Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
I have a client , I'll call him myclientdomain.org, which is under email attack . The attack is also overloading the server .

The attack is coming from different ip address (thousand of proxy ips).
The attack also if seems to be a dictionary attack is NOT detected using the antidictionary
script provided By Chirpy . As it seems they are attempts to relay email ?

The log shows line like these

2006-11-07 07:14:53 H=yipfw1.joho-yamaguchi.or.jp (mail1) [210.225.240.91] F=<> rejected RCPT <[email protected]>: yipfw1.joho-yamaguchi.or.jp (mail1) [210.225.240.91] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2006-11-07 07:14:55 H=mercury.alienwebshop.com [67.91.233.6] F=<> rejected RCPT <[email protected]>: mercury.alienwebshop.com [67.91.233.6]
is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2006-11-07 07:14:56 H=blu.primehs.net [211.125.95.164] F=<> rejected RCPT <[email protected]>: blu.primehs.net [211.125.95.164] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2006-11-07 07:14:57 H=mxdrop25.xs4all.nl [194.109.24.83] F=<> rejected RCPT <[email protected]>: mxdrop25.xs4all.nl [194.109.24.83] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.


How to stop this attack ?