[OT] HELP!!! mail attack

Rodolfo Alcazar Portillo rodolfo.alcazar at padep.org.bo
Wed Mar 26 11:23:49 UTC 2008


Hello. Since Monday, our mailserver (FC5), behind a firewall, has been
suffering a heavy DoS mail attack. We have a user account,
amanda.davila at padep.org.bo and it is receiving millions of emails from
very different sites of the planet. Until now, my only action has been
deleting the account from /etc/password, and the traffic permits
working. We suspect a virus attack...

What else can we do? We would appreciate any help with this issue. Here is
a 20-second log from around 07:15 GMT-4 (too early, many PCs off).

# tethereal |grep RCPT

  0.030421 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  0.084245 193.195.46.98 -> 192.168.1.15 SMTP Command: RCPT To:<amanda.davila at padep.org.bo>
  0.813207 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  1.196831 221.246.173.133 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  1.214975 221.246.173.133 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  1.330348 203.162.4.185 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  1.633672 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  1.999373 64.22.97.151 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  2.674852 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  2.783758 212.241.250.110 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  3.420356 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  3.785264 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  4.742188 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  5.525666 81.80.63.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  5.617303 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  5.854842 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  5.863718 70.103.68.218 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  5.868905 70.103.68.218 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  6.096777 59.124.4.190 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  6.436249 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  6.466815 66.249.92.172 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  7.262385 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
  7.397907 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 10.592647 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 10.594863 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 10.646376 81.72.107.178 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 11.262748 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 11.383742 203.162.4.185 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 11.538739 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 11.568291 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 11.988369 203.190.60.202 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 12.501307 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 12.528634 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 12.807326 220.152.32.164 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 13.115271 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 13.453285 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 13.474763 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 14.099809 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 14.393268 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 14.429214 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 15.034781 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 15.053775 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 15.337869 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 15.378731 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 15.868339 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 16.258275 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 16.312235 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 16.633300 210.162.25.47 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 17.149183  210.147.8.9 -> 192.168.1.15 SMTP Command: RCPT To:<amanda.davila at padep.org.bo>
 17.225328 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 17.237639 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 17.272639 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 17.673762 84.12.48.115 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 17.698118 84.12.48.115 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.182747 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.206657 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.422710 141.156.107.252 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.433819 141.156.107.252 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.588780 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 18.810259 210.162.25.47 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 19.128838 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>
 19.167259 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila at padep.org.bo>

Here you can find a more detailed log:
http://www.padep.org.bo/log20080325/

Thanks, again...
----------------------------------------------
Rodolfo Alcazar - rodolfo.alcazar at padep.org.bo
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
"Don't dream your life, live your dream."
- Unknown author
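
An added example, not part of the original post: a shell/awk summary of `tethereal | grep RCPT` output in the format shown above, tallying RCPT commands per sending host (with a per-second rate over the capture window) and per recipient. The capture lines, IP addresses and the mailbox `victim@example.org` are constructed sample data; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the same column layout as the capture in the post:
# time, source, "->", destination, protocol, command.
sample_capture() {
cat <<'EOF'
  0.000000 192.0.2.10 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  0.500000 198.51.100.7 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  1.000000 192.0.2.10 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  1.500000 203.0.113.5 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  2.000000 192.0.2.10 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  2.500000 198.51.100.7 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  3.000000 192.0.2.10 -> 192.168.1.15 SMTP Command: RCPT TO:<victim@example.org>
  4.000000  203.0.113.9 -> 192.168.1.15 SMTP Command: RCPT To:<victim@example.org>
EOF
}

# rcpt_summary MIN: read capture lines on stdin and print
# "count rate_per_second source" for every source that sent at least
# MIN RCPT commands, busiest first. The rate is taken over the whole window.
rcpt_summary() {
    awk -v min="$1" '
        $3 == "->" && toupper($0) ~ /RCPT TO:/ {
            if (!total) first = $1      # timestamp of first RCPT seen
            last = $1
            total++
            n[$2]++
        }
        END {
            span = last - first
            if (span <= 0) span = 1     # avoid dividing by zero on tiny captures
            for (ip in n)
                if (n[ip] >= min)
                    printf "%d %.2f %s\n", n[ip], n[ip] / span, ip
        }' | sort -rn
}

# rcpt_targets: print "count recipient" for each mailbox named in RCPT TO,
# case-insensitively, to confirm whether one account is being singled out.
rcpt_targets() {
    awk 'toupper($0) ~ /RCPT TO:/ && match($0, /<[^>]*>/) {
             r[tolower(substr($0, RSTART + 1, RLENGTH - 2))]++
         }
         END { for (a in r) printf "%d %s\n", r[a], a }' | sort -rn
}

sample_capture | rcpt_summary 2
sample_capture | rcpt_targets
```

A summary with many sources each sending only a few commands means per-address firewall blocks will not keep up, while a handful of dominant sources can be filtered individually.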




