The attacker comes from
xxx@yyy ~ $ host phpwzym.com
phpwzym.com has address 95.140.38.3
phpwzym.com mail is handled by 10 95.140.39.1010.
xxx@yyy ~ $ whois 95.140.38.3
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '95.140.38.0 - 95.140.38.255'
% Abuse contact for '95.140.38.0 - 95.140.38.255' is '[email protected]'
inetnum: 95.140.38.0 - 95.140.38.255
netname: TERATRADE-NET
descr: VPS SERVERS
country: HU
admin-c: TK6395-RIPE
tech-c: TK6395-RIPE
status: ASSIGNED PA
mnt-by: KGY-MNT
mnt-by: TK6395-MNT
mnt-routes: TK6395-MNT
created: 2015-03-10T11:12:04Z
last-modified: 2015-05-21T19:34:36Z
source: RIPE # Filtered
role: Teratrade Kft
address: Hungary
address: 1123 Budapest
address: Nagytétényi út 190.
phone: +36303654560
abuse-mailbox: [email protected]
nic-hdl: TK6395-RIPE
mnt-by: TK6395-MNT
created: 2015-03-12T16:01:42Z
last-modified: 2015-03-17T14:48:56Z
source: RIPE # Filtered
Teratrade
also allows the creation of fake DNS records
phpwzym.com mail is handled by 10 95.140.39.1010.
With your firewall, you can block access from this host
or from this network
UFW
sudo ufw enable
# for host
sudo ufw deny from 95.140.39.xxx
# for network
sudo ufw deny from 95.140.39.xxx/24
# allow everyone else to connect on port 25, the smtp port
sudo ufw allow 25
# allow other ports
sudo ufw allow 110 # pop3 port
sudo ufw allow xxx # for port xxx
You no longer see any connections because the messages are in the queue waiting for delivery.
The command to empty the queue in postfix is
sudo postsuper -d ALL
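As an added example (not part of the answer above), here is a small Python script that turns the `inetnum` range from a RIPE whois record into CIDR prefixes, checks that the address you actually saw falls inside them, and prints the matching `ufw deny from` commands. The whois lines embedded in it are constructed from the output quoted above; the registry range, the attacker IP and the optional port restriction are the only inputs. The point is that a registry range is not always a single /24, so deriving the prefix by hand (as in `95.140.39.xxx/24`) can miss part of the block or block too much; `summarize_address_range` produces the exact set of prefixes.

```python
import ipaddress
import re

# Constructed sample: the inetnum record as it appears in the RIPE whois
# output above, and the address the `host` lookup resolved to.
WHOIS_OUTPUT = """\
inetnum:        95.140.38.0 - 95.140.38.255
netname:        TERATRADE-NET
descr:          VPS SERVERS
country:        HU
"""
ATTACKER_IP = "95.140.38.3"

# RIPE writes the range as "first - last" on the inetnum line.
INETNUM_RE = re.compile(r"^inetnum:\s*([0-9.]+)\s*-\s*([0-9.]+)\s*$", re.MULTILINE)


def inetnum_to_cidrs(whois_text):
    """Return the CIDR prefixes covering the inetnum range of a RIPE record.

    A registry assignment need not align to one prefix, so this may return
    several networks (e.g. 10.0.0.0 - 10.0.0.5 -> /30 + /31).
    """
    m = INETNUM_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum line found in whois output")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def covers(cidrs, ip):
    """True if ip lies in at least one prefix: a sanity check that the rule
    you are about to add really matches the host seen in the logs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def ufw_deny_rules(cidrs, port=None):
    """Build one `ufw deny from` command per prefix.

    With port=None the whole source block is denied on every port; with a
    port (e.g. 25) only that service is closed to the block, which keeps the
    rest of the server reachable from those addresses.
    """
    rules = []
    for c in cidrs:
        rule = f"sudo ufw deny from {c}"
        if port is not None:
            rule += f" to any port {port}"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    nets = inetnum_to_cidrs(WHOIS_OUTPUT)
    if not covers(nets, ATTACKER_IP):
        raise SystemExit(f"{ATTACKER_IP} is not inside {nets}; check the record")
    for rule in ufw_deny_rules(nets, port=25):
        print(rule)
```

Run it after pasting the real whois record into `WHOIS_OUTPUT`; it prints the `ufw deny from ... to any port 25` line for each prefix, and aborts if the address you observed is not actually inside the record's range (which happens when a lookup returns a different, neighbouring assignment).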