Suspicious entries in mail.log

rolapp

SSF fan
While going through mail.log I noticed that the same entry keeps showing up, just with different IPs. Yesterday that was 46 entries.

Code:
Aug  1 00:09:25 color postfix/smtpd[20416]: NOQUEUE: reject: RCPT from 12.19.14.37.dynamic.jazztel.es[37.14.19.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 00:27:39 color postfix/smtpd[20824]: NOQUEUE: reject: RCPT from host218-63-static.40-85-b.business.telecomitalia.it[85.40.63.218]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 00:46:01 color postfix/smtpd[21359]: NOQUEUE: reject: RCPT from 12.19.14.37.dynamic.jazztel.es[37.14.19.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 01:41:48 color postfix/smtpd[22663]: NOQUEUE: reject: RCPT from h114.63.135.216.ip.windstream.net[216.135.63.114]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 02:57:09 color postfix/smtpd[24471]: NOQUEUE: reject: RCPT from unknown[190.187.22.140]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 04:13:07 color postfix/smtpd[26198]: NOQUEUE: reject: RCPT from unknown[212.75.134.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 04:51:13 color postfix/smtpd[27029]: NOQUEUE: reject: RCPT from 105-236-98-19.access.mtnbusiness.co.za[105.236.98.19]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 05:29:25 color postfix/smtpd[27876]: NOQUEUE: reject: RCPT from unknown[212.75.134.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 06:07:04 color postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[50.244.253.9]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 07:00:28 color postfix/smtpd[30168]: NOQUEUE: reject: RCPT from unknown[79.136.209.154]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 07:36:06 color postfix/smtpd[30996]: NOQUEUE: reject: RCPT from unknown[92.87.210.196]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 08:10:04 color postfix/smtpd[31823]: NOQUEUE: reject: RCPT from unknown[14.169.109.250]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 08:27:04 color postfix/smtpd[32241]: NOQUEUE: reject: RCPT from unknown[92.87.210.196]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 08:43:37 color postfix/smtpd[537]: NOQUEUE: reject: RCPT from unknown[50.244.253.9]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 09:00:33 color postfix/smtpd[983]: NOQUEUE: reject: RCPT from unknown[118.97.191.155]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 09:33:45 color postfix/smtpd[1921]: NOQUEUE: reject: RCPT from unknown[210.177.87.105]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 10:06:26 color postfix/smtpd[2834]: NOQUEUE: reject: RCPT from unknown[180.166.96.38]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 10:23:16 color postfix/smtpd[3399]: NOQUEUE: reject: RCPT from host34-208-static.98-5-b.business.telecomitalia.it[5.98.208.34]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 10:55:34 color postfix/smtpd[4187]: NOQUEUE: reject: RCPT from unknown[196.41.205.29]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 11:44:25 color postfix/smtpd[7672]: NOQUEUE: reject: RCPT from unknown[190.187.22.140]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 11:59:41 color postfix/smtpd[7938]: NOQUEUE: reject: RCPT from dug42.internetdsl.tpnet.pl[83.19.218.42]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 12:15:40 color postfix/smtpd[8792]: NOQUEUE: reject: RCPT from unknown[180.166.96.38]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 12:30:58 color postfix/smtpd[9140]: NOQUEUE: reject: RCPT from cm-85-152-57-61.telecable.es[85.152.57.61]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 12:47:00 color postfix/smtpd[9636]: NOQUEUE: reject: RCPT from pfn94.internetdsl.tpnet.pl[46.171.143.94]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 13:03:04 color postfix/smtpd[10027]: NOQUEUE: reject: RCPT from pfn94.internetdsl.tpnet.pl[46.171.143.94]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 14:07:10 color postfix/smtpd[11238]: NOQUEUE: reject: RCPT from unknown[223.30.78.91]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 14:23:06 color postfix/smtpd[12033]: NOQUEUE: reject: RCPT from unknown[210.177.87.105]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 15:59:50 color postfix/smtpd[14448]: NOQUEUE: reject: RCPT from adsl-074-165-019-209.sip.asm.bellsouth.net[74.165.19.209]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 16:16:46 color postfix/smtpd[14923]: NOQUEUE: reject: RCPT from unknown[200.80.106.38]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 16:33:52 color postfix/smtpd[15297]: NOQUEUE: reject: RCPT from unknown[190.187.22.140]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 16:50:34 color postfix/smtpd[15671]: NOQUEUE: reject: RCPT from 80.224.50.223.static.user.ono.com[80.224.50.223]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 17:22:53 color postfix/smtpd[16476]: NOQUEUE: reject: RCPT from ll62-2-210-251-62.ll62.iam.net.ma[62.251.210.2]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 17:38:33 color postfix/smtpd[16819]: NOQUEUE: reject: RCPT from cable-89-216-21-136.static.sbb.rs[89.216.21.136]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 18:09:47 color postfix/smtpd[17649]: NOQUEUE: reject: RCPT from unknown[200.80.106.38]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 18:25:30 color postfix/smtpd[18013]: NOQUEUE: reject: RCPT from unknown[213.55.73.129]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 19:13:32 color postfix/smtpd[19079]: NOQUEUE: reject: RCPT from unknown[14.169.109.250]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 19:29:36 color postfix/smtpd[19424]: NOQUEUE: reject: RCPT from 12.19.14.37.dynamic.jazztel.es[37.14.19.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 19:46:05 color postfix/smtpd[19843]: NOQUEUE: reject: RCPT from 105-236-255-125.access.mtnbusiness.co.za[105.236.255.125]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 20:02:13 color postfix/smtpd[20253]: NOQUEUE: reject: RCPT from 12.19.14.37.dynamic.jazztel.es[37.14.19.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 20:34:42 color postfix/smtpd[21035]: NOQUEUE: reject: RCPT from unknown[186.215.174.252]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 21:07:02 color postfix/smtpd[21792]: NOQUEUE: reject: RCPT from unknown[194.75.77.138]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 21:39:47 color postfix/smtpd[22527]: NOQUEUE: reject: RCPT from unknown[186.215.174.252]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 22:28:44 color postfix/smtpd[23836]: NOQUEUE: reject: RCPT from 12.19.14.37.dynamic.jazztel.es[37.14.19.12]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 23:01:55 color postfix/smtpd[13063]: NOQUEUE: reject: RCPT from ll62-2-210-251-62.ll62.iam.net.ma[62.251.210.2]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 23:18:04 color postfix/smtpd[13459]: NOQUEUE: reject: RCPT from h114.63.135.216.ip.windstream.net[216.135.63.114]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Aug  1 23:34:30 color postfix/smtpd[13828]: NOQUEUE: reject: RCPT from rexhel.lnk.telstra.net[203.45.163.105]: 454 4.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>

Does any of you know what this is about? Does nobody over there notice that my server isn't an open relay? It really looks like a botnet doing the searching.
 

They just keep trying. ;)
Fail2Ban is the remedy here.
 
fail2ban is one option, but that's too much hassle for me right now.
Apart from those idiots cluttering up my log file, nothing happens anyway.
 

fail2ban is installed and configured in 2 minutes - and it's standard on my boxes. Hassle?
 
Code:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 .*$

I've now added that to /filter.d/postfix.conf. Let's see when something actually gets banned, given all those different IPs.
The jail.conf looks like this:
Code:
[postfix]

enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log
bantime  = 604800
findtime = 86400
maxretry = 2
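
An added example (my own code, not the poster's and not part of fail2ban) that replays mail.log lines against the failregex above with this jail's maxretry/findtime/bantime values, so you can see which hosts the jail would ban, and which it would not because their rejects are spread over more than findtime, before switching it on. It assumes a year for the syslog timestamps (they carry none), narrows fail2ban's <HOST> to IPv4, and uses constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# The thread's failregex with fail2ban's %(__prefix_line)s and <HOST> expanded
# by hand; <HOST> is narrowed to IPv4 here (fail2ban's also takes IPv6/hostnames).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"454 4\.7\.1 .*$"
)
FINDTIME, MAXRETRY, BANTIME = 86400, 2, 604800   # values from the jail above

def parse_ts(ts, year=2024):
    """Syslog stamps carry no year, so one is assumed (hypothetical constant)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ban_decisions(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay log lines the way the jail would; return {host: time of its ban}."""
    hits = defaultdict(list)   # host -> timestamps of matching rejects
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue           # anything else in mail.log is not a failure
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        if host in bans and (ts - bans[host]).total_seconds() < bantime:
            continue           # still banned: the firewall rule would drop it
        # only rejects inside the findtime window count towards maxretry
        window = [t for t in hits[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
    return bans

# Constructed sample lines (documentation addresses), modelled on the log above.
TAIL = "454 4.7.1 <a@example.com>: Relay access denied; from=<t@example.net> to=<a@example.com> proto=ESMTP helo=<[192.168.2.33]>"
SAMPLE_LOG = [
    f"Aug  1 00:09:25 color postfix/smtpd[20416]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: {TAIL}",
    f"Aug  1 00:46:01 color postfix/smtpd[21359]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: {TAIL}",
    f"Aug  1 02:57:09 color postfix/smtpd[24471]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: {TAIL}",
    "Aug  1 03:10:00 color postfix/smtpd[24500]: connect from unknown[198.51.100.7]",
    f"Aug  2 03:30:00 color postfix/smtpd[30000]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: {TAIL}",
]

if __name__ == "__main__":
    for host, when in ban_decisions(SAMPLE_LOG).items():
        print(f"{host} banned at {when} for {BANTIME // 86400} days")
```

With the jail's findtime of one day only the first host is banned; the second host's two rejects are 24h33m apart, which is why a slow scanner like the one in this thread needs a long findtime or will slip through.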

It wasn't a hassle, of course; Postfix no longer has to deal with the blocked IPs now. (I just couldn't be bothered this morning)

Thanks for the kick in the a...
 