a lot of spam or something?


Poliman - Serwis
I have a lot of lines like the ones below in my log file:
2FEBF13C3F4 16366 Thu Nov 22 12:28:36 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

251AD13C3C6 16391 Thu Nov 22 13:48:10 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

2BC6013C3E3 16360 Thu Nov 22 10:58:11 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

29DC513C3CF 15221 Thu Nov 22 13:16:13 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.238] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

26D7313C3EA 17275 Thu Nov 22 16:29:11 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.238] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

26E6913C3F9 14786 Thu Nov 22 13:30:05 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

277F613C3FF 16806 Thu Nov 22 19:40:46 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.238] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]

24D5513D005 14865 Fri Nov 23 08:30:49 MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.238] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
[hidden email]


How should I approach this?
--
Pozdrawiam / Best Regards
Piotr Bracha

Re: a lot of spam or something?

Poliman - Serwis
And there is also:
Nov 23 17:33:41 s1 postfix/smtp[27116]: 4922D13D4E9: to=<[hidden email]>, relay=none, delay=4619, delays=4619/0.02/0.1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=allegro.pl type=MX: Host not found, try again)
Nov 23 17:33:41 s1 postfix/smtp[27117]: 7EE8F13E59D: to=<[hidden email]>, relay=none, delay=21340, delays=21340/0.03/0.09/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=allegro.pl type=MX: Host not found, try again)
Nov 23 17:33:41 s1 postfix/smtp[27118]: 7E4FB13C3DD: to=<[hidden email]>, relay=none, delay=84389, delays=84389/0.03/0.09/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=allegro.pl type=MX: Host not found, try again)
Nov 23 17:33:41 s1 postfix/smtp[27119]: 771A113C417: to=<[hidden email]>, relay=none, delay=71827, delays=71827/0.04/0.1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=allegro.pl type=MX: Host not found, try again)

Is it possible to block this? I suppose that somebody is passing themselves off as the allegro.pl domain (it's a huge e-commerce site).

On Fri, 23 Nov 2018 at 17:33, Poliman - Serwis <[hidden email]> wrote:
> I have a lot of lines like the ones below in my log file:
> 2FEBF13C3F4 16366 Thu Nov 22 12:28:36 MAILER-DAEMON
> (host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
> [hidden email]
>
> How should I approach this?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: a lot of spam or something?

Matus UHLAR - fantomas
On 23.11.18 17:33, Poliman - Serwis wrote:
>I have a lot of line like below in log file:
>2FEBF13C3F4 16366 Thu Nov 22 12:28:36 MAILER-DAEMON
>(host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 : Recipient
>address rejected: Ratelimit (in reply to RCPT TO command))
>[hidden email]

you are sending too much mail to [hidden email] and they refuse it.

It's sent from MAILER-DAEMON, which means someone sent mail from [hidden email]
to you. Search for such mail.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.

Re: a lot of spam or something?

Poliman - Serwis


On Fri, 23 Nov 2018 at 22:16, Matus UHLAR - fantomas <[hidden email]> wrote:
> you are sending too much mail to [hidden email] and they refuse it.
>
> It's sent from MAILER-DAEMON, which means someone sent mail from [hidden email]
> to you. Search for such mail.

Thank you for the answer, but I honestly don't fully understand it. Does it mean that MAILER-DAEMON sends too many mails to [hidden email] and someone (automatically?) sends me mails with 450 4.7.1 reject status from [hidden email]? Could you tell me what I should check to stop this sending? It's a mess. ;)

PS
Is Mailer-daemon related to the default root@server_hostname "mail account" on the server?
In mail.log I have only these lines; they appear repeatedly:
Nov 26 07:19:00 s1 postgrey[2030]: action=pass, reason=triplet found, client_name=smtpfarm15.allegro.pl, client_address=194.0.251.103, sender=[hidden email], recipient=[hidden email]
Nov 26 07:19:00 s1 postfix/qmgr[2371]: B5B7C13C3C2: from=<[hidden email]>, size=13135, nrcpt=1 (queue active)
Nov 26 07:19:01 s1 postfix/qmgr[2371]: 9560013C413: from=<[hidden email]>, size=13676, nrcpt=1 (queue active)
Nov 26 07:19:01 s1 amavis[21828]: (21828-11) Passed CLEAN {RelayedInbound}, [194.0.251.103]:40984 [194.0.251.103] <[hidden email]> -> <[hidden email]>, Queue-ID: B5B7C13C3C2, Message-ID: <[hidden email]>, mail_id: dxv-J2c3n1u9, Hits: 0.718, size: 13121, queued_as: 9560013C413, dkim_sd=dkim1024:allegro.pl, 775 ms
Nov 26 07:19:01 s1 postfix/pickup[19325]: A0ABC13CFC6: uid=5000 from=<[hidden email]>
Nov 26 07:19:01 s1 postfix/qmgr[2371]: A0ABC13CFC6: from=<[hidden email]>, size=13910, nrcpt=1 (queue active)
Nov 26 07:19:01 s1 postfix/qmgr[2371]: E25BA13C3C2: from=<[hidden email]>, size=14251, nrcpt=1 (queue active)
Nov 26 07:19:01 s1 amavis[20844]: (20844-15) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1] [194.0.251.103] <[hidden email]> -> <[hidden email]>, Message-ID: <[hidden email]>, mail_id: PrFsIhxDwQ_3, Hits: 0.719, size: 13896, queued_as: E25BA13C3C2, dkim_sd=dkim1024:allegro.pl, 281 ms
Nov 26 07:19:03 s1 postfix/smtp[24219]: 260C013CFC6: host in.hes.trendmicro.eu[52.28.255.96] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:19:03 s1 postfix/smtp[24219]: 260C013CFC6: to=<[hidden email]>, relay=in.hes.trendmicro.eu[52.58.62.239]:25, delay=0.49, delays=0.01/0/0.44/0.03, dsn=4.7.1, status=deferred (host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command))
Nov 26 07:23:42 s1 postfix/smtp[30244]: 5134B13C56C: host in.hes.trendmicro.eu[52.28.255.96] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:23:42 s1 postfix/smtp[30247]: D412713D4F7: host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:23:42 s1 postfix/smtp[30245]: 8238913D001: host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:23:42 s1 postfix/smtp[30248]: 001B213E8A9: host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:23:43 s1 postfix/smtp[30246]: 1766113E056: host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command)
Nov 26 07:23:43 s1 postfix/smtp[30244]: 5134B13C56C: to=<[hidden email]>, relay=in.hes.trendmicro.eu[52.29.207.245]:25, delay=34077, delays=34076/0.05/0.53/0.03, dsn=4.7.1, status=deferred (host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 <[hidden email]>: Recipient address rejected: Ratelimit (in reply to RCPT TO command))


--
Pozdrawiam / Best Regards
Piotr Bracha

Re: a lot of spam or something?

Poliman - Serwis


On Mon, 26 Nov 2018 at 07:37, Poliman - Serwis <[hidden email]> wrote:
> Could you tell me what I should check to stop this sending? It's a mess. ;)

I have found some useful commands:
mailq
postcat -q <ID>

Using the second one I examined one of the suspicious messages, and this is what I got:
[hidden email] sends an email with information about some payment, and this mail is probably redirected or something to another mailbox: a redirection to a private mailbox set by a user on my server. But, probably, there is some missing or wrong letter in the mailbox name, so all the bounced emails get stuck in the queue with the error:
Diagnostic-Code: smtp; 511 sorry, no mailbox here by that name / skrzynka pocztowa odbiorcy nie istnieje (#5.1.1 - vuser)
And these originate from my server, from the mailer daemon. I am not 100% sure I understood the whole log about this specific message properly, but if you would like to help I can paste the headers.

--
Pozdrawiam / Best Regards
Piotr Bracha
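Building on the mailq listing in the first post and the mailq / postcat -q step above, here is an added example (not code from the thread or from Postfix) that parses a mailq listing and groups the queue by envelope sender, DSN code and recipient domain, so that bounces (sender shown as MAILER-DAEMON) piling up for one domain stand out; the function names are mine, and the sample listing, its addresses and the allegro.example domain are constructed.

```python
"""Triage a 'mailq' listing: counts by sender, DSN and recipient domain; flags piled-up bounces."""
import re
from collections import Counter

# Entry header: queue id ('*' active, '!' on hold), size, arrival time, sender.
HEADER_RE = re.compile(r"^([0-9A-Za-z]+)[*!]?\s+(\d+)\s+"
                       r"(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)$")
REASON_RE = re.compile(r"^\s*\((.*)\)\s*$")        # deferral reason line
DSN_RE = re.compile(r"\b([245]\.\d+\.\d+)\b")      # e.g. 4.7.1 or 4.4.3

def parse_mailq(text):
    """Return one dict per queue entry: qid, sender, reason, dsn, recipients."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                       # a new entry starts
            entries.append(dict(qid=m.group(1), sender=m.group(4),
                                reason="", dsn=None, recipients=[]))
        elif not entries or not line.strip():       # column header, blanks
            continue
        elif REASON_RE.match(line):                 # first reason line wins
            if not entries[-1]["reason"]:
                entries[-1]["reason"] = REASON_RE.match(line).group(1)
                d = DSN_RE.search(entries[-1]["reason"])
                entries[-1]["dsn"] = d.group(1) if d else None
        elif "@" in line:                           # indented recipient line
            entries[-1]["recipients"].append(line.strip())
    return entries

def triage(entries):
    """Return Counters keyed 'sender', 'dsn', 'dest' and 'bounce_dest'."""
    dom = lambda addr: addr.rsplit("@", 1)[-1].lower()
    return {
        "sender": Counter(e["sender"] for e in entries),
        "dsn": Counter(e["dsn"] or "none" for e in entries),
        "dest": Counter(dom(r) for e in entries for r in e["recipients"]),
        # many bounces for one domain: we keep bouncing its mail back to it
        "bounce_dest": Counter(dom(r) for e in entries
                               if e["sender"] == "MAILER-DAEMON"
                               for r in e["recipients"]),
    }

# Constructed sample in mailq layout (made-up addresses; the archive hid the real ones).
SAMPLE_MAILQ = """\
2FEBF13C3F4    16366 Thu Nov 22 12:28:36  MAILER-DAEMON
(host in.hes.trendmicro.eu[52.58.62.239] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
                                         shop@allegro.example
251AD13C3C6    16391 Thu Nov 22 13:48:10  MAILER-DAEMON
(host in.hes.trendmicro.eu[52.29.207.245] said: 450 4.7.1 : Recipient address rejected: Ratelimit (in reply to RCPT TO command))
                                         shop@allegro.example
4922D13D4E9*   13135 Fri Nov 23 08:30:49  someone@mydomain.example
(Host or domain name not found. Name service error for name=allegro.pl type=MX: Host not found, try again)
                                         someone@allegro.pl
-- 45 Kbytes in 3 Requests.
"""
```

Feed real `mailq` output to `parse_mailq` and look at `bounce_dest`: a domain that dominates it is the one whose mail your server keeps bouncing, and `postcat -q` on one of those queue ids shows the original recipient and the bounce reason.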

Re: a lot of spam or something?

Matus UHLAR - fantomas
On 26.11.18 08:11, Poliman - Serwis wrote:
>I have found some useful commands:
>mailq
>postcat -q <ID>
>
>Using second one I examined one of suspicious messages and what I got:
>[hidden email] sends email with information about some payment

spam, probably...

> and
>this mail is probably redirected or something to another mailbox.

user setting probably

>Redirection to private mailbox set by user on my server. But - probably -
>there is some missing or wrong letter in mailbox name so all bounced emails
>stuck in queue with error:
>Diagnostic-Code: smtp; 511 sorry, no mailbox here by that name / skrzynka
>pocztowa odbiorcy nie istnieje (#5.1.1 - vuser)
>And these origins from my server, from mailer daemon. I am not 100% sure I
>understood properly whole log about specific message but if you would like
>to help I can paste headers.

pastebin probably, if the error message itself does not explain what's
happening.

I guess you got all you really need to handle the problem.
- fix invalid forward/redirect

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Send this mail to 100 of your acquaintances - let them see what an idiot you are
Send this email to 100 your friends - let them see what an idiot you are

Re: a lot of spam or something?

Poliman - Serwis


On Wed, 28 Nov 2018 at 12:18, Matus UHLAR - fantomas <[hidden email]> wrote:
> I guess you got all you really need to handle the problem.
> - fix invalid forward/redirect

Yes, I fixed it on the day I found out the information I posted. Now it's OK. It was a wrong letter in the redirection to the client's private mail.

--
Pozdrawiam / Best Regards
Piotr Bracha