My email system got hacked...


Feek
07-02-2007, 19:25
Came home to find 320 emails showing waiting for me from webmaster@[oneofmydomains.com]

Checked and there was someone connected to my MDaemon pumping message after message into my system spoofing the from address as the webmaster one and because that was aliased to my main address it was accepted.

I think that the only reason it happened was that although the address was aliased to my main one, I didn't have the [oneofmydomains.com] actually specified as a secondary domain within MDaemon.

I added it, removed the alias and it appears to have stopped. There are still connections trying to come in that are being refused by Tarpit so I'm hoping that once whoever was doing it realises that the hole has been patched that they'll stop.

Luckily I don't think anything got out. I'm not blacklisted anywhere which would happen fairly quickly if it had done.

Bastards :(

Kell_ee001
07-02-2007, 19:31
*hugs*

They suck.

Glad you fixed it though

Fayshun
07-02-2007, 19:34
Bastards :(

Exumptly!

Grr :(

Feek
07-02-2007, 21:46
Lots of connections from that IP are still coming in, but the tweaks I've made to MDaemon have stopped anything nasty happening. I've got fed up with all the attempts so I've firewalled that address in my router :)

/edit - Hmm, firewall rule isn't working :(

Feek
07-02-2007, 22:35
Hmm, tweaking the config in the router wouldn't block it, which is a pain. That meant it was trying to connect and send mail and after a set number of failed attempts, MDaemon would Tarpit it and not allow connections for 20 minutes, then it'd try again.

I've now added a specific block to that IP within MDaemon and also added a DNSBL lookup to http://korea.services.net/ as it's a Korean IP that's trying to connect.

Nightmare :(

Daz
08-02-2007, 10:45
Surely there's a problem with your firewall if you can't block it at IP level there? That's what I'd be working on.

Feek
08-02-2007, 11:35
I've never had much luck with the firewall built into the router. I'll need to have a look at the manual for it before playing again.

The self-induced hole in MDaemon has been fixed; it's just a case now of persuading them that they're not getting back in.

Mark
08-02-2007, 11:38
I'm with Daz, but then I know how easy it is to set up an IP block on my router - done it several times now.

Feek
08-02-2007, 11:50
What doesn't help is that they're using multiple IP ranges so if I'm not there to manually add them all it wouldn't matter anyway.

So now they're connecting, they try and fire off a mail, it gets rejected straight away because of my tweaks and because they fail the DNSBL lookup, then after 3 rejects they get tarpitted for 20 minutes and if they don't get done for that then they get done for 10 rapid connections.

(note, none have actually got as far as DNSBL or the 3 rejects, but that's the possible route through :))

So nothing is getting in.

Daz
08-02-2007, 11:55
Which is priority one of course :) Be nice to stop it all before they even get to your mail server though. Are the IPs all on the same /24 perhaps?

Feek
08-02-2007, 13:13
Well there's a few different ranges so I'm not sure. The most prevalent one I've had has been 61.36.105.145 but there are quite a few from 61.36.105.* and there are other ranges that I've not got a record of here.
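
The reject / DNSBL / tarpit sequence Feek describes a few posts up, together with Daz's "same /24?" question, modelled as an added Python example. This is not code from the thread and has nothing to do with MDaemon's own implementation: the three-rejects-then-20-minute-tarpit and ten-rapid-connections rules are taken from the thread, while the 60-second window for "rapid", the local-domain set, the DNSBL contents and the connection log are all constructed for the example (the 61.36.105.* addresses echo the range quoted above).

```python
import ipaddress
from collections import defaultdict, deque

# Policy parameters as described in the thread.
REJECTS_BEFORE_TARPIT = 3        # "after 3 rejects they get tarpitted"
TARPIT_SECONDS = 20 * 60         # "for 20 minutes"
RAPID_CONNECTION_LIMIT = 10      # "10 rapid connections"
RAPID_WINDOW_SECONDS = 60        # assumption: the thread gives no window, 60 s is a placeholder

# Constructed stand-in for the DNSBL lookup: addresses the list would report as listed.
DNSBL_LISTED = {"61.36.105.145", "61.36.105.200"}
# Constructed set of domains the server is configured to accept mail for.
LOCAL_DOMAINS = {"oneofmydomains.com", "maindomain.example"}

# Constructed connection log: (seconds since start, source IP, envelope recipient domain).
SAMPLE_LOG = (
    [
        (0,  "61.36.105.145", "oneofmydomains.com"),   # listed -> reject #1
        (5,  "61.36.105.145", "oneofmydomains.com"),   # reject #2
        (9,  "61.36.105.145", "oneofmydomains.com"),   # reject #3 -> tarpit until t=1209
        (12, "61.36.105.145", "oneofmydomains.com"),   # inside tarpit -> refused outright
        (30, "198.51.100.7",  "oneofmydomains.com"),   # clean sender, local domain -> accepted
        (40, "61.36.105.200", "elsewhere.example"),    # listed and a relay attempt -> reject
    ]
    # a clean host opening 11 connections in 10 s trips the rapid-connection rule instead
    + [(100 + i, "203.0.113.9", "oneofmydomains.com") for i in range(11)]
    + [(1300, "61.36.105.145", "oneofmydomains.com")]  # tarpit expired -> back to plain reject
)


def evaluate(log):
    """Replay a connection log through the policy; returns (t, ip, decision) per attempt.

    decision is one of "accepted", "rejected" (SMTP error returned, counts towards
    the three-strikes tarpit) or "tarpitted" (connection refused during a tarpit).
    """
    rejects = defaultdict(int)          # consecutive rejects per source IP
    tarpit_until = {}                   # IP -> time the current tarpit ends
    recent = defaultdict(deque)         # IP -> timestamps of recent connections
    decisions = []

    for t, ip, domain in sorted(log):
        # 1. Anything inside an active tarpit is refused before any other check.
        if tarpit_until.get(ip, -1) > t:
            decisions.append((t, ip, "tarpitted"))
            continue

        # 2. Rapid-connection rule: count connections inside the sliding window.
        window = recent[ip]
        window.append(t)
        while window and window[0] < t - RAPID_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RAPID_CONNECTION_LIMIT:
            tarpit_until[ip] = t + TARPIT_SECONDS
            window.clear()
            decisions.append((t, ip, "tarpitted"))
            continue

        # 3. Message-level checks: DNSBL hit, or a relay attempt for a non-local domain.
        if ip in DNSBL_LISTED or domain not in LOCAL_DOMAINS:
            rejects[ip] += 1
            if rejects[ip] >= REJECTS_BEFORE_TARPIT:
                tarpit_until[ip] = t + TARPIT_SECONDS
                rejects[ip] = 0
            decisions.append((t, ip, "rejected"))
            continue

        decisions.append((t, ip, "accepted"))
    return decisions


def decision_counts(decisions):
    """Tally decisions into a plain dict, e.g. {"accepted": 10, "rejected": 5, ...}."""
    counts = defaultdict(int)
    for _, _, decision in decisions:
        counts[decision] += 1
    return dict(counts)


def group_by_network(ips, prefixlen=24):
    """Answer the '/24' question: map each covering network to the IPs seen inside it."""
    groups = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].add(ip)
    return dict(groups)


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for t, ip, decision in results:
        print(f"t={t:5d}  {ip:15s}  {decision}")
    print(decision_counts(results))
    for net, members in sorted(group_by_network(ip for _, ip, _ in SAMPLE_LOG).items()):
        print(net, sorted(members))
```

Replaying the constructed log shows both paths through the policy: the listed 61.36.105.145 host collects three rejects, sits in a tarpit, and is merely rejected again once the 20 minutes have passed, while the unlisted 203.0.113.9 host never fails a lookup but is tarpitted on its tenth connection inside the window. The grouping step is what you would run over a real log before deciding whether one router rule covering 61.36.105.0/24 would do, or whether the ranges are too scattered for that to be worthwhile.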

Darrin
09-02-2007, 00:40
Times like this you almost get to the point of wanting to do a DoS attack on them to ask, "How does it feel?!?!?"

Or am I the only one?...... ;)

Feek
09-02-2007, 09:21
The attempts stopped after roughly 24 hours and there were a few attempts from a completely different IP range a few hours afterwards for an hour or so.

Hopefully that's it now.