Email Server Attack??

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Anonymous

Email Server Attack??

Post by Anonymous »

I have been seeing some weird entries in my /var/log/maillog. It's been going on constantly for almost a week. I suspect harassment, that someone is making an "attack" on my mail server. Or it could be something as simple as I misconfigured my server.

What will happen is the emails appear to come from one IP. I will then put the IP in my /etc/mail/access file with a REJECT tag and then, after a few attempts, the UNKNOWN USER emails will start from a new and totally unrelated IP. And so on and so on.

Any clue as to exactly what this is would be most appreciated.

My system is Fedora Core 1 and I am using Sendmail with SpamAssassin.


Here are the relevant log entries:

Jan 30 21:56:29 pln sendmail[13265]: i0V2uQuE013265: <steve@pln.cc>... User unknown
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: from=<peter@netnitco.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 21:56:57 pln sendmail[13266]: i0V2upuE013266: <steve@pln.cc>... User unknown
Jan 30 21:56:59 pln sendmail[13266]: i0V2upuE013266: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 21:56:59 pln sendmail[13266]: i0V2upuE013266: from=<peter@netnitco.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 21:57:46 pln sendmail[13269]: i0V2vQuE013269: <steve@pln.cc>... User unknown
Jan 30 21:57:50 pln sendmail[13269]: i0V2vQuE013269: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt

Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: <jim@pln.cc>... User unknown
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: lost input channel from dt153nbd.tampabay.rr.com [24.92.199.189] to MTA after rcpt
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: from=<sales@studiotec.fi>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dt153nbd.tampabay.rr.com [24.92.199.189]
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: <jim@pln.cc>... User unknown
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: lost input channel from dt153nbd.tampabay.rr.com [24.92.199.189] to MTA after rcpt
Jan 30 22:49:08 pln sendmail[13462]: i0V3n7uE013462: from=<sales@studiotec.fi>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dt153nbd.tampabay.rr.com [24.92.199.189]
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: <maria@pln.cc>... User unknown
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=whsecure2.net [66.250.218.13]
Jan 30 23:11:26 pln sendmail[13555]: i0V4BPuE013555: <matt@pln.cc>... User unknown
Jan 30 23:11:26 pln sendmail[13555]: i0V4BPuE013555: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ms-smtp-04-smtplb.tampabay.rr.com [65.32.5.134]
Jan 30 23:13:31 pln sendmail[13559]: i0V4DSuE013559: <david@pln.cc>... User unknown
Jan 30 23:13:37 pln sendmail[13559]: i0V4DSuE013559: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 23:13:37 pln sendmail[13559]: i0V4DSuE013559: from=<leo@freemail.hu>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 23:14:01 pln sendmail[13562]: i0V4DxuE013562: <david@pln.cc>... User unknown
Jan 30 23:14:02 pln sendmail[13562]: i0V4DxuE013562: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 23:14:02 pln sendmail[13562]: i0V4DxuE013562: from=<leo@freemail.hu>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]


Archived topic from Iceteks, old topic ID:1986, old post ID:16279
Red Squirrel
Posts: 29206
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Email Server Attack??

Post by Red Squirrel »

Hmmm, does not really look that suspicious, but I don't know that software either so it's hard to tell. But by looking at the time stamps, I don't think it's spam, unless it's being done slowly, which usually is not the case during attacks. It could be another type of attack, but that I'm not sure either. Best thing to do is block the IP/email and go from there.

Archived topic from Iceteks, old topic ID:1986, old post ID:16282
Honk if you love Jesus, text if you want to meet Him!
Red Squirrel
Posts: 29206
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Email Server Attack??

Post by Red Squirrel »

Oh, and welcome to the forums. :wave:

Archived topic from Iceteks, old topic ID:1986, old post ID:16283
Honk if you love Jesus, text if you want to meet Him!
brandon
Posts: 263
Joined: Fri Jan 16, 2004 3:13 pm

Email Server Attack??

Post by brandon »

DoS maybe????

But then again, the attacks seem too infrequent.

Archived topic from Iceteks, old topic ID:1986, old post ID:16284
Ally to good!
Nightmare to you!!!
Anonymous

Email Server Attack??

Post by Anonymous »

Red Squirrel wrote: Hmmm, does not really look that suspicious, but I don't know that software either so it's hard to tell. But by looking at the time stamps, I don't think it's spam, unless it's being done slowly, which usually is not the case during attacks. It could be another type of attack, but that I'm not sure either. Best thing to do is block the IP/email and go from there.
Thanx for the response.

I was thinking it might be some attempt to slow down my server or something.

It's probably more for annoyance's sake than anything else. I wouldn't have even noticed it if I wasn't such a LOG/CONTROL freak.. B)

In any case, thanks again. I just wanted to make sure it wasn't something serious or a prelude to something serious.

As Mr Spock would say, "A difference which makes no difference, IS no difference."

Archived topic from Iceteks, old topic ID:1986, old post ID:16296
Anonymous

Email Server Attack??

Post by Anonymous »

Red Squirrel wrote: Oh, and welcome to the forums. :wave:
Thanx :)

Pretty impressive.

Archived topic from Iceteks, old topic ID:1986, old post ID:16297
Red Squirrel
Posts: 29206
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Email Server Attack??

Post by Red Squirrel »

Glad you like it. Check out the cybervillage area, we have some neat toys there. You can't buy much yet but save up. :D

Archived topic from Iceteks, old topic ID:1986, old post ID:16301
Honk if you love Jesus, text if you want to meet Him!
ladytech
Posts: 35
Joined: Fri Sep 26, 2003 9:42 am

Email Server Attack??

Post by ladytech »

From the log and the timing, plus the recent 'mydoom' virus, I would say your server, like all the others in the world right now, is receiving email from the 'mydoom' virus. This virus can spoof an address, which is why you see the 'unknown user'. It will probably continue until the virus is under control. My email servers have been experiencing the same problems for about the same time period as you mention. Try not to block the IPs though. If the email is going to your server, that means the virus got the domain address from someone who has you or one of your users in their address book. You may find out you have complaints later from people who can no longer email you or your users.

Make sure your virus protection for your email server is up to date. I wouldn't worry too much about DDS right now. This virus is aiming for SCO and Microsoft.

You may want to warn people you email frequently, though, that one of them probably has the virus.

Archived topic from Iceteks, old topic ID:1986, old post ID:16313
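A defender's triage script for the log in the first post and for ladytech's explanation of it, added here as an example; it is not code from the thread, from Sendmail or from any project. It parses the Sendmail maillog format shown above (the sample below is a constructed subset of the first post's own lines, grouped by queue ID), summarises per relay IP how many "User unknown" rejections arrived through it and which envelope senders were claimed, and reports whether senders and relays keep changing. That is the pattern a mass-mailing worm with forged sender addresses produces, and it is why a per-IP REJECT in /etc/mail/access keeps having to chase a new address. The function names, the record layout and the "rotating" verdict are my own choices, not anything Sendmail provides.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the /var/log/maillog lines quoted in the
# first post, kept verbatim so the parser is exercised on real Sendmail output.
SAMPLE_LOG = """\
Jan 30 21:56:29 pln sendmail[13265]: i0V2uQuE013265: <steve@pln.cc>... User unknown
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: lost input channel from vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3] to MTA after rcpt
Jan 30 21:56:31 pln sendmail[13265]: i0V2uQuE013265: from=<peter@netnitco.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: <jim@pln.cc>... User unknown
Jan 30 22:48:46 pln sendmail[13461]: i0V3mjuE013461: from=<sales@studiotec.fi>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dt153nbd.tampabay.rr.com [24.92.199.189]
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: <maria@pln.cc>... User unknown
Jan 30 23:02:35 pln sendmail[13527]: i0V42ZuE013527: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=whsecure2.net [66.250.218.13]
Jan 30 23:13:31 pln sendmail[13559]: i0V4DSuE013559: <david@pln.cc>... User unknown
Jan 30 23:13:37 pln sendmail[13559]: i0V4DSuE013559: from=<leo@freemail.hu>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=vsat-148-63-176-3.c189.t7.mrt.starband.net [148.63.176.3]
"""

# Sendmail syslog line: "Mon DD HH:MM:SS host sendmail[pid]: queue-id: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# "<user@domain>... User unknown": the RCPT TO address that was refused
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]*)>\.\.\. User unknown$")
# "from=<sender>, size=N, ..., nrcpts=N, ..., relay=host [ip]": the envelope record.
# The host name before the bracketed IP is optional (absent when reverse DNS fails).
FROM_RE = re.compile(
    r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), .*nrcpts=(?P<nrcpts>\d+), "
    r".*relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]$"
)


def parse_maillog(text):
    """Group log lines by Sendmail queue ID into one record per SMTP envelope."""
    envelopes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        env = envelopes.setdefault(m["qid"], {
            "ts": m["ts"], "rcpts": [], "sender": None, "host": None,
            "ip": None, "size": None, "nrcpts": None,
        })
        rest = m["rest"]
        u = UNKNOWN_RE.match(rest)
        if u:
            env["rcpts"].append(u["rcpt"])
            continue
        f = FROM_RE.match(rest)
        if f:
            env["sender"] = f["sender"]          # "" means the null sender <>
            env["host"] = f["host"]
            env["ip"] = f["ip"]
            env["size"] = int(f["size"])         # size=0, nrcpts=0: no recipient
            env["nrcpts"] = int(f["nrcpts"])     # accepted, so no message body ever came
        # "lost input channel ... after rcpt" lines carry nothing we need:
        # the client simply hung up once its recipient was refused.
    return envelopes


def summarize_by_relay(envelopes):
    """Per relay IP: how many envelopes were refused, claiming which senders."""
    by_ip = defaultdict(lambda: {"attempts": 0, "senders": set(), "rcpts": set()})
    for env in envelopes.values():
        if env["ip"] is None or not env["rcpts"]:
            continue
        s = by_ip[env["ip"]]
        s["attempts"] += 1
        s["senders"].add(env["sender"])
        s["rcpts"].update(env["rcpts"])
    return dict(by_ip)


def assess(summary):
    """Defender's read of the summary: does blocking relay IPs one at a time keep up?"""
    senders = set()
    for s in summary.values():
        senders |= s["senders"]
    return {
        "relays": len(summary),
        "distinct_senders": len(senders),
        "null_sender_bounces": sum(1 for s in summary.values() if "" in s["senders"]),
        # Several unrelated relays each claiming a different sender is the shape of
        # a mass-mailing worm with forged From addresses, not one hostile source;
        # a per-IP REJECT in /etc/mail/access only chases the next infected host.
        "rotating": len(summary) > 1 and len(senders) > 1,
    }


if __name__ == "__main__":
    summary = summarize_by_relay(parse_maillog(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip}: {s['attempts']} refused envelope(s), "
              f"senders={sorted(s['senders'])}, targets={sorted(s['rcpts'])}")
    print(assess(summary))
```

Run it against a real /var/log/maillog by reading the file instead of SAMPLE_LOG; a summary where every relay claims a different sender and the null-sender entries are bounces from other sites' mail servers is the signature ladytech describes, and the useful response is to keep the mail scanner's signatures current and to tell frequent correspondents that one of them is infected rather than to grow the access file.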