Reputation: 134
I am afraid that my VPS server is being attacked, as the postfix logs have hundreds of lines with these messages:
May 24 10:50:32 ukvps postfix/smtpd[29971]: warning: hostname xep9.flink.uz does not resolve to address 91.234.218.9: Name or service not known
May 24 10:50:32 ukvps postfix/smtpd[29971]: connect from unknown[91.234.218.9]
May 24 10:50:33 ukvps postfix/smtpd[29971]: lost connection after UNKNOWN from unknown[91.234.218.9]
May 24 10:50:33 ukvps postfix/smtpd[29971]: disconnect from unknown[91.234.218.9]
May 24 10:53:53 ukvps postfix/anvil[29724]: statistics: max connection rate 77/60s for (smtp:91.234.218.9) at May 24 10:48:31
May 24 10:53:53 ukvps postfix/anvil[29724]: statistics: max connection count 1 for (smtp:91.234.218.9) at May 24 10:47:31
May 24 10:53:53 ukvps postfix/anvil[29724]: statistics: max cache size 1 at May 24 10:47:31
May 26 10:51:56 ukvps postfix/smtpd[13694]: warning: hostname myco-bio.com does not resolve to address 112.72.13.230
May 26 10:51:56 ukvps postfix/smtpd[13694]: connect from unknown[112.72.13.230]
May 26 10:51:57 ukvps postfix/smtpd[13694]: lost connection after UNKNOWN from unknown[112.72.13.230]
May 26 10:51:57 ukvps postfix/smtpd[13694]: disconnect from unknown[112.72.13.230]
May 26 10:52:19 ukvps postfix/smtpd[13694]: warning: hostname myco-bio.com does not resolve to address 112.72.13.230
May 26 10:52:19 ukvps postfix/smtpd[13694]: connect from unknown[112.72.13.230]
May 26 10:52:20 ukvps postfix/anvil[12258]: statistics: max connection rate 8/60s for (smtp:112.72.13.230) at May 26 10:42:43
May 26 10:52:20 ukvps postfix/anvil[12258]: statistics: max connection count 1 for (smtp:112.72.13.230) at May 26 10:42:21
May 26 10:52:20 ukvps postfix/anvil[12258]: statistics: max cache size 1 at May 26 10:46:06
ii postfix 2.9.6-2 amd64 High-performance mail transport agent
Also, some customers are replying to us with spam complaints about users that don't exist on our domain.
Any help is appreciated, thanks.
Upvotes: 0
Views: 1191
Reputation: 6860
That looks like some portscan or other scanning attempts. They connect, issue some invalid commands and then disconnect. They don't try to send any emails, as in that case you would see in the postfix log info about either accepting those emails or rejecting them.
Regarding the second issue, you are probably a victim of backscatter spam. Some spammer is using your domain names to send out spam. They use your email address like [email protected] to send spam from a botnet or anywhere. When that mail is undeliverable, your users would receive that bounce message. This is worse when they have a catch-all address defined (*@domain.com gets delivered into some mailbox). There is nothing you can do about it as it is completely out of the control of your server or your domain. You can help a little by having strict SPF records, but it doesn't help much.
Upvotes: 1
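The answer's diagnosis rests on one distinction: a scanner connects, sends garbage and drops ("lost connection after UNKNOWN"), while a real delivery attempt leaves an accept (`client=`) or `reject:` line. The script below, an added example that is not part of the question or the answer, turns that distinction into a per-client summary over postfix/smtpd and postfix/anvil log lines. The sample log is constructed: it mirrors the question's excerpt and adds a made-up legitimate client (mail.example.org, 203.0.113.5) so that the "mail" verdict is exercised. The 30 connections/minute threshold for flagging a burst is an assumption, not a postfix default.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the question's excerpt plus one invented
# client (203.0.113.5) that actually attempts delivery.
SAMPLE_LOG = """\
May 24 10:50:32 ukvps postfix/smtpd[29971]: warning: hostname xep9.flink.uz does not resolve to address 91.234.218.9: Name or service not known
May 24 10:50:32 ukvps postfix/smtpd[29971]: connect from unknown[91.234.218.9]
May 24 10:50:33 ukvps postfix/smtpd[29971]: lost connection after UNKNOWN from unknown[91.234.218.9]
May 24 10:50:33 ukvps postfix/smtpd[29971]: disconnect from unknown[91.234.218.9]
May 24 10:53:53 ukvps postfix/anvil[29724]: statistics: max connection rate 77/60s for (smtp:91.234.218.9) at May 24 10:48:31
May 26 10:51:56 ukvps postfix/smtpd[13694]: connect from unknown[112.72.13.230]
May 26 10:51:57 ukvps postfix/smtpd[13694]: lost connection after UNKNOWN from unknown[112.72.13.230]
May 26 10:51:57 ukvps postfix/smtpd[13694]: disconnect from unknown[112.72.13.230]
May 26 10:52:19 ukvps postfix/smtpd[13694]: connect from unknown[112.72.13.230]
May 26 10:52:20 ukvps postfix/anvil[12258]: statistics: max connection rate 8/60s for (smtp:112.72.13.230) at May 26 10:42:43
May 26 11:00:00 ukvps postfix/smtpd[13700]: connect from mail.example.org[203.0.113.5]
May 26 11:00:01 ukvps postfix/smtpd[13700]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 554 5.7.1 <nobody@example.com>: Relay access denied; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
May 26 11:00:01 ukvps postfix/smtpd[13700]: 5A2B1C3D4E: client=mail.example.org[203.0.113.5]
May 26 11:00:02 ukvps postfix/smtpd[13700]: disconnect from mail.example.org[203.0.113.5]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IP_RE = re.compile(r"\[" + IPV4 + r"\]")              # host[ip] form used by smtpd
CONNECT_RE = re.compile(r"\]: connect from ")         # "]: " keeps "disconnect from" out
DROP_UNKNOWN_RE = re.compile(r"lost connection after UNKNOWN from ")
RDNS_RE = re.compile(r"warning: hostname \S+ does not resolve to address " + IPV4)
ANVIL_RATE_RE = re.compile(r"max connection rate (\d+)/(\d+)s for \(smtp:" + IPV4 + r"\)")
MAIL_EVENT_RE = re.compile(r"(?:reject: |: client=)")  # evidence of a real SMTP transaction


def new_stats():
    return {"connects": 0, "unknown_drops": 0, "rdns_warnings": 0,
            "mail_events": 0, "max_rate_per_min": 0}


def summarize(log_text):
    """Aggregate postfix smtpd/anvil lines into per-client-IP counters."""
    stats = defaultdict(new_stats)
    for line in log_text.splitlines():
        m = ANVIL_RATE_RE.search(line)
        if m:
            count, secs, ip = int(m.group(1)), int(m.group(2)), m.group(3)
            per_min = count * 60 // secs          # normalise anvil's window to one minute
            stats[ip]["max_rate_per_min"] = max(stats[ip]["max_rate_per_min"], per_min)
            continue
        m = RDNS_RE.search(line)
        if m:
            stats[m.group(1)]["rdns_warnings"] += 1   # forward/reverse DNS mismatch
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if CONNECT_RE.search(line):
            stats[ip]["connects"] += 1
        elif DROP_UNKNOWN_RE.search(line):
            stats[ip]["unknown_drops"] += 1       # garbage command, then hang-up
        elif MAIL_EVENT_RE.search(line):
            stats[ip]["mail_events"] += 1         # accept or reject of actual mail
    return dict(stats)


def classify(s, rate_threshold=30):
    """Verdict for one client: 'mail', 'probe', 'probe-burst' or 'other'."""
    if s["mail_events"] > 0:
        return "mail"                              # it tried to deliver something
    if s["unknown_drops"] > 0:
        # Only junk commands and hang-ups: a scanner, not a mail client.
        # rate_threshold (30/min) is an assumed tuning value, not a postfix default.
        return "probe-burst" if s["max_rate_per_min"] >= rate_threshold else "probe"
    return "other"


def report(log_text):
    """Sorted (ip, verdict, counters) rows, suitable for a quick triage print-out."""
    stats = summarize(log_text)
    return sorted((ip, classify(s), s) for ip, s in stats.items())


if __name__ == "__main__":
    for ip, verdict, s in report(SAMPLE_LOG):
        print(f"{ip:16} {verdict:12} {s}")
```

Run it against `/var/log/mail.log` by reading the file into `summarize()`; clients that come out as `probe` or `probe-burst` with zero mail events are the noise the answer describes, and the `rdns_warnings` and `max_rate_per_min` counters give you something concrete to base a rate limit or block decision on rather than the raw log volume.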