Topic: Being attacked from hundreds of IP-addresses from mx-platform.com

[holck]

Recently my small server is experiencing thousands of daily attacks from hundreds of different IP-addresses, all apparently belonging to mx-platform.com or mxplatform.com.

In /var/log/qpsmtpd/current it looks like this (I have anonymized my domain name):

Code: [Select]

2013-02-16 09:45:26.241597500 20208 check_goodrcptto plugin (rcpt): recipient ttixx@mydomain.dk denied
2013-02-16 09:45:26.242350500 20208 logging::logterse plugin (deny): ` 193.183.136.23   confirm13b.mx-platform.com      confirm13b.mx-platform.com      <double-bounce@confirm13b.mx-platform.com>      <ib@mydomain.dk>      check_goodrcptto        901     relaying denied ttixx@mydomain.dk
     msg denied before queued
2013-02-16 09:45:27.650314500 20217 check_goodrcptto plugin (rcpt): recipient uqkjkmg@mydomain.dk denied
2013-02-16 09:45:27.651059500 20217 logging::logterse plugin (deny): ` 193.182.122.92   confirm18e.mxplatform.com       confirm18e.mxplatform.com
       <double-bounce@confirm18e.mxplatform.com>       <ib@mydomain.dk>      check_goodrcptto        901    relaying denied uqkjkmg@mydomain.dk   msg denied before queued

As you can see, the server politely responds "relaying denied" every time, but the attack can make me a little nervous. Any comments or advice?

Jesper Holck
Denmark

[Stefano]

yes

take a deep breath and relax

[Jáder]

or you can block those ip addressess ...using an iptables or a firewall (if you have one).
Maybe if you block connection to your server they will stop boring you.

Be warned you can get more you wish and cannot receive e-mail/web access from those sites too!

Jáder

[holck]

Thanks for the advice. I have taken a deep breath, relaxed, and done a little statistics. The attack continues, but as for now the numbers are:
12,305 attempts from 316 different IP addresses, all registered under mx-platform.com or mxplatform.com. These domains are registered by Go Daddy, I have reported the incident there.

I guess that this kind of coordinated attack must require the attacker to control hundreds of computers belonging to mxplatform.com and mx-platform.com, this is a little scary, I think. The attack seems pretty dumb, they just try to send mail to users with apparently random names: tqwwzl, nlcdky, frvoqjg etc. Each name is tried only once.

The server rolls on nicely

[purvis]

Is your domain registered with Go Daddy?

[holck]

No, my domain is not registered with Go Daddy, it is registered with the Danish company Nettonet. But I used Go Daddy to provide SSL-certificates until 2009, then I switched to RapidSSL.