
I was in the mail logs yesterday when I noticed the following messages, only there were more like 10,000-odd hits:

Jun 21 10:47:10 exi-svr-2 dovecot: pop3-login: Disconnected: user=<tori>, method=PLAIN, rip=67.228.94.206, lip=xxx.xxx.xxx.xxx
Jun 21 10:47:10 exi-svr-2 dovecot: pop3-login: Disconnected: user=<last>, method=PLAIN, rip=67.228.94.206, lip=xxx.xxx.xxx.xxx

I added 67.228.94.206 to my firewall like so:

iptables -I RH-Firewall-1-INPUT -s 67.228.94.206 -j DROP

service iptables save

The attack stopped straight away; however, in the process it managed to obtain a user account and started spoofing with it. I deleted that user account, but it appears that it is still being spoofed, as I am getting flooded with bounce emails from various mail servers:

Jun 22 15:08:08 exi-svr-2 postfix/smtp[27219]: connect to vahoo.com[216.151.212.175]: Connection refused (port 25)
Jun 22 15:08:07 exi-svr-2 postfix/smtp[27158]: connect to mail.gamdak.co.za[196.215.56.13]: Connection refused (port 25)
Jun 22 15:08:07 exi-svr-2 postfix/smtp[27169]: A72A61068460: to=<[email protected]>, relay=none, delay=33839, delays=33839/0.13/0.51/0, dsn=4.4.1, status=deferred (connect to keywordranking.com[208.87.35.105]: Connection refused)
Jun 22 15:08:07 exi-svr-2 postfix/smtp[27169]: connect to keywordranking.com[208.87.35.105]: Connection refused (port 25)
Jun 22 15:08:07 exi-svr-2 postfix/smtp[27179]: 40A9C1068515: to=<[email protected]>, relay=none, delay=32038, delays=32038/0.22/0.19/0, dsn=4.4.1, status=deferred (connect to graintech-makeway.com[50.116.103.74]: Connection refused)

I'm not entirely sure how to go about fixing this, or what preventive measures I need to take to stop this happening going forward. I have read elsewhere that this kind of thing is unavoidable and can pretty much be ignored by not trapping these messages in the log. I'm not entirely comfortable with that solution.

I'm running CentOS 5.6 with Postfix, Dovecot, AMaViS, SpamAssassin, and ClamAV.
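Added example (not part of the original question): a small POSIX shell script that does the triage described above in one pass, counting Dovecot login disconnects per remote IP over a log extract and printing the iptables rule for every IP past a threshold. The log lines are constructed (the two from the question plus three more); the threshold of 3 and the second address 198.51.100.7 are assumptions, while the chain name RH-Firewall-1-INPUT is the one from the question's own command. The script prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original post. Counts Dovecot pop3/imap login
# disconnects per remote IP (rip=) and prints a DROP rule for each IP that
# exceeds a threshold. Nothing here touches the firewall; output is text.

# Constructed log sample: two lines copied from the question, three made up.
# 198.51.100.7 is a documentation address used as a "normal" client.
SAMPLE_LOG='Jun 21 10:47:10 exi-svr-2 dovecot: pop3-login: Disconnected: user=<tori>, method=PLAIN, rip=67.228.94.206, lip=xxx.xxx.xxx.xxx
Jun 21 10:47:10 exi-svr-2 dovecot: pop3-login: Disconnected: user=<last>, method=PLAIN, rip=67.228.94.206, lip=xxx.xxx.xxx.xxx
Jun 21 10:47:11 exi-svr-2 dovecot: pop3-login: Disconnected: user=<admin>, method=PLAIN, rip=67.228.94.206, lip=xxx.xxx.xxx.xxx
Jun 21 10:47:12 exi-svr-2 dovecot: imap-login: Login: user=<tori>, method=PLAIN, rip=198.51.100.7, lip=xxx.xxx.xxx.xxx
Jun 21 10:47:13 exi-svr-2 dovecot: pop3-login: Disconnected: user=<tori>, method=PLAIN, rip=198.51.100.7, lip=xxx.xxx.xxx.xxx'

# failed_logins_by_ip: reads log lines on stdin and prints "count ip", one
# line per remote IP that produced a pop3-login/imap-login Disconnected line,
# highest count first. Successful "Login:" lines are not counted.
failed_logins_by_ip() {
    grep -E 'dovecot: (pop3|imap)-login: Disconnected' \
      | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# brute_force_ips THRESHOLD: prints only the IPs with at least THRESHOLD
# disconnects. In the question the real attacker had thousands; 3 is the
# assumed threshold for this tiny sample.
brute_force_ips() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules THRESHOLD: prints (does not execute) the same iptables command
# the question used, once per offending IP, so it can be reviewed first.
block_rules() {
    brute_force_ips "$1" | while read -r ip; do
        printf 'iptables -I RH-Firewall-1-INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Pipe the real file in with `block_rules 50 < /var/log/maillog` (threshold and path are your call), review the output, then run it and `service iptables save` as the question did. For the "going forward" part, fail2ban ships a dovecot filter that applies exactly this count-and-ban logic continuously, which is less work than re-running a script after each incident.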

1 Answer


If the mails are sent from your user, the external servers can send you the errors. They will stop as soon as they see that the user is not available. Check your Postfix queue to see whether there is any mail waiting to be sent (with the mailq command).

  • Cheers man, cleared the queue and all's well.
    – user11664
    Commented Jul 3, 2012 at 2:31
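Added example (not from the answer above): what "cleared the queue" can look like when only the compromised account's messages should go, rather than everything queued, including legitimate mail. The function parses `postqueue -p` output, which is the format mailq prints on Postfix; the sample below is constructed, and the sender tori@example.com, the third queue entry and the recipient addresses are assumptions. The live delete step, `postsuper -d`, sits in a function that is defined but not run.

```sh
#!/bin/sh
# Added example, not from the original answer. Parses `postqueue -p` (what
# mailq prints under Postfix) and selects the queue IDs of messages with a
# given envelope sender, so postsuper can delete just those.

# Constructed sample of `postqueue -p` output. The first two queue IDs and
# destinations come from the question's log; the rest is made up.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A72A61068460     2361 Fri Jun 22 05:44:08  tori@example.com
(connect to keywordranking.com[208.87.35.105]: Connection refused)
                                         victim@keywordranking.com

40A9C1068515*    2412 Fri Jun 22 06:14:09  tori@example.com
(connect to graintech-makeway.com[50.116.103.74]: Connection refused)
                                         someone@graintech-makeway.com

B1C2D3E4F5A6     1019 Fri Jun 22 09:00:00  alice@example.com
(connect to mail.example.net[192.0.2.10]: Connection timed out)
                                         bob@example.net

-- 6 Kbytes in 3 Requests.'

# queued_ids_from SENDER: reads postqueue -p output on stdin and prints the
# queue ID of every message whose envelope sender is exactly SENDER.
# The header line is dropped with tail; entries are separated by blank lines,
# so awk's paragraph mode (RS="") sees one entry per record, and the sender is
# the last word of the record's first line. A trailing '*' (active) or '!'
# (on hold) after the ID is stripped so postsuper accepts the ID.
queued_ids_from() {
    tail -n +2 | awk -v sender="$1" '
        BEGIN { RS = "" }
        {
            split($0, line, "\n")
            n = split(line[1], f, " ")
            if (n > 1 && f[n] == sender) {
                id = f[1]
                sub(/[*!]$/, "", id)
                print id
            }
        }'
}

# purge_sender SENDER: the live version, deleting only that sender's queued
# mail. Defined but deliberately not called here; run it as root on the
# server. Swap "postsuper -d -" for "postsuper -h -" to hold the messages
# for inspection instead of deleting them.
purge_sender() {
    postqueue -p | queued_ids_from "$1" | postsuper -d -
}

# Stand-alone run against the constructed sample: prints the two IDs queued by
# the compromised account and leaves alice's message alone.
printf '%s\n' "$SAMPLE_QUEUE" | queued_ids_from tori@example.com
```

Two things worth checking before deleting: the `delay=33839` values in the question's log mean those messages had been retried for over nine hours, so a deferred backlog from the hijacked account can keep generating "Connection refused" lines long after the account is gone, which is exactly what the answer points at. Separately, a spammer who used the stolen password also usually forged it as the From address elsewhere, and bounces from other servers to that address keep arriving until those servers give up; those never appear in your own queue, so `mailq` being empty does not mean they have stopped.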
