Mail spamming or attack?

Hello everyone, I guess my VPS getting attacked by spammer. I noticed that within few hours time my mail log consists of numerous mail attempts from spammer.

My VPS has 2 core CPU with 4GB RAM; and has the clamav, spamassasin, amavis, & csf installed.

Anyone has the idea to get rid of this issue? Thanks.

Apr 29 21:50:19 server postfix/smtpd[20419]: disconnect from host-92-27-2-84.static.as13285.net[92.27.2.84]
Apr 29 21:50:20 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]: 454 4.7.1 Service unavailable; Client host [80.13.44.104] blocked using dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?80.13.44.104; from=<> to=<Marrero_Cecil@domain.com> proto=ESMTP helo=<EX16.SUR-INTERNET.COM>
Apr 29 21:50:21 server postfix/smtpd[20416]: disconnect from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]
Apr 29 21:50:24 server postfix/smtpd[20419]: connect from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:25 server postfix/smtpd[20419]: setting up TLS connection from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:25 server postfix/smtpd[20416]: connect from mail.sadler.at[80.123.104.70]
Apr 29 21:50:25 server postfix/smtpd[20419]: Anonymous TLS connection established from exchange.swissfilms.ch[213.200.251.180]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:25 server postfix/smtpd[20709]: connect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:25 server postfix/smtpd[20416]: setting up TLS connection from mail.sadler.at[80.123.104.70]
Apr 29 21:50:26 server postfix/smtpd[20709]: setting up TLS connection from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:26 server policyd-spf[20494]: None; identity=helo; client-ip=213.200.251.180; helo=exchange.swissfilms.ch; envelope-from=<>; receiver=numbers_danial@domain.com
Apr 29 21:50:26 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.swissfilms.ch[213.200.251.180]: 450 4.1.1 <numbers_danial@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<numbers_danial@domain.com> proto=ESMTP helo=<exchange.swissfilms.ch>
Apr 29 21:50:26 server postfix/smtpd[20416]: Anonymous TLS connection established from mail.sadler.at[80.123.104.70]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:26 server postfix/smtpd[20709]: Anonymous TLS connection established from dataclarityinc.com[96.255.180.21]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:26 server postfix/smtpd[20718]: connect from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:26 server postfix/smtpd[20419]: disconnect from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:27 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:27 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:27 server policyd-spf[20723]: None; identity=helo; client-ip=80.123.104.70; helo=mail.sadler.at; envelope-from=<>; receiver=knox_gretchen@domain.com
Apr 29 21:50:27 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mail.sadler.at[80.123.104.70]: 450 4.1.1 <Knox_Gretchen@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Knox_Gretchen@domain.com> proto=ESMTP helo=<mail.sadler.at>
Apr 29 21:50:27 server postfix/smtpd[20709]: disconnect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:27 server postfix/smtpd[20718]: setting up TLS connection from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:27 server postfix/smtpd[20416]: disconnect from mail.sadler.at[80.123.104.70]
Apr 29 21:50:28 server postfix/smtpd[20718]: Anonymous TLS connection established from smtpmail.mih.org.uk[82.69.46.97]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:28 server policyd-spf[20725]: None; identity=helo; client-ip=82.69.46.97; helo=smtpmail.mih.org.uk; envelope-from=<>; receiver=ott_dawn@domain.com
Apr 29 21:50:29 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from smtpmail.mih.org.uk[82.69.46.97]: 450 4.1.1 <Ott_Dawn@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Ott_Dawn@domain.com> proto=ESMTP helo=<smtpmail.mih.org.uk>
Apr 29 21:50:29 server postfix/smtpd[20718]: disconnect from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:30 server postfix/smtpd[20419]: connect from unknown[110.4.44.55]
Apr 29 21:50:30 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from unknown[110.4.44.55]: 450 4.7.1 Client host rejected: cannot find your hostname, [110.4.44.55]; from=<info@trainingzone.com.my> to=<cyrus@domain.com> proto=ESMTP helo=<server1trainingzonecommy>
Apr 29 21:50:30 server postfix/smtpd[20419]: disconnect from unknown[110.4.44.55]
Apr 29 21:50:30 server postfix/smtpd[20709]: connect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:31 server postfix/smtpd[20709]: setting up TLS connection from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:31 server postfix/smtpd[20709]: Anonymous TLS connection established from dataclarityinc.com[96.255.180.21]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:31 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:31 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:31 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:31 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:32 server postfix/smtpd[20419]: warning: 88.98.35.173: hostname c.fairfieldhigh.tameside.sch.uk verification failed: Name or service not known
Apr 29 21:50:32 server postfix/smtpd[20419]: connect from unknown[88.98.35.173]
Apr 29 21:50:32 server postfix/smtpd[20709]: disconnect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:32 server postfix/smtpd[20419]: setting up TLS connection from unknown[88.98.35.173]
Apr 29 21:50:33 server postfix/smtpd[20419]: Anonymous TLS connection established from unknown[88.98.35.173]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:33 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from unknown[88.98.35.173]: 450 4.7.1 Client host rejected: cannot find your hostname, [88.98.35.173]; from=<> to=<Bowden_Jeanie@domain.com> proto=ESMTP helo=<exchange.fairfieldhs.local>
Apr 29 21:50:34 server postfix/smtpd[20419]: disconnect from unknown[88.98.35.173]
Apr 29 21:50:40 server postfix/smtpd[20718]: connect from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:40 server postfix/smtpd[20416]: connect from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:40 server postfix/smtpd[20416]: setting up TLS connection from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:41 server postfix/smtpd[20718]: setting up TLS connection from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:41 server postfix/smtpd[20416]: Anonymous TLS connection established from mona.bmstech.com.au[203.33.248.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:41 server policyd-spf[20723]: None; identity=helo; client-ip=203.33.248.10; helo=mail.bmstech.com.au; envelope-from=<>; receiver=raymond_elmo@domain.com
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
Apr 29 21:50:41 server postfix/smtpd[20718]: Anonymous TLS connection established from mail.medizin-hst.de[92.79.186.50]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:41 server policyd-spf[20723]: None; identity=helo; client-ip=203.33.248.10; helo=mail.bmstech.com.au; envelope-from=<>; receiver=raymond_elmo@domain.com
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
Apr 29 21:50:42 server postfix/smtpd[20416]: disconnect from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:42 server policyd-spf[20725]: None; identity=helo; client-ip=92.79.186.50; helo=mail.medizin-hst.de; envelope-from=<>; receiver=cummins_susie@domain.com
Apr 29 21:50:42 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from mail.medizin-hst.de[92.79.186.50]: 450 4.1.1 <Cummins_Susie@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Cummins_Susie@domain.com> proto=ESMTP helo=<mail.medizin-hst.de>
Apr 29 21:50:43 server postfix/smtpd[20718]: disconnect from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:56 server postfix/smtpd[20709]: connect from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:56 server postfix/smtpd[20416]: connect from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:57 server postfix/smtpd[20416]: setting up TLS connection from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:57 server postfix/smtpd[20709]: setting up TLS connection from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:57 server postfix/smtpd[20416]: Anonymous TLS connection established from static-198-181.grapevine.transact.net.au[121.127.198.181]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:57 server postfix/smtpd[20419]: connect from exchange.leupamed.at[80.123.184.238]
Apr 29 21:50:57 server postfix/smtpd[20709]: Anonymous TLS connection established from polara1.lnk.telstra.net[165.228.174.43]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:57 server policyd-spf[20723]: None; identity=helo; client-ip=121.127.198.181; helo=remote.patriotalliance.com.au; envelope-from=<>; receiver=robles_robt@domain.com
Apr 29 21:50:57 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from static-198-181.grapevine.transact.net.au[121.127.198.181]: 450 4.1.1 <Robles_Robt@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Robles_Robt@domain.com> proto=ESMTP helo=<remote.patriotalliance.com.au>
Apr 29 21:50:58 server postfix/smtpd[20419]: setting up TLS connection from exchange.leupamed.at[80.123.184.238]
Apr 29 21:50:58 server postfix/smtpd[20416]: disconnect from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20718]: connect from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:50:58 server postfix/smtpd[20419]: Anonymous TLS connection established from exchange.leupamed.at[80.123.184.238]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20416]: connect from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20718]: setting up TLS connection from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:50:59 server postfix/smtpd[20797]: connect from diy2247803.lnk.telstra.net[139.130.128.94]
Apr 29 21:50:59 server postfix/smtpd[20416]: setting up TLS connection from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:50:59 server postfix/smtpd[20709]: disconnect from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:59 server postfix/smtpd[20718]: Anonymous TLS connection established from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:59 server policyd-spf[20494]: None; identity=helo; client-ip=80.123.184.238; helo=exchange.leupamed.at; envelope-from=<>; receiver=hendricks_garth@domain.com
Apr 29 21:50:59 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.leupamed.at[80.123.184.238]: 450 4.1.1 <Hendricks_Garth@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Hendricks_Garth@domain.com> proto=ESMTP helo=<exchange.leupamed.at>
Apr 29 21:50:59 server postfix/smtpd[20797]: setting up TLS connection from diy2247803.lnk.telstra.net[139.130.128.94]
Apr 29 21:50:59 server postfix/smtpd[20416]: Anonymous TLS connection established from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:59 server policyd-spf[20494]: None; identity=helo; client-ip=80.123.184.238; helo=exchange.leupamed.at; envelope-from=<>; receiver=hendricks_garth@domain.com
Apr 29 21:50:59 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.leupamed.at[80.123.184.238]: 450 4.1.1 <Hendricks_Garth@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Hendricks_Garth@domain.com> proto=ESMTP helo=<exchange.leupamed.at>
Apr 29 21:50:59 server postfix/smtpd[20797]: Anonymous TLS connection established from diy2247803.lnk.telstra.net[139.130.128.94]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:51:00 server policyd-spf[20725]: None; identity=helo; client-ip=84.9.16.58; helo=server2008.surveyassociatesltd.local; envelope-from=<>; receiver=peterson_jackson@domain.com
Apr 29 21:51:00 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]: 450 4.1.1 <Peterson_Jackson@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Peterson_Jackson@domain.com> proto=ESMTP helo=<server2008.surveyassociatesltd.local>
Apr 29 21:51:00 server policyd-spf[20723]: None; identity=helo; client-ip=100.0.172.19; helo=rxa-srv1.rxadvance.com; envelope-from=<>; receiver=jack_rosemarie@domain.com
Apr 29 21:51:00 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]: 450 4.1.1 <Jack_Rosemarie@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Jack_Rosemarie@domain.com> proto=ESMTP helo=<RXA-SRV1.RxAdvance.com>
Apr 29 21:51:00 server postfix/smtpd[20419]: disconnect from exchange.leupamed.at[80.123.184.238]
Apr 29 21:51:00 server postfix/smtpd[20709]: connect from remote.lowercolumbiacap.org[74.85.50.138]
Apr 29 21:51:00 server postfix/smtpd[20416]: disconnect from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:51:00 server postfix/smtpd[20718]: disconnect from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:51:00 server postfix/smtpd[20709]: setting up TLS connection from remote.lowercolumbiacap.org[74.85.50.138]
Apr 29 21:51:00 server policyd-spf[20808]: None; identity=helo; client-ip=139.130.128.94; helo=mail.diytiles.com.au; envelope-from=<>; receiver=drake_emil@domain.com
Apr 29 21:51:00 server postfix/smtpd[20797]: NOQUEUE: reject: RCPT from diy2247803.lnk.telstra.net[139.130.128.94]: 450 4.1.1 <Drake_Emil@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Drake_Emil@domain.com> proto=ESMTP helo=<mail.diytiles.com.au>
Apr 29 21:51:00 server postfix/smtpd[20709]: Anonymous TLS connection established from remote.lowercolumbiacap.org[74.85.50.138]: TLSv1 with cipher AES256-SHA (256/256 bits)

change your credentials

change your credentials

Hi Sandeep. Do you mean to change the password for every email accounts?

if possible do it and update the server

Anyone has the idea to get rid of this issue? Thanks.

I think no way to prevent spammer host trying to send spam mail to our server, unless you block the ip's....

if possible do it and update the server

I did that but nothing is help. 

However, after done some researches, I guess either fail2ban or csf might help to solve this issue.
For CSF, need to set the custom regex on CSF but I need someone helping me on the custom regex for detecting the patterns at below.

Apr 29 21:50:20 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]: 454 4.7.1 Service unavailable; Client host [80.13.44.104] blocked using dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?80.13.44.104; from=<> to=<Marrero_Cecil@domain.com> proto=ESMTP helo=<EX16.SUR-INTERNET.COM>
Apr 29 21:50:26 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.swissfilms.ch[213.200.251.180]: 450 4.1.1 <numbers_danial@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<numbers_danial@domain.com> proto=ESMTP helo=<exchange.swissfilms.ch>

I had this regex set in the file /etc/csf/regex.custom.pm, but it did not work.

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+reject: RCPT from \S+: 450 4.1.1/))  {
      return ("SMTP spam attack",$1,"SMTP","1","1");
}

As for fail2ban, I enabled the [postfix-tcpwrapper] at /etc/fail2ban/jail.conf. And, in file /etc/fail2ban/filter.d/postfix.conf, I had the regex pattern set but nothing seems to work as nothing appended into file /etc/hosts.deny.

[postfix-tcpwrapper]
enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/hosts.deny]
logpath  = /var/log/postfix.log
bantime  = 604800
ignoreip = 127.0.0.1/8
findtime  = 300
maxretry = 1

failregex = reject: RCPT from .*\[<HOST>\]: 450 4.1.1
            .*postfix/\smtpd.*reject: RCPT from .*\[<HOST>\]: 450 4.1.1

Anyone can advise me on the regex pattern? Thanks.

My clients getting many spamm massge and today I saw that SpamAssasin is installed on CWP but not enabled.

you can add strict RBL in postfix config to block most spam emails.