The UNIX and Linux Forums  

  #1  
Old 06-06-2004
Registered User
 

Join Date: Oct 2003
Location: Rio de Janeiro - Brazil
Posts: 37
PostFix security question

I have a Postfix mail server running on my eMac, and have been looking at /var/log/mail.log.

I am new to administrating a mail server.

I notice some servers tried to relay messages to unknown recipients in my server, and my Postfix denied access. The "from" and "rcpt to" look very phony.

I did a whois and IP lookup and got an answer that these servers are from China and elsewhere.

Don't know exactly what these guys are trying to do with my server. But I blocked their IPs using "sudo ipfw add deny log ip from 111.222.333.444 to any"

Checked my system with "last" command on the terminal, and my firewall is up.

My guess is that they are collecting domain names using the SMTP protocol. Next step, they might just try to capture the users of the server by making requests using a dictionary word followed by @mydomain. The ones that are accepted, they will write on a list. Am I right?

Questions:

1) What are these guys trying to do?

2) Is blocking their IPs relevant or just a waste of time?

3) Can they ruin my low band (64k)?

4) Should I expect them to come back with other requests on my server?

5) What can I do about this to protect my system?

Thanks for your comments...

Bernardo Höhl
Rio de Janeiro - Brazil
  #2  
Old 06-06-2004
Registered User
 

Join Date: Jul 2002
Location: new york
Posts: 1,025
Blocking their IP at the firewall is the right thing to do. However, there's gonna be other people that are gonna try the same thing. You could write a daemon to monitor the mail log file, and for every relay request that is denied you could add the originating IP to the list of IPs to be blocked.
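A sketch of the log-watching idea from the reply above, as an added example that is not part of the original thread: it counts Postfix "Relay access denied" rejections per source IP and prints `ipfw` deny rules in the form used in the first post, for review rather than automatic execution. The log line layout, the threshold, the allowlist and the sample lines (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed smtpd rejection format: "... reject: RCPT from host[ip]: 554 ...: Relay access denied; ..."
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:NOQUEUE: )?reject: RCPT from \S+\[([^\]]+)\]: \d{3} .*Relay access denied")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    "Jun  6 02:10:01 emac postfix/smtpd[411]: reject: RCPT from unknown[203.0.113.7]: 554 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net>",
    "Jun  6 02:10:03 emac postfix/smtpd[411]: reject: RCPT from unknown[203.0.113.7]: 554 <b@example.net>: Relay access denied; from=<x@example.org> to=<b@example.net>",
    "Jun  6 02:10:05 emac postfix/smtpd[411]: reject: RCPT from unknown[203.0.113.7]: 554 <c@example.net>: Relay access denied; from=<x@example.org> to=<c@example.net>",
    "Jun  6 02:11:40 emac postfix/smtpd[415]: reject: RCPT from mx.example.com[198.51.100.9]: 554 <d@example.net>: Relay access denied; from=<y@example.com> to=<d@example.net>",
    "Jun  6 02:12:00 emac postfix/smtpd[416]: reject: RCPT from lan[192.168.1.20]: 554 <e@example.net>: Relay access denied; from=<me@example.org> to=<e@example.net>",
    "Jun  6 02:12:09 emac postfix/smtpd[417]: connect from unknown[203.0.113.50]",
]

def denied_relay_counts(lines):
    """Count relay rejections per IPv4 source address."""
    counts = Counter()
    for line in lines:
        match = REJECT_RE.search(line)
        if not match:
            continue
        try:
            # Validate before the value can reach a firewall command.
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:
            continue  # not a well-formed IPv4 address: never turn it into a rule
        counts[ip] += 1
    return counts

def block_commands(counts, threshold=3, allow=("127.0.0.0/8", "192.168.0.0/16")):
    """Return ipfw rules for addresses at or above the threshold and outside the allowlist."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    commands = []
    for ip, hits in sorted(counts.items()):
        if hits < threshold or any(ip in net for net in allowed):
            continue  # one-off rejections and your own networks are left alone
        commands.append(f"ipfw add deny log ip from {ip} to any")
    return commands

if __name__ == "__main__":
    for command in block_commands(denied_relay_counts(SAMPLE_LOG)):
        print(command)
```

The threshold keeps a single misaddressed message from causing a block, and the allowlist keeps the script from cutting off your own hosts.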
  #3  
Old 06-06-2004
Registered User
 

Join Date: Oct 2003
Location: Rio de Janeiro - Brazil
Posts: 37
Thanks for your post Norsk!

You have been very helpful.
  #4  
Old 06-06-2004
Registered User
 

Join Date: Jul 2002
Location: new york
Posts: 1,025
no prob.