Strange behaviour, abuse report gets rejected by mail server

Raymii Member
edited June 2012 in Help

Howdy,

While analyzing my log files from http://raymii.org I saw some very strange behaviour. Recently I put up a mobile version of the website. I had a page where you could make short URLs. The mobile version has the same pages, just a different layout.

Now that mobile page (http://raymii.org/cms/m.php?title=surl) gets hammered by Chinese IPs. Look:

Via:
cat /var/log/lighttpd/access.log | grep "surl" | grep "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" | egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | tr '[:space:]' '\n' | grep -v "^\s*$" | sort | uniq -c | sort -bnr

This is from 1 day (yesterday), and while this grep only goes for this user agent (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1), all the visitors with that user agent only visit that page. I do not get any PHP errors or anything.

Now I've reported to the abuse addresses for these IPs, but for all of them I get these kinds of errors from gapps:

Delivery to the following recipient failed permanently:

 [email protected]

Technical details of permanent failure: 
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 domain [relst.nl] not allowed.

The IPs are blocked in lighttpd and iptables, the user agent also (just done that, hope it helps). My server does not have a lot of extra load or so, I just don't like my bandwidth going away.

What more can I do?

(Oh, btw, I'm on the night shift this week, so I'll be sleeping for a few hours in a minute, could take a while before I reply)
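
The per-IP count described in the post, as an added example that is not part of the original post: it reads the client address from the first log field instead of matching anything IP-shaped in the line, and goes one step further by counting each client's requests to other pages so the "only visits that page" observation can be checked. It assumes lighttpd's default access log format; the log lines, the documentation-range addresses and the `title=index` page are constructed.

```sh
#!/bin/sh
# Added example. Assumes lighttpd's default accesslog format:
#   %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
UA='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1'

# Constructed sample log; addresses are RFC 5737 documentation ranges.
sample_log() {
cat <<EOF
192.0.2.10 raymii.org - [12/Jun/2012:03:00:01 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "$UA"
192.0.2.10 raymii.org - [12/Jun/2012:03:00:02 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "$UA"
192.0.2.10 raymii.org - [12/Jun/2012:03:00:03 +0200] "POST /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "$UA"
198.51.100.7 raymii.org - [12/Jun/2012:03:01:00 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "http://192.0.2.99/x" "$UA"
198.51.100.7 raymii.org - [12/Jun/2012:03:01:05 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "$UA"
203.0.113.5 raymii.org - [12/Jun/2012:09:10:00 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "$UA"
203.0.113.5 raymii.org - [12/Jun/2012:09:10:09 +0200] "GET /cms/m.php?title=index HTTP/1.1" 200 900 "-" "$UA"
203.0.113.9 raymii.org - [12/Jun/2012:09:11:00 +0200] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# per_ip_summary PAGE UA  (log on stdin)
# Prints "<hits to PAGE> <hits elsewhere> <client IP>" for requests whose
# User-Agent equals UA exactly, busiest client first.
per_ip_summary() {
  awk -F'"' -v page="$1" -v ua="$2" '
    $6 == ua {
      split($1, pre, " "); ip = pre[1]    # %h: the connecting client
      split($2, req, " "); url = req[2]   # request line: METHOD URL PROTO
      if (index(url, page)) hit[ip]++; else other[ip]++
      seen[ip] = 1
    }
    END { for (ip in seen) printf "%d %d %s\n", hit[ip], other[ip], ip }
  ' | sort -k1,1nr -k3,3
}

# single_page_clients PAGE UA MIN  (log on stdin)
# Clients with at least MIN hits on PAGE and no request to anything else.
single_page_clients() {
  per_ip_summary "$1" "$2" | awk -v min="$3" '$1 >= min && $2 == 0 { print $3 }'
}

sample_log | per_ip_summary 'title=surl' "$UA"
```

The address in the Referer of the fourth sample line is never counted as a client, whereas a pattern that extracts every IP-shaped string from the line would count it.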
