Archived

This topic is now archived and is closed to further replies.

tomfmason

Mail server... relay attack??


I created a socket SMTP server and I think that it is being used to relay messages. I have disabled it now but I am wondering if I am right.

Here is part of my log.

[code]
T 20060709 145550 44af5598 Connection from 61.230.66.156
T 20060709 145551 44af5598 helo www.MyMainServer.com
T 20060709 145551 44af5598 mail from:<michael78694@MyMainServer.com>
T 20060709 145552 44af5598 rcpt to:<nomail12356@yahoo.com.hk>
E 20060709 145552 44af5598 Relay attempt by 61.230.66.156: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060709 145552 44af5598 Connection closed with 61.230.66.156, 2 sec. elapsed.

T 20060710 090212 44af55a3 HELO 68.99.113.17
T 20060710 090212 44af55a3 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060710 090212 44af55a3 RCPT TO: <bbb1@so-net.net.tw>
E 20060710 090212 44af55a3 Relay attempt by 59.112.84.200: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060710 090213 44af55a3 Connection closed with 59.112.84.200, 2 sec. elapsed.
T 20060711 025413 44b28d53 Connection from 211.228.100.196
T 20060711 025414 44b28d53 HELO lwoyma.com
T 20060711 025414 44b28d53 MAIL FROM: <dind@sxjjio.com>
T 20060711 025414 44b28d53 RCPT TO: <lvmanias@daum.net>
E 20060711 025415 44b28d53 Relay attempt by 211.228.100.196: from <dind@sxjjio.com> to <lvmanias@daum.net>.
T 20060711 025415 44b28d53 Connection closed with 211.228.100.196, 2 sec. elapsed.
T 20060712 074621 44b28d54 Connection from 59.117.206.209
T 20060712 074622 44b28d54 helo www.MyMainServer.com
T 20060712 074622 44b28d54 mail from:<michael78694@MyMainServer.com>
T 20060712 074623 44b28d54 rcpt to:<nomail12356@yahoo.com.hk>
E 20060712 074623 44b28d54 Relay attempt by 59.117.206.209: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060712 074623 44b28d54 Connection closed with 59.117.206.209, 3 sec. elapsed.
T 20060712 094255 44b4b6e7 Connection from 68.1.19.10
T 20060712 094256 44b4b6e7 Connection closed with 68.1.19.10, 1 sec. elapsed.
T 20060712 094457 44b4b6e8 Connection from 68.1.19.10
T 20060712 094457 44b4b6e8 Connection closed with 68.1.19.10, 0 sec. elapsed.
T 20060712 181932 44b4b6e9 Connection from 59.112.82.158
T 20060712 181932 44b4b6e9 HELO 68.99.113.17
T 20060712 181932 44b4b6e9 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060712 181933 44b4b6e9 RCPT TO: <bbb1@so-net.net.tw>
E 20060712 181933 44b4b6e9 Relay attempt by 59.112.82.158: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060712 181933 44b4b6e9 Connection closed with 59.112.82.158, 1 sec. elapsed.
T 20060713 034959 44b4b6ea Connection from 203.128.172.235
T 20060713 035000 44b4b6ea HELO cirtsq.com
T 20060713 035000 44b4b6ea MAIL FROM: <btso@vdlvls.com>
T 20060713 035000 44b4b6ea RCPT TO: <lvmanias@hanmail.net>
E 20060713 035000 44b4b6ea Relay attempt by 203.128.172.235: from <btso@vdlvls.com> to <lvmanias@hanmail.net>.
T 20060713 035000 44b4b6ea Connection closed with 203.128.172.235, 1 sec. elapsed.
[/code]


There are many of these. People are trying to relay spam through my mail server. From what I can see it is not working but this has got me a bit worried.

Any added security measures that you can recommend would be great.

Thanks,
Tom

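What the log excerpt above records can be summarised mechanically. The Python below is an added example, not the poster's server code: it groups the log lines (a sample taken from the post) by session id, counts relay attempts per source address, and flags sessions in which a remote host claimed the server's own hostname in HELO or used its domain as the envelope sender, which is what the `michael78694@MyMainServer.com` sessions do. The domain name `MyMainServer.com`, the parsing expressions and the field layout (level, date, time, session id, message) are assumptions based on the log format shown.

```python
import re
from collections import Counter

# Constructed sample: a handful of the poster's own log lines from above, covering
# a forged-local-identity relay attempt, a session whose "Connection from" line is
# missing, a foreign-to-foreign relay attempt, and a connect-and-close with no dialogue.
SAMPLE_LOG = """\
T 20060709 145550 44af5598 Connection from 61.230.66.156
T 20060709 145551 44af5598 helo www.MyMainServer.com
T 20060709 145551 44af5598 mail from:<michael78694@MyMainServer.com>
T 20060709 145552 44af5598 rcpt to:<nomail12356@yahoo.com.hk>
E 20060709 145552 44af5598 Relay attempt by 61.230.66.156: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060709 145552 44af5598 Connection closed with 61.230.66.156, 2 sec. elapsed.
T 20060710 090212 44af55a3 HELO 68.99.113.17
T 20060710 090212 44af55a3 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060710 090212 44af55a3 RCPT TO: <bbb1@so-net.net.tw>
E 20060710 090212 44af55a3 Relay attempt by 59.112.84.200: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060710 090213 44af55a3 Connection closed with 59.112.84.200, 2 sec. elapsed.
T 20060711 025413 44b28d53 Connection from 211.228.100.196
T 20060711 025414 44b28d53 HELO lwoyma.com
T 20060711 025414 44b28d53 MAIL FROM: <dind@sxjjio.com>
T 20060711 025414 44b28d53 RCPT TO: <lvmanias@daum.net>
E 20060711 025415 44b28d53 Relay attempt by 211.228.100.196: from <dind@sxjjio.com> to <lvmanias@daum.net>.
T 20060711 025415 44b28d53 Connection closed with 211.228.100.196, 2 sec. elapsed.
T 20060712 094255 44b4b6e7 Connection from 68.1.19.10
T 20060712 094256 44b4b6e7 Connection closed with 68.1.19.10, 1 sec. elapsed.
"""

# Assumed line layout: level (T/E), YYYYMMDD, HHMMSS, 8-hex session id, free text.
LINE_RE = re.compile(r"^(?P<level>[TE]) (?P<date>\d{8}) (?P<time>\d{6}) (?P<sid>[0-9a-f]{8}) (?P<msg>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<ip>[\d.]+)$")
HELO_RE = re.compile(r"^(?:HELO|EHLO)\s+(?P<name>\S+)", re.IGNORECASE)
RELAY_RE = re.compile(r"^Relay attempt by (?P<ip>[\d.]+): from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>\.$")


def parse_sessions(text):
    """Group log lines by session id: {sid: {"date", "ip", "helo", "relays"}}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        msg = m.group("msg")
        s = sessions.setdefault(m.group("sid"), {"date": m.group("date"), "ip": None, "helo": None, "relays": []})
        conn, helo, relay = CONN_RE.match(msg), HELO_RE.match(msg), RELAY_RE.match(msg)
        if conn:
            s["ip"] = conn.group("ip")
        elif helo:
            s["helo"] = helo.group("name")
        elif relay:
            # Some sessions lack a "Connection from" line; the relay line names the peer too.
            s["ip"] = s["ip"] or relay.group("ip")
            s["relays"].append((relay.group("sender"), relay.group("rcpt")))
    return sessions


def relay_attempts_by_ip(sessions):
    """Count refused relay attempts per connecting address."""
    counts = Counter()
    for s in sessions.values():
        if s["relays"]:
            counts[s["ip"]] += len(s["relays"])
    return counts


def spoofed_local_sessions(sessions, local_domain):
    """Sessions where a remote peer presented our own hostname in HELO or our domain
    as the envelope sender; a forged local identity is worth tracking separately."""
    local = local_domain.lower()
    hits = []
    for sid, s in sessions.items():
        helo = (s["helo"] or "").lower()
        senders = [snd.lower() for snd, _ in s["relays"]]
        if helo == local or helo.endswith("." + local) or any(snd.endswith("@" + local) for snd in senders):
            hits.append(sid)
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for ip, n in relay_attempts_by_ip(sessions).most_common():
        print(f"{ip:>16}  {n} relay attempt(s)")
    print("sessions forging our identity:", spoofed_local_sessions(sessions, "MyMainServer.com"))
```

Run over the full log, the per-address counts are what you would feed into a firewall block list or a rate limit; the spoofed-identity list shows which sessions would have slipped through a naive "sender is one of our domains, so it must be a local user" check.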
Did you write the script or are you using mailer()? If this is your own code and you are using it to send mail from your box only, try binding your mailer to localhost/127.0.0.1. I.e., if the incoming connection is not localhost or 127.0.0.1, deny access - simple but effective.

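The rule in this reply can be expressed as a small SMTP listener. The Python below is an added example, not the poster's server or the mailer() mentioned above: it binds to 127.0.0.1 so nothing off-box can connect at all, and its RCPT policy treats a loopback client as trusted (the box's own scripts may send anywhere) while any other peer may only deliver to a domain the host itself serves, which is exactly the check the relay attempts in the log would fail. The domain list, the `trust_loopback` switch (present only so the deny path can be exercised from a loopback test client), the reply texts and the `probe` helper are assumptions.

```python
import ipaddress
import smtplib
import socketserver
import threading

# Constructed: the domains this host accepts mail for (the poster's real name is redacted).
LOCAL_DOMAINS = {"mymainserver.com"}


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1, the only peers this server is meant to serve."""
    return ipaddress.ip_address(ip).is_loopback


def rcpt_allowed(peer_ip, rcpt, local_domains, trust_loopback=True):
    """Relay policy: a local client may send anywhere (that is what the box's own
    scripts need); anyone else may only deliver to a domain we host ourselves."""
    if trust_loopback and is_loopback(peer_ip):
        return True
    domain = rcpt.rpartition("@")[2].lower()
    return domain in {d.lower() for d in local_domains}


class SMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP dialogue: enough for HELO/MAIL/RCPT/DATA/QUIT from smtplib."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))
        self.wfile.flush()

    def handle(self):
        peer_ip = self.client_address[0]
        self.reply("220 localhost toy SMTP (loopback only)")
        in_data = False
        for raw in self.rfile:
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if in_data:  # message body: swallow lines until the lone "."
                if line == ".":
                    in_data = False
                    self.reply("250 queued")
                continue
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.reply("250 localhost")
            elif cmd == "MAIL":
                self.reply("250 sender ok")
            elif cmd == "RCPT":
                # arg is "TO:<user@host>"; the "TO: <...>" spacing seen in the log is handled too
                rcpt = arg.partition(":")[2].strip().strip("<>")
                if rcpt_allowed(peer_ip, rcpt, self.server.local_domains, self.server.trust_loopback):
                    self.reply("250 recipient ok")
                else:
                    self.reply("554 relay access denied")
            elif cmd == "DATA":
                in_data = True
                self.reply("354 end data with <CRLF>.<CRLF>")
            elif cmd == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("502 command not implemented")


class RelayGuardServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, local_domains, trust_loopback=True, port=0):
        # Binding to 127.0.0.1 is the first line of defence: nothing off-box can even connect.
        super().__init__(("127.0.0.1", port), SMTPHandler)
        self.local_domains = set(local_domains)
        self.trust_loopback = trust_loopback


def probe(trust_loopback=True):
    """Start a server on an ephemeral port, try one local and one foreign recipient
    from a loopback client, and return the two reply codes."""
    server = RelayGuardServer(LOCAL_DOMAINS, trust_loopback=trust_loopback)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with smtplib.SMTP("127.0.0.1", server.server_address[1], timeout=5) as client:
            client.helo("localhost")
            client.mail("tom@mymainserver.com")
            local_code, _ = client.rcpt("tom@mymainserver.com")
            foreign_code, _ = client.rcpt("nomail12356@yahoo.com.hk")
        return {"local": local_code, "foreign": foreign_code}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("loopback client trusted:          ", probe(trust_loopback=True))
    print("loopback client treated as remote:", probe(trust_loopback=False))
```

With `trust_loopback=False` the probe shows what an outside peer would get: the local recipient is accepted, the foreign one is refused with 554, the same outcome the "Relay attempt by ..." lines in the log record. Keeping the policy in `rcpt_allowed` rather than only in the bind address means the relay rule still holds if the listener is ever widened to another interface.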
