  1. #1

    spammer wasting my bandwidth

    I've had a colo'd server with ServerMatrix/ThePlanet (for personal and friends' sites) for about 9 months now without problem. Today I went checking in Orbit, their backend thing, to see my bandwidth usage. I was surprised to see about 1.5 Mbit/s sustained usage. Investigating further, I found an IP, 65.218.31.194, had tons of SMTP connections open to my system.

    Qmail is the mail server I run (primarily because it was easy to set up), and I know that it's not an open relay (at least the configuration isn't, and any online open relay test I could find said it isn't). Anyway, looking at my logs, it looks like that system was constantly trying to send messages through my system. It seems that qmail was accepting the messages but obviously not delivering them. Anyway, I blocked that IP and all's well now, but I'm wondering if any of you have had this happen?

    I put in a script to alert me of huge bandwidth spikes like that, but it freaked me out thinking what the overage would cost me if I didn't notice it until later. Anyone else seen something like that? Anyone know what "Flexible Technologies" is? I'm assuming it's a spammer, but I don't know for sure.

  2. #2
    Unfortunately it is a common problem these days with any mail system that is configured for "catch-all" accounts. One solution is to install the Qmail chkuser patch which will check Vpopmail first to see if the account exists before accepting the mail for delivery.

    A good spot to stop by for advice/tutorials on the chkuser patch is http://www.shupp.org. Bill does a great job with the Qmail toaster he has running over there and runs a very good mailing list.

    Hope this helps,

    Peter
    The Maag Group - Intelligent IT Solutions
    Colocation Dedicated Servers Server Administration
    www.maaggroup.com 877.622.4477

  3. #3
    Also, install iptables and block 65.218.31.194.

  4. #4
    e12pilot, thanks for that info about the patch.

    CretaForce, that's exactly what I did. Thanks, both of you.

  5. #5
    Using a firewall (such as iptables) is the best solution. Good configs will detect heavy usage if you hook Snort up to it.
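A defender-side check for the pattern described in this thread (one remote host opening far more SMTP connections than anyone else), as an added example that is not from any poster here: it counts accepted connections per remote IP in a tcpserver log and prints, without executing, the iptables drop rule suggested in post #3. The log lines are constructed; their field layout assumes tcpserver is run with `-v -H -R` (verbose, no DNS or ident lookup), as in a typical qmail-smtpd run script.

```shell
#!/bin/sh
# Constructed sample of "tcpserver -v -H -R" log lines (assumed format):
#   tcpserver: ok <pid> <localhost>:<localip>:<port> :<remoteip>::<remoteport>
# 65.218.31.194 is the host named in the thread; the other two are documentation addresses.
SAMPLE_LOG='tcpserver: ok 101 mx.example.net:10.0.0.5:25 :65.218.31.194::3301
tcpserver: ok 102 mx.example.net:10.0.0.5:25 :65.218.31.194::3302
tcpserver: ok 103 mx.example.net:10.0.0.5:25 :198.51.100.7::4410
tcpserver: ok 104 mx.example.net:10.0.0.5:25 :65.218.31.194::3303
tcpserver: ok 105 mx.example.net:10.0.0.5:25 :65.218.31.194::3304
tcpserver: ok 106 mx.example.net:10.0.0.5:25 :203.0.113.9::5120'

# smtp_abusers THRESHOLD  < logfile
# Prints "<count> <ip>" for every remote IP with more than THRESHOLD accepted
# connections, busiest first. Only "tcpserver: ok" lines are counted.
smtp_abusers() {
    awk -v thr="$1" '
        $1 == "tcpserver:" && $2 == "ok" {
            # 5th field is ":<remoteip>::<remoteport>"; the IP is the 2nd ":"-separated piece
            n = split($5, f, ":")
            if (n >= 2 && f[2] != "") count[f[2]]++
        }
        END { for (ip in count) if (count[ip] > thr) print count[ip], ip }
    ' | sort -rn
}

# block_rule IP
# Emits the iptables rule that drops SMTP from IP. It is printed, not run, so the
# operator can review the list before applying it as root.
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Run the two steps over the constructed log with a threshold of 3 connections.
main() {
    printf '%s\n' "$SAMPLE_LOG" | smtp_abusers 3 | while read -r count ip; do
        echo "# $ip opened $count SMTP connections"
        block_rule "$ip"
    done
}
```

On a real box, replace `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/qmail/smtpd/current | tai64nlocal` (or wherever multilog writes) and pick a threshold from your normal traffic.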
