[CentOS] pop3 attack

Wed Dec 10 17:02:22 UTC 2008
John Hinton <webmaster at ew3d.com>

James Pifer wrote:
> On Tue, 2008-12-09 at 16:26 -0500, James Pifer wrote:
>
>> Thanks to all. For now I've stopped it using iptables. I tried stopping
>> it at my router without success, yet another reason to replace it! I
>> will also report it to abuse at covad.net. 
>
> My issues have gotten worse. Apparently over the last few days my ip
> address has gotten blacklisted. No idea why. Even though I have a
> commercial class cable modem service, my ip is residential because it
> comes to my house. But I've been running my mail server for several
> years and never had an issue. 
>
> I've tried adding these lines to my sendmail.mc and rebuilding it, but
> then nothing routes, not even local.
>
> define(`SMART_HOST',`smtp-server.carolina.rr.com')dnl
> MASQUERADE_AS(carolina.rr.com)dnl
> FEATURE(`allmasquerade')dnl
> FEATURE(`masquerade_envelope')dnl
>
> Now I'm using mailertable and that appears to be working. 
>
> I'm not even sure this message will get to this list. Seems like I
> haven't received any centos list mail in a while. I have on my other
> lists though.
>
> Any help is appreciated. 
>
> Thanks,
> James
>
James,

Are you using bounce instead of reject anywhere on the system? If so, 
they can bounce their spam to anyone off of your server... also a common 
tactic. Also, things like mail forms on the server with autoresponders 
can be a source of abuse. If they autorespond with the message 
input included, it's just a matter of using the email address you want 
to spam in that form. If the form doesn't have some good checks and 
balances, like Captcha, it's wide open for abuse by bots. Even Captcha 
needs to be tough, as they are using OCR to bust through easy-to-read 
captcha images.

If you are being blacklisted, email is almost certainly coming out of 
your server which contains spam. Depending on the lists, it could be 
spewing a lot.

You may wish to have postmaster and abuse addresses open on that system 
and actually look at them... These are RFCs that should be followed 
anyway... as to whether or not you read them... But I do watch the 
postmaster email for 'quantity changes'. If it rises suddenly, somebody 
is playing.

Good luck,
John Hinton
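As an added example (not from the thread or from John's setup), the "quantity changes" check described above, applied to sendmail's maillog delivery records rather than the postmaster mailbox: count relayed (non-local) deliveries per day and flag a day that jumps well above the median of the earlier days. The log lines are constructed sample data, and the threshold factor and the exact line layout are assumptions.

```python
import re
from collections import Counter
from statistics import median

# Matches sendmail's delivery ("to=") record as written to /var/log/maillog.
DELIVERY_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: \S+: "
    r"to=<(?P<rcpt>[^>]+)>.*?mailer=(?P<mailer>\w+).*?stat=Sent"
)

def make_line(day, hour, rcpt, mailer, n):
    """Build one constructed sendmail delivery line (sample data, not real traffic)."""
    return (f"Dec {day:2d} {hour:02d}:00:{n % 60:02d} mail sendmail[{1000 + n}]: "
            f"mBA{n:05d}: to=<{rcpt}>, delay=00:00:01, mailer={mailer}, "
            f"dsn=2.0.0, stat=Sent (OK)")

# Constructed sample: two ordinary days, then a day on which 40 messages are
# relayed out in the small hours. Local deliveries (mailer=local) are ignored.
SAMPLE_LOG = (
    [make_line(8, 9, "bob@example.net", "esmtp", 1),
     make_line(8, 14, "ann@example.org", "esmtp", 2),
     make_line(8, 16, "james@localhost", "local", 3)]
    + [make_line(9, 8, "carol@example.com", "esmtp", 4),
       make_line(9, 13, "dave@example.net", "esmtp", 5)]
    + [make_line(10, 2, f"rcpt{i}@example.invalid", "esmtp", 10 + i) for i in range(40)]
)

def outbound_per_day(lines):
    """Count successfully relayed (non-local) deliveries per day, in log order."""
    counts = Counter()
    for line in lines:
        m = DELIVERY_RE.match(line)
        if m and m.group("mailer") != "local":
            counts[m.group("day")] += 1
    return dict(counts)

def spike_days(per_day, factor=5):
    """Return (day, count, baseline) for days at or above factor * median of earlier days."""
    flagged, history = [], []
    for day, count in per_day.items():
        if history:
            baseline = median(history)
            if baseline > 0 and count >= factor * baseline:
                flagged.append((day, count, baseline))
        history.append(count)
    return flagged

if __name__ == "__main__":
    for day, count, baseline in spike_days(outbound_per_day(SAMPLE_LOG)):
        print(f"{day}: {count} relayed messages (baseline {baseline}) - somebody is playing")
```

On a live box the same two functions would be fed `open("/var/log/maillog")` instead of SAMPLE_LOG.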