[wplug] Since we're talking iptables...
Bill Moran
wmoran at potentialtech.com
Wed Mar 3 22:56:23 EST 2004
Brandon Kuczenski wrote:
> I just checked my root mailbox (probably should get that Logwatch stuff
> forwarded) and found a veritable cow's ass full of Postmaster
> notifications for rejected forwarding of mail.
>
> I am running a relay/Backup-MX for a friend of mine, and all of these
> emails were directed to nonexistent users in his various domains.
>
> I created a new IP Table to DROP smtp requests from the four IP
> addresses that accounted for probably 85% of the emails; but I was
> wondering if there was a 'more right' way to do that.
I don't know if there's a right or wrong here, but I do the same when
I notice particular IPs that are repeatedly. I guess there's some sort
of goof where some mailserver has a "webmaster" account with no password,
since I often see someone trying to use a username=webmaster, blank
password to use my SMTP AUTH for relaying. I generally put a firewall
rule in when I see that kind of activity as well.
> Also, does this indicate some kind of relaying hole in my configuration?
Doesn't seem like it. If you have a hole, you'll know it because you'll
get accused of spamming and it'll be a big surprise to you.
> I was led to believe that, since mail relays have to be public knowledge
> (so that mailers can route mail to the alternate MX) there's nothing you
> can do about it. But I could be misinformed.
Not much. You can block known abusers.
> P.S. the IP addresses were:
> 203.45.211.47
> 203.45.213.190
> 203.45.212.37
Yeah, bigpond has been a problem for me as well.
> 65.103.49.34
qwest.net also has a lot of clients that they let get away with murder.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
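As an added illustration of the approach both posters describe (count the source addresses behind the "user unknown" rejections on the backup MX, then firewall the handful that produce most of them), here is a small Python script. It is not code from either poster; the sample log lines are constructed in a Postfix-style "reject: RCPT from" format (the thread never names the MTA, so that format is an assumption), using the four addresses listed in the post plus two documentation-range addresses that should not be blocked. The `SMTPBLOCK` chain name and the 85% share cut-off are choices for the example, not anything the thread specifies.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log (NOT from the original post). The reject lines mimic
# Postfix's "NOQUEUE: reject: RCPT from host[ip]" format; the first four source
# addresses are the ones quoted in the thread, the last two are RFC 5737
# documentation addresses used here as low-volume noise.
_REJECT_SOURCES = (
    ["203.45.211.47"] * 5 + ["203.45.213.190"] * 3 + ["203.45.212.37"] * 2
    + ["65.103.49.34"] * 2 + ["198.51.100.7"] + ["192.0.2.9"]
)
SAMPLE_LOG = "\n".join(
    f"Mar  3 21:{i:02d}:00 mx2 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from "
    f"unknown[{ip}]: 550 <user{i}@example.org>: Recipient address rejected: User unknown"
    for i, ip in enumerate(_REJECT_SOURCES)
) + "\nMar  3 21:30:00 mx2 postfix/smtpd[1201]: connect from mail.example.net[192.0.2.10]"

# Only recipient rejections count; plain "connect from" lines are ignored.
_REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_rejects(log_text: str) -> Counter:
    """Return a Counter of source IP -> number of rejected RCPT commands."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = _REJECT_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        try:
            ip_address(ip)  # skip anything that is not a syntactically valid address
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def top_offenders(counts: Counter, share: float = 0.85, min_count: int = 2) -> list:
    """Smallest set of IPs (by descending reject count) covering `share` of all
    rejections. `min_count` keeps one-off senders off the block list."""
    total = sum(counts.values())
    if total == 0:
        return []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, cumulative = [], 0
    for ip, n in ordered:
        if n < min_count:
            break
        chosen.append(ip)
        cumulative += n
        if cumulative / total >= share:
            break
    return chosen


def iptables_rules(ips: list, chain: str = "SMTPBLOCK") -> list:
    """Render iptables commands that DROP port-25 connections from `ips`,
    kept in a dedicated chain so the rules can be flushed or reviewed as a unit."""
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]
    rules.append(f"iptables -A INPUT -p tcp --dport 25 -j {chain}")
    return rules


if __name__ == "__main__":
    counts = parse_rejects(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    print("\n".join(iptables_rules(top_offenders(counts))))
```

Running the script prints the per-address counts and then the rule set; with the constructed data the first four addresses account for 12 of 14 rejections, so only they end up in the chain. The `min_count` guard matters in practice: a single misaddressed message from a legitimate sender should not earn a DROP rule.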