  1. #1
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    55

    This Is A Spammer Attack?

    Hi,

    One of my servers goes down every 2-3 hours.
    I found thousands of these entries in my exim logs:

    2004-12-28 14:57:57 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <aida@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow aida@ribeiro in "aida@ribeiro@satcompany.com.br"
    2004-12-28 14:57:57 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <mofer@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mofer@ribeiro in "mofer@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <riva@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow riva@ribeiro in "riva@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <estevao@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow estevao@ribeiro in "estevao@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <josival@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow josival@ribeiro in "josival@ribeiro@satcompany.com.br"

    The domain satcompany.com.br exists on this server, but these satcompany.com.br users do not.

    Is this a SPAMMER attack?
    I am blocking the IP 68.252.254.67, but the attack returns with other and other and other IPs....

  2. #2
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    55

    More:

    2004-12-28 15:08:45 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <mcintra@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mcintra@ribeiro in "mcintra@ribeiro@satcompany.com.br"
    2004-12-28 15:08:45 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <marilza@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow marilza@ribeiro in "marilza@ribeiro@satcompany.com.br"
    2004-12-28 15:08:46 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <ozzy@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow ozzy@ribeiro in "ozzy@ribeiro@satcompany.com.br"
    2004-12-28 15:08:46 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <manfred@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow manfred@ribeiro in "manfred@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <carlos.rocha@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow carlos.rocha@ribeiro in "carlos.rocha@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <politica@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow politica@ribeiro in "politica@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <hpedro@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow hpedro@ribeiro in "hpedro@ribeiro@satcompany.com.br"
    2004-12-28 15:08:48 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <mercedes@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mercedes@ribeiro in "mercedes@ribeiro@satcompany.com.br"
    2004-12-28 15:08:52 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<B714158p@bol.com.br> temporarily rejected RCPT <fborges@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow fborges@ribeiro in "fborges@ribeiro@satcompany.com.br"
    2004-12-28 15:08:53 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<B714158p@bol.com.br> temporarily rejected RCPT <sabreu@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow sabreu@ribeiro in "sabreu@ribeiro@satcompany.com.br"

    This happens all the time.

  3. #3
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    It's almost certainly spam. The problem is that they're sending emails to you with invalid (non RFC compliant) addressees and exim is baulking (as it should). I'd be surprised if this would cause your server to go down, unless the load on exim is extremely high.

    First, I'd recommend installing a dictionary attack ACL, such as:
    http://www.webumake.com/free/eximdeny.htm

    If that doesn't help, then you might need to start looking at the various exim rate limiting parameters to slow down incoming traffic, though these could impact your other domains.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    55

    Quote Originally Posted by chirpy
    It's almost certainly spam. The problem is that they're sending emails to you with invalid (non RFC compliant) addressees and exim is baulking (as it should). I'd be surprised if this would cause your server to go down, unless the load on exim is extremely high.

    First, I'd recommend installing a dictionary attack ACL, such as:
    http://www.webumake.com/free/eximdeny.htm

    If that doesn't help, then you might need to start looking at the various exim rate limiting parameters to slow down incoming traffic, though these could impact your other domains.

    Thanks a lot, Chirpy!
    Happy New Year!

  5. #5
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    55

    Quote Originally Posted by chirpy
    It's almost certainly spam. The problem is that they're sending emails to you with invalid (non RFC compliant) addressees and exim is baulking (as it should). I'd be surprised if this would cause your server to go down, unless the load on exim is extremely high.

    First, I'd recommend installing a dictionary attack ACL, such as:
    http://www.webumake.com/free/eximdeny.htm

    If that doesn't help, then you might need to start looking at the various exim rate limiting parameters to slow down incoming traffic, though these could impact your other domains.

    Nope... It doesn't work.
    Have I done something wrong?


    #!!# ACL that is used after the RCPT command
    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    drop hosts = /etc/exim_deny
         message = Connection denied after dictionary attack
         log_message = Connection denied from $sender_host_address after dictionary attack

    drop message = Appears to be a dictionary attack
         log_message = Dictionary attack (after $rcpt_fail_count failures)
         condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
         condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
         !verify = recipient
    #if it gets here it isn't mailman

    #sender verifications are required for all messages that are not sent to lists

    require verify = sender
    accept domains = +local_domains
           endpass

    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests

           message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
           verify = recipient

    accept domains = +relay_domains

    warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
         hosts = +relay_hosts
    accept hosts = +relay_hosts

    warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
         condition = ${perl{checkrelayhost}{$sender_host_address}}
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
           endpass
           message = $sender_fullhost is currently not permitted to \
                     relay through this server. Perhaps you \
                     have not logged into the pop/imap server in the \
                     last 30 minutes or do not have SMTP Authentication turned on in your email client.
           authenticated = *

    deny message = $sender_fullhost is currently not permitted to \
                   relay through this server. Perhaps you \
                   have not logged into the pop/imap server in the \
                   last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
    require verify = header_sender
    accept
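
Added example (not part of any post in this thread, and not cPanel or exim project code): an offline check that counts rejected RCPT lines per connecting host, in the log format quoted in posts #1 and #2, and flags hosts that exceed a failure threshold inside a sliding time window. The sample log lines, addresses, function names and the 60-second window are constructed for illustration; the threshold of 3 mirrors the `$rcpt_fail_count` test in the ACL above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches exim main-log lines of the form quoted in this thread:
#   <date> <time> H=<host/helo> [<ip>] F=<sender> [temporarily ]rejected RCPT <rcpt>: ...
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S.*?) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"F=<(?P<sender>[^>]*)> "
    r"(?:temporarily )?rejected RCPT <(?P<rcpt>[^>]*)>"
)

def parse_rejections(lines):
    """Yield (timestamp, ip, sender, rcpt) for each rejected-RCPT line."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["sender"], m["rcpt"]

def dictionary_attack_hosts(lines, threshold=3, window_seconds=60):
    """Return {ip: peak} for hosts with more than `threshold` rejected
    recipients inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)      # ip -> largest burst seen for that host
    for ts, ip, _sender, _rcpt in sorted(parse_rejections(lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

# Constructed sample input (documentation IP ranges, example.* domains).
SAMPLE_LOG = [
    f"2004-12-28 14:57:5{i} H=(dsl.example.net) [192.0.2.10] F=<x@example.org> "
    f"temporarily rejected RCPT <user{i}@example.com>: error in redirect data"
    for i in range(5)
] + [
    "2004-12-28 14:58:30 H=(mx.example.net) [198.51.100.7] F=<y@example.org> "
    "rejected RCPT <typo@example.com>: Unknown user",
    "2004-12-28 15:08:45 <= z@example.org H=(mx.example.net) [198.51.100.7] P=esmtp S=1200",
]

if __name__ == "__main__":
    for ip, n in dictionary_attack_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {n} rejected recipients within 60s")
```

A host with a single mistyped recipient stays below the threshold, while a burst of guessed local parts from one address is flagged; because the attack in this thread rotates source IPs, the per-host result is a list to review rather than a complete picture of the traffic.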

  6. #6
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    55

    Sorry, I found the error.
    It is OK right now.

  7. #7
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Great! Is it actually helping with the problem? I was unsure whether it would in your circumstances or not.
    Jonathan Michaelson

