[exim] How can I tell if my server is getting bombarded with…

Author: Tommy Butler
Date:  
To: exim-users
Subject: [exim] How can I tell if my server is getting bombarded with spam?
I sit and watch the /var/log/exim4/mainlog today and it is full, and I
mean FULL of messages like these:

    2004-12-14 12:04:28 1Ce1nJ-0002gD-5M == b12130528@??? R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
    2004-12-14 12:04:28 1CdwSM-0005g7-Q9 Message is frozen
    2004-12-14 12:04:28 1Ce69H-0003CH-5W Message is frozen
    2004-12-14 12:04:28 1Ce8Yo-0007dy-Gc Message is frozen
    2004-12-14 12:04:28 1CeF9c-0007Kw-Qg Message is frozen
    2004-12-14 12:04:28 1CdawL-0008LS-Ks Message is frozen
    2004-12-14 12:04:28 1CdawT-0008NF-6n Message is frozen
    2004-12-14 12:04:28 1CdhsU-0000IN-08 Message is frozen
    2004-12-14 12:04:28 1Ce2ZC-0007Pp-14 Message is frozen
    2004-12-14 12:04:28 1Cdybx-0002ra-C8 == n12130407@??? R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
    2004-12-14 12:04:28 1CdZLK-0003Lq-Vh Message is frozen
    2004-12-14 12:04:28 1CdaWp-0007AJ-Q1 Message is frozen
    2004-12-14 12:04:28 1Cdwxm-0007az-3c Message is frozen
    2004-12-14 12:04:28 1Cdit3-0007Z7-OB Message is frozen
    2004-12-14 12:04:28 1CdaX4-0007O7-1A Message is frozen
    2004-12-14 12:04:28 1Ce1Dm-0001eN-SX Message is frozen
    2004-12-14 12:04:28 1Ce1yl-0003KY-Et Message is frozen
    2004-12-14 12:04:28 1CdYbg-0000Ah-Jk Message is frozen
    2004-12-14 12:04:28 1Cd1GR-0005Rv-U5 == j12071758@??? R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
    2004-12-14 12:04:28 1Ce21Z-0003kd-VH Message is frozen
    2004-12-14 12:04:28 1CdaFe-0003lW-4d Message is frozen
    2004-12-14 12:04:28 1CdZLM-0003MA-5U Message is frozen
    2004-12-14 12:04:34 1CeFWO-0000Mi-VY SMTP error from remote mailer after MAIL FROM:<> SIZE=3007: host mx.east.cox.net [68.1.17.3]: 452 Message rejected
    2004-12-14 12:04:39 1CeFWO-0000Mi-VY == evocablehound@??? R=dnslookup_relay_to_domains T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<> SIZE=3007: host mx.west.cox.net [68.6.19.3]: 452 Message rejected
    2004-12-14 12:04:39 1CdkAv-0002ob-CE Message is frozen


...And the messages pour in by the hundreds each minute. Thousands and
thousands of strange email addresses appear that look very suspicious...

    krush88@???
    powerboilerplate@???
    ljs98_2000@???
    hystericallyscar@???
    i12072102@???
    y12071839@???
    v12071322@???
    r12130419@???
    y12071756@???
    scythescoulomb@???
    scythescoulomb@???
    i12130502@???
    x12130357@???
    populatingpolished@???
    c12071458@???
    x12130357@???
    i12130310@???
    c12071633@???
    kuzru@???
    kugtf@???
    x12071425@???
    ponycracks@???
    mckj820@???
    g12072308@???
    ctipton@???
    i12130305@???
    leemyuree@???
    hotterhosiery@???
    humiliatesteat@???
    midsectionscurry@???
    hypothalamictempestuously@???
    ...the list goes on and on and on and on.


Are people trying to send seriously huge amounts of spam through my
server? I've installed spampd and SpamAssassin. I'm running Bastille,
snort, psad, samhain, portsentry, clamav, tripwire, chkrootkit, all
kinds of security tools. What is going on?

--
Tommy Butler
tommy@??? <mailto:tommy@atrixnet.com>
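One way to answer the question the post raises from the log shapes it shows, added here as an example (it is not part of the post, and not one of Exim's own tools): parse mainlog lines of those shapes, count distinct frozen message ids, group deferred deliveries by router, and flag deliveries that are bounces (MAIL FROM:<> is the null sender, so the stuck message is a bounce the server itself generated) or that go to recipients whose local part looks machine-generated. The sample lines are constructed to mirror the post's (example domains substituted); the letter-plus-eight-digits pattern, the "relay" substring in router names and the 50% thresholds are assumptions for illustration, not Exim rules.

```python
import re
from collections import Counter

# Constructed sample of Exim 4 mainlog lines, modelled on the shapes in the
# post (domains replaced with RFC 2606 example names; not the poster's data).
SAMPLE_LOG = """\
2004-12-14 12:04:28 1Ce1nJ-0002gD-5M == b12130528@example.com R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
2004-12-14 12:04:28 1CdwSM-0005g7-Q9 Message is frozen
2004-12-14 12:04:28 1Ce69H-0003CH-5W Message is frozen
2004-12-14 12:04:28 1Cdybx-0002ra-C8 == n12130407@example.com R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
2004-12-14 12:04:28 1Cd1GR-0005Rv-U5 == j12071758@example.com R=dnslookup_relay_to_domains T=remote_smtp defer (-53): retry time not reached for any host
2004-12-14 12:04:34 1CeFWO-0000Mi-VY SMTP error from remote mailer after MAIL FROM:<> SIZE=3007: host mx.example.net [192.0.2.3]: 452 Message rejected
2004-12-14 12:04:39 1CeFWO-0000Mi-VY == evocablehound@example.com R=dnslookup_relay_to_domains T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<> SIZE=3007: host mx.example.net [192.0.2.3]: 452 Message rejected
2004-12-14 12:04:39 1CdkAv-0002ob-CE Message is frozen
2004-12-14 12:05:01 1CeFXa-0001Aa-Bb == alice@example.org R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
"""

# "<date> <time> <message-id> <rest>"; Exim message ids are 6-6-2 characters.
LINE_RE = re.compile(r"^(\S+ \S+) (\S{6}-\S{6}-\S{2}) (.*)$")
# A deferred delivery: "== <address> R=<router> T=<transport> defer (<code>): <reason>"
DEFER_RE = re.compile(r"^== (\S+) R=(\S+) T=(\S+) defer \((-?\d+)\): (.*)$")
# Heuristic (assumption, not an Exim rule): one letter followed by eight
# digits, as in the post's recipient list, looks machine-generated.
GENERATED_LOCALPART = re.compile(r"^[a-z]\d{8}$")
# MAIL FROM:<> is the null sender, i.e. the message being delivered is a bounce.
NULL_SENDER = "MAIL FROM:<>"


def parse_line(line):
    """Return a dict describing one mainlog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msgid, rest = m.groups()
    if rest == "Message is frozen":
        return {"ts": ts, "id": msgid, "kind": "frozen"}
    d = DEFER_RE.match(rest)
    if d:
        addr, router, transport, code, reason = d.groups()
        return {"ts": ts, "id": msgid, "kind": "defer", "addr": addr,
                "router": router, "transport": transport,
                "code": int(code), "reason": reason}
    return {"ts": ts, "id": msgid, "kind": "other", "reason": rest}


def analyse(log_text):
    """Summarise frozen messages and deferred deliveries in a chunk of mainlog."""
    frozen_ids = set()  # every queue run logs each frozen message again, so dedupe
    defers_by_router = Counter()
    null_sender = generated = suspicious = total_defers = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "frozen":
            frozen_ids.add(ev["id"])
        elif ev["kind"] == "defer":
            total_defers += 1
            defers_by_router[ev["router"]] += 1
            local_part = ev["addr"].split("@", 1)[0]
            is_generated = bool(GENERATED_LOCALPART.match(local_part))
            is_bounce = NULL_SENDER in ev["reason"]
            generated += is_generated
            null_sender += is_bounce
            suspicious += is_generated or is_bounce
    return {
        "frozen": len(frozen_ids),
        "defers": total_defers,
        "defers_by_router": dict(defers_by_router),
        "null_sender_defers": null_sender,
        "generated_recipients": generated,
        "suspicious_defers": suspicious,
    }


def looks_like_spam_backlog(summary, min_share=0.5):
    """Heuristic verdict (thresholds assumed): most deferrals go through a
    router with 'relay' in its name, and most are bounces or go to
    generated-looking recipients."""
    if summary["defers"] == 0:
        return False
    relay = sum(n for r, n in summary["defers_by_router"].items() if "relay" in r)
    relay_share = relay / summary["defers"]
    suspicious_share = summary["suspicious_defers"] / summary["defers"]
    return relay_share >= min_share and suspicious_share >= min_share


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("verdict:", "spam/bounce backlog" if looks_like_spam_backlog(s) else "looks normal")
```

Run it against a real mainlog with `analyse(open("/var/log/exim4/mainlog").read())`. Exim's own tools give the same first look without a script: `exim -bpc` prints the queue size, `exim -bp` lists it (frozen messages are marked `*** frozen ***`), `exiqsumm` summarises `exim -bp` output by domain, and `exigrep` pulls every log line for one message id so the sender of a frozen message can be inspected.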