External email attack

VirtualOdin

Guest
Please excuse any clumsy language but the problem I have is all a bit over my head...

So, in the last 48 hours, a Linux (2.6.9-023stab051.12-smp) server I run with Plesk (9.5.4) has started to be bombarded with emails trying, I think, to use my SMTP relay to send spam. My mail logs are full of this sort of thing.

Jul 25 02:28:08 myipaddress /var/qmail/bin/relaylock[3296]: /var/qmail/bin/relaylock: mail from 68.236.175.55:19970 (static-68-236-175-55.ny325.east.verizon.net)

I should add that they come from dozens of different domains.

For a while, I think because I had left relaying options set to 'authorisation is required' for both POP3 and SMTP, the logs suggested that some of these emails were actually being sent by the server. My server provider shut the relay once my daily limit had been exceeded. When it was restored, switching relaying to 'closed' in Plesk seems to have stopped the actual sending. I don't need it open, so I'll leave it closed.

Now I am just getting my mail logs clogged up with all this junk. Do I just live with that and hope the idiot trying to use my server goes away? Or should I take some further action?

I have not detected any performance issues, there is no mail queue backlog and mail() from PHP scripts still works fine.

I'd appreciate advice.
By the sound of things, this was caused by your Mail Relay being left open, and therefore your IP address was found by spammers and used (until you shut it down).

Now that this is fixed and locked down, this is just a number of lists that hold your IP address or a hostname pointing to it, and they are trying the server to see if it is still open (which it's not).

If they are connecting using the IP address as opposed to a Hostname, you could change the IP of your server (hosting providers should be able to help with this), or if they are connecting to a certain hostname then you could remove this from pointing to your server if possible.

Regards,
Matt
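To judge whether the remaining log noise is worth acting on, it helps to know how many distinct sources are retrying and how often each one comes back. The script below is an added example, not something posted in the thread: it parses qmail relaylock lines in the format quoted in the original post, counts connection attempts per source IP and per reverse-DNS domain, and lists the sources that keep retrying. The sample log is constructed (the first address is the one quoted in the post, the others are RFC 5737 documentation addresses), and the line format is assumed to be exactly as shown in the thread.

```python
import re
from collections import Counter

# qmail relaylock writes one line per inbound SMTP connection, in the format
# quoted in the thread. These sample lines are constructed: the first address
# is the one from the post, the rest are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jul 25 02:28:08 myhost /var/qmail/bin/relaylock[3296]: /var/qmail/bin/relaylock: mail from 68.236.175.55:19970 (static-68-236-175-55.ny325.east.verizon.net)
Jul 25 02:28:11 myhost /var/qmail/bin/relaylock[3297]: /var/qmail/bin/relaylock: mail from 68.236.175.55:19988 (static-68-236-175-55.ny325.east.verizon.net)
Jul 25 02:29:40 myhost /var/qmail/bin/relaylock[3310]: /var/qmail/bin/relaylock: mail from 203.0.113.7:40211 (unknown)
Jul 25 02:30:02 myhost /var/qmail/bin/relaylock[3315]: /var/qmail/bin/relaylock: mail from 198.51.100.23:51002 (mail.example.net)
Jul 25 02:30:05 myhost qmail: 1343183405.123456 new msg 12345
Jul 25 02:31:17 myhost /var/qmail/bin/relaylock[3320]: /var/qmail/bin/relaylock: mail from 68.236.175.55:20031 (static-68-236-175-55.ny325.east.verizon.net)
Jul 25 02:32:50 myhost /var/qmail/bin/relaylock[3331]: /var/qmail/bin/relaylock: mail from 203.0.113.7:40390 (unknown)
"""

# "mail from <ip>:<port> (<reverse dns>)"; the name is "unknown" without a PTR.
RELAYLOCK_RE = re.compile(r"relaylock: mail from (\d{1,3}(?:\.\d{1,3}){3}):\d+ \(([^)]*)\)")

def parse_relaylock(line):
    """Return (source_ip, reverse_dns) for a relaylock line, else None."""
    m = RELAYLOCK_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def rdns_domain(name):
    """Collapse a reverse-DNS name to its last two labels, or 'unknown'."""
    if not name or name == "unknown":
        return "unknown"
    return ".".join(name.rstrip(".").split(".")[-2:])

def summarize(log_text):
    """Count connection attempts per source IP and per reverse-DNS domain."""
    per_ip, per_domain = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_relaylock(line)
        if parsed is None:
            continue  # some other qmail line, not a relaylock connection
        ip, rdns = parsed
        per_ip[ip] += 1
        per_domain[rdns_domain(rdns)] += 1
    return per_ip, per_domain

def repeat_offenders(log_text, min_attempts=3):
    """Source IPs seen at least min_attempts times: the ones worth reviewing
    for a firewall deny rule instead of letting them fill the log."""
    per_ip, _ = summarize(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= min_attempts)
```

Run `summarize(open("/usr/local/psa/var/log/maillog").read())` (path is an assumption; use wherever Plesk writes your mail log) to see whether the noise is a handful of persistent sources, which a firewall rule handles, or hundreds of one-off probes, which is the case Matt describes and which usually just fades.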