[TriLUG] Weird postfix logs
Matthew Pusateri
mpusateri at wickedtrails.com
Sat Oct 4 12:46:33 EDT 2008
Yes, it's spammers. Are you using RBLs to drop connections, or
rejecting on FQDN? Basically after the initial connection is made, the
connection is dropped either by them or you after the DATA command is
issued. It may just be someone checking SMTP IPs. I got hammered a
couple of weeks ago with spam bots, 89K messages on Friday, 279K on
Sat, 139K on Sunday. I ended up removing an alias temporarily. Also
if you're running IMAP/POP3 on the box, you will see dictionary attacks
on those similar to SSH.
Matt P.
On Oct 4, 2008, at 10:07 AM, Tarus Balog wrote:
> Gang:
>
> Lately I've been seeing lots of messages like this in my postfix logs:
>
> Oct 4 09:13:59 server1 postfix/smtpd[26998]: lost connection after DATA (0 bytes) from unknown[201.79.251.232]
> Oct 4 09:14:13 server1 postfix/smtpd[28246]: lost connection after DATA (0 bytes) from unknown[201.79.251.232]
> Oct 4 09:27:59 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[203.81.217.159]
> Oct 4 09:32:19 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[12.228.0.5]
> Oct 4 09:33:14 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[221.143.206.83]
>
> I assume it is spammers, but it just started for me recently and I was
> curious if anyone else had seen this.
>
> -T
> _______________________________________________________________________
> Tarus Balog, OpenNMS Maintainer Main: +1 919 533 0160
> The OpenNMS Group, Inc. Fax: +1 503 961 7746
> Email: tarus at opennms.org URL: http://www.opennms.org
> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481 512B FECA 11D2 FD82 B45C
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
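Added example, not part of the original thread: a small log triage script for the pattern discussed above. It counts "lost connection after DATA (0 bytes)" events per client IP and lists clients Postfix logged as `unknown` (no verified reverse DNS name), which are the clients an RBL or FQDN check would act on. The function names, the threshold of 2 and the final RCPT log line are assumptions made for this example.

```python
import re
from collections import Counter

# The five log lines quoted in the thread, with the e-mail line wraps undone.
PAGE_LINES = [
    "Oct 4 09:13:59 server1 postfix/smtpd[26998]: lost connection after DATA (0 bytes) from unknown[201.79.251.232]",
    "Oct 4 09:14:13 server1 postfix/smtpd[28246]: lost connection after DATA (0 bytes) from unknown[201.79.251.232]",
    "Oct 4 09:27:59 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[203.81.217.159]",
    "Oct 4 09:32:19 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[12.228.0.5]",
    "Oct 4 09:33:14 server1 postfix/smtpd[28398]: lost connection after DATA (0 bytes) from unknown[221.143.206.83]",
]
# Constructed line (not from the thread): a drop at another stage from a client with rDNS.
CONSTRUCTED_LINES = [
    "Oct 4 09:40:02 server1 postfix/smtpd[28398]: lost connection after RCPT from mail.example.net[192.0.2.10]",
]

LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>[A-Z]+)"
    r"(?: \((?P<bytes>\d+) bytes\))? from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

def parse_lost_connections(lines):
    """Return one dict per 'lost connection' line; other log lines are skipped."""
    events = []
    for line in lines:
        m = LOST_RE.search(line)
        if m is None:
            continue
        nbytes = int(m["bytes"]) if m["bytes"] is not None else None
        events.append({"stage": m["stage"], "bytes": nbytes,
                       "host": m["host"], "ip": m["ip"]})
    return events

def summarize(events, threshold=2):
    """Count empty-DATA drops per IP, list repeat sources, and list clients
    that Postfix logged as 'unknown' (no verified reverse DNS name)."""
    empty_data = Counter(e["ip"] for e in events
                         if e["stage"] == "DATA" and e["bytes"] == 0)
    repeat = sorted(ip for ip, n in empty_data.items() if n >= threshold)
    no_rdns = sorted({e["ip"] for e in events if e["host"] == "unknown"})
    return empty_data, repeat, no_rdns

if __name__ == "__main__":
    counts, repeat, no_rdns = summarize(parse_lost_connections(PAGE_LINES + CONSTRUCTED_LINES))
    for ip, n in counts.most_common():
        print(f"{ip:16} empty-DATA drops: {n}")
    print("repeat sources:", repeat)
    print("no reverse DNS:", no_rdns)
```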