 
Is this a new install or a system that has been running for a while and this just started happening?

Did you check and see if you are running an open relay?

The new SoBig worms are probing right now looking for open relays. Version F of SoBig is dangerous because it has a spammer like mentality.

There is no God, only 10001010
 
My server has been running for several months. This started about 2 weeks ago.

I'm not running any open relay. I'm relaying my own domains only.

I had 2 spamming attacks yesterday on 2 different 'open formmail' scripts, but I have immediately closed them and this has no relation to the problem.

I know Sobig F, I do not think it is responsible.

The only thing I can add is that I realized in this moment that the domainname that appears in maillog is my colocation provider...
 
Did you try entering the offending IP addresses in your access file with a REJECT?

There is no God, only 10001010
 
I've just tried, and the result is that now it is filling my maillog with this:

Aug 21 12:39:52 www sendmail[76060]: ruleset=check_relay, arg1=[111.222.33.44], arg2=111.222.33.44, relay=[111.222.33.44], reject=550 5.7.1 Access denied
Aug 21 12:39:55 www sendmail[76089]: ruleset=check_relay, arg1=fw0.domainname.com, arg2=123.45.67.89, relay=fw0.domainname.com [123.45.67.89], reject=550 5.7.1 Access denied
Aug 21 12:40:22 www sendmail[76545]: ruleset=check_relay, arg1=[111.222.33.44], arg2=111.222.33.44, relay=[111.222.33.44], reject=550 5.7.1 Access denied
Aug 21 12:40:25 www sendmail[76560]: ruleset=check_relay, arg1=fw0.domainname.com, arg2=123.45.67.89, relay=fw0.domainname.com [123.45.67.89], reject=550 5.7.1 Access denied

Any more to do?? ( I just tried to cry, but with no results ... :)))
 
That is what you should have gotten. The messages don't make it to the mailer anymore, they are simply discarded. I have hundreds of these per day on my mail server from access lists I have created blocking spammers etc.

If these messages are coming every 30 seconds, could there be an infected PC somewhere on your wire at your co-location provider that is mail bombing you?

There is no God, only 10001010
 
Thanks.
I will ask my colocation provider to check this.
 
Could also filter the IP with Netfilter (iptables) or old ipchains if you still use it and never hear from or see again.

 
Thanks openpair,

but my server runs on FreeBSD.
Aren't Netfilter / ipchains for Linux only??
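
Added example, not part of the original thread and not any poster's code: a small Python summary of the rejected VRFY entries discussed above, grouped by source address with the interval between attempts, so a fixed cadence like the 30 seconds reported here stands out. The regular expression is fitted to the log lines quoted in the thread; the function name, the `min_hits` threshold and the 2-second jitter tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input: the maillog lines quoted in the thread, plus one check_relay line.
SAMPLE = """\
Aug 21 09:33:39 www sendmail[33659]: h7LGXdXZ033659: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:34:04 www sendmail[35130]: h7LGY4XZ035130: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:34:09 www sendmail[35406]: h7LGY9XZ035406: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:34:34 www sendmail[35542]: h7LGYYXZ035542: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:34:39 www sendmail[35565]: h7LGYdXZ035565: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:35:04 www sendmail[35954]: h7LGZ4XZ035954: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 09:35:09 www sendmail[35994]: h7LGZ9XZ035994: [111.222.33.44]: VRFY postmaster [rejected]
Aug 21 09:35:34 www sendmail[36142]: h7LGZYXZ036142: fw0.domainname.com [123.45.67.89]: VRFY postmaster [rejected]
Aug 21 12:39:52 www sendmail[76060]: ruleset=check_relay, arg1=[111.222.33.44], arg2=111.222.33.44, relay=[111.222.33.44], reject=550 5.7.1 Access denied
"""

VRFY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: \w+: "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\]: VRFY (?P<user>\S+) \[rejected\]"
)

def vrfy_probes(lines, min_hits=3):
    """Group rejected VRFY attempts by source IP and report their cadence."""
    seen = defaultdict(list)
    for line in lines:
        m = VRFY_RE.match(line)
        if m:
            # syslog timestamps carry no year; a fixed placeholder year is assumed.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            seen[m["ip"]].append((ts, m["host"], m["user"]))
    report = {}
    for ip, hits in seen.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "host": hits[0][1],               # None when the log shows no reverse name
            "count": len(hits),
            "users": sorted({u for _, _, u in hits}),
            "median_gap_s": median(gaps),
            "periodic": max(gaps) - min(gaps) <= 2,  # near-constant gap: automated client
        }
    return report

if __name__ == "__main__":
    for ip, info in vrfy_probes(SAMPLE.splitlines()).items():
        print(ip, info)
```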


 