sweh wrote 2005-11-29 04:11 pm

The persistent spammer and virus infected PC

Ah, the persistent spammer. I've written a check on my SMTP server: if it sees a certain number of rejected messages from one IP address in a day (between 4am and 4am, approximately), it adds that IP address to the firewall "DROP" list (not "REJECT", just "DROP"; why waste my bandwidth sending back ICMP packets and letting them know sooner that their attempt failed?).

Last night this one triggered.

Nov 28 22:48:57 linode postfix/smtpd[14918]: connect from unknown[66.154.124.17]
Nov 28 22:48:57 linode postfix/smtpd[14918]: NOQUEUE: reject: RCPT from unknown[66.154.124.17]: 450 Client host rejected: cannot find your hostname, [66.154.124.17]; from=<bonushound@sixaces.com> to=<AKW@***MYDOMAIN***> proto=ESMTP helo=<mx1.sixaces.com>
Nov 28 22:48:59 linode postfix/smtpd[14918]: disconnect from unknown[66.154.124.17]

Looking at the logs, it appears he has an old user list from when I ran Spuddy as a public access system and is sending mail to each address in order. Today alone the firewall has blocked 664 more spam attempts from this site.
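The check described above, as an added example (not the post's own script): it parses Postfix smtpd reject lines in the format quoted above, counts rejected RCPT attempts per client IP within a 4am-to-4am accounting day, and emits a DROP rule for each address that reaches the threshold. The log sample, the year (syslog timestamps carry none) and the threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the Postfix smtpd log format quoted above; addresses
# are from documentation ranges. The year is assumed because syslog omits it.
SAMPLE_LOG = """\
Nov 28 22:48:57 linode postfix/smtpd[14918]: connect from unknown[192.0.2.17]
Nov 28 22:48:57 linode postfix/smtpd[14918]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 450 Client host rejected: cannot find your hostname, [192.0.2.17]; from=<a@example.net> to=<x@example.org> proto=ESMTP helo=<mx.example.net>
Nov 28 22:48:59 linode postfix/smtpd[14918]: disconnect from unknown[192.0.2.17]
Nov 28 23:10:01 linode postfix/smtpd[14920]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 450 Client host rejected: cannot find your hostname, [192.0.2.17]; from=<a@example.net> to=<y@example.org> proto=ESMTP helo=<mx.example.net>
Nov 29 03:59:00 linode postfix/smtpd[14921]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 450 Client host rejected: cannot find your hostname, [192.0.2.17]; from=<a@example.net> to=<z@example.org> proto=ESMTP helo=<mx.example.net>
Nov 29 04:00:01 linode postfix/smtpd[14922]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 450 Client host rejected: cannot find your hostname, [192.0.2.17]; from=<a@example.net> to=<w@example.org> proto=ESMTP helo=<mx.example.net>
Nov 28 22:50:00 linode postfix/smtpd[14919]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<b@example.net> to=<x@example.org> proto=ESMTP helo=<h.example.net>
"""

# Only "NOQUEUE: reject: RCPT from host[ip]" lines count; connect/disconnect lines do not.
REJECT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]"
)

def log_day(ts, rollover_hour=4):
    """Map a timestamp onto the post's 4am-to-4am accounting day (shift back, then take the date)."""
    return (ts - timedelta(hours=rollover_hour)).date().isoformat()

def count_rejects(log_text, year=2005, rollover_hour=4):
    """Counter of (accounting_day, client_ip) -> number of rejected RCPT attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        counts[(log_day(ts, rollover_hour), m["ip"])] += 1
    return counts

def offenders(log_text, threshold, **kw):
    """(day, ip, count) for every IP that reached the threshold within one accounting day."""
    hits = [(day, ip, n) for (day, ip), n in count_rejects(log_text, **kw).items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))

def drop_rules(hits):
    """Firewall commands for the offenders: silent DROP, as the post prefers, not REJECT."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for _, ip, _ in hits]

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG, threshold=3)
    for day, ip, n in hits:
        print(f"Day={day} Count={n} source={ip}")
    print("\n".join(drop_rules(hits)))
```

Note that the reject at 04:00:01 on Nov 29 falls into the next accounting day, so it does not push the sample address past the threshold twice.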

Some other people are persistent as well. The first 8 of these were triggered yesterday, the last 8 today.

Rule=3 Count=62 source=pool-71-97-21-64.dfw.dsl-w.verizon.net
Rule=4 Count=4 source=pool-68-237-192-16.ny325.east.verizon.net
Rule=5 Count=60 source=pool-71-107-3-221.lsanca.dsl-w.verizon.net
Rule=6 Count=152 source=65.110.13.68
Rule=7 Count=70 source=211.41.82.66
Rule=8 Count=664 source=mx1.goldfrenzy.com
Rule=9 Count=25 source=217.12.160.5
Rule=10 Count=28 source=pool-71-106-189-7.lsanca.dsl-w.verizon.net
Rule=11 Count=173 source=host86-136-15-252.range86-136.btcentralplus.com
Rule=12 Count=72 source=202.64.192.178
Rule=13 Count=9 source=ANancy-153-1-21-80.w83-196.abo.wanadoo.fr
Rule=14 Count=17 source=pool-68-237-231-152.ny325.east.verizon.net
Rule=15 Count=3 source=205.142.62.24
Rule=16 Count=48 source=pool-71-109-50-107.lsanca.dsl-w.verizon.net
Rule=17 Count=19 source=cpc3-nthc2-4-0-cust35.nrth.cable.ntl.com
Rule=18 Count=6 source=pc17.tri-isys.com
I'd guess most of these are zombied or virus-infected PCs (some persistently so; the ANancy address has shown up with variations for the past 4 days, and probably gets a new dynamic IP address each time it's turned on), but some are clearly spam runs. Wheee

Such fun on the internet!