Pantek Library

Spammers?

From: Christopher Wagner <chrisw(at)pacaids.com>
Date: Thu Feb 27 2003 - 13:11:08 EST


Good day all..

I'm encountering some rather annoying problems with my mail server.

It appears as though someone is trying rather desperately to relay through my mail server, and using multiple boxes from all over the place to do it. They are all directed at pacbell.net and they're all from the commonly faked mail from:'s (i.e. hotmail, mindspring, earthlink).

Logs:

Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idapaul@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idapaul@pacbell.net>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idar@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idar@pacbell.net>
Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idbyebye@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idbyebye@pacbell.net>
Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idc@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idc@pacbell.net>
--

Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gortons@pacbell.net>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gos2@pacbell.net>
Feb 25 07:10:48 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosaints@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gosaints@pacbell.net>
Feb 25 07:10:54 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gosenior@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gosenior@pacbell.net>
--

Feb 25 07:12:25 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerardi@pacbell.net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4@hotmail.com> to=<jgerardi@pacbell.net>
Feb 25 07:12:30 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerfen@pacbell.net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4@hotmail.com> to=<jgerfen@pacbell.net>
Feb 25 07:12:35 goober postfix/smtpd[31398]: reject: RCPT from ppp-63-205-146-45.calvarycc.org[63.205.146.45]: 554 <jgerke@pacbell.net>: Recipient address rejected: Relay access denied; from=<wf97vp1tl4@hotmail.com> to=<jgerke@pacbell.net>
--

And so on.. They seem pretty determined to relay, I dunno why, it ain't gonna happen. This seems to happen once a month or so, obviously from a variety of addresses. It almost looks suspiciously like these various machines have either been hacked or they're hiring out their bandwidth to a spammer.

Any suggestions for tracking this down or should I just ignore it? It's not a real drain on my bandwidth or server capacity, the frequency isn't bothersome, just the log entries get annoying after a while. It doesn't help matters by having all the sources be out of the US, it makes it more difficult to track down.

Thanks folks..

Christopher Wagner
chrisw@pacaids.com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116  


Received on Tue Mar 4 10:51:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:59 EDT
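
An added example, not part of the original post: a small Python script that groups the Postfix "Relay access denied" rejects from the log excerpt by client IP, so each probing host shows up once with its attempt count, envelope senders and target domains instead of one log line per recipient. The function names and the `min_attempts` threshold are assumptions made for illustration; the sample lines are copied from the excerpt in the post.

```python
import re
from collections import defaultdict

# Postfix smtpd "Relay access denied" reject entries, in the format shown in the post.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"554 .*?Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def summarize_relay_probes(log_text):
    """Group relay-denied rejects by client IP.

    finditer scans the whole text, so entries that were run together on one
    physical line (as in the archived excerpt) are still counted separately.
    """
    clients = defaultdict(lambda: {"host": None, "attempts": 0,
                                   "senders": set(), "rcpt_domains": set()})
    for m in REJECT.finditer(log_text):
        entry = clients[m["ip"]]
        entry["host"] = m["host"]
        entry["attempts"] += 1
        entry["senders"].add(m["sender"].lower())
        entry["rcpt_domains"].add(m["rcpt"].rpartition("@")[2].lower())
    return dict(clients)

def flag_probers(summary, min_attempts=3):
    """IPs with at least min_attempts rejects; the threshold is an assumption."""
    return sorted(ip for ip, e in summary.items() if e["attempts"] >= min_attempts)

# Sample input copied from the log excerpt in the post (second line holds two entries).
SAMPLE_LOG = """\
Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idapaul@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idapaul@pacbell.net>
Feb 25 07:12:08 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idar@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idar@pacbell.net> Feb 25 07:12:13 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idbyebye@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idbyebye@pacbell.net>
Feb 25 07:12:19 goober postfix/smtpd[31398]: reject: RCPT from unknown[62.117.66.182]: 554 <idc@pacbell.net>: Recipient address rejected: Relay access denied; from=<t1p2dj10x@earthlink.net> to=<idc@pacbell.net>
Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gortons@pacbell.net>
Feb 25 07:10:43 goober postfix/smtpd[31398]: reject: RCPT from kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gos2@pacbell.net>: Recipient address rejected: Relay access denied; from=<r275rmd0b@mindspring.com> to=<gos2@pacbell.net>
"""

if __name__ == "__main__":
    summary = summarize_relay_probes(SAMPLE_LOG)
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:<16} {e['host']:<24} attempts={e['attempts']} "
              f"senders={sorted(e['senders'])} targets={sorted(e['rcpt_domains'])}")
    print("repeat probers:", flag_probers(summary))
```

Run against a full mail log, the per-IP summary gives one line per source to review or report, rather than one log line per rejected recipient.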

