Greetings,

I've received around 500 emails from watchdog@[my-email-server] in the last 3 days and don't understand much of them. Can you help me? There are no emails going in or out at this moment (or at least none that I know of). Our mail server consists of only 5 people and we are all in the same office, so we checked while none of us were sending any emails. Hoping to get some answers from you, thanks.

A few examples are:
---- 1 ----
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See ripe.net Icon RIPE Database Terms and Conditions | Docs

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '212.227.0.0 - 212.227.13.255'

% Abuse contact for '212.227.0.0 - 212.227.13.255' is 'abuse@oneandone.net'

inetnum: 212.227.0.0 - 212.227.13.255
netname: IONOS-CUSTOMERS
descr: 1&1 IONOS SE
descr: NCC#1999110113
country: DE
admin-c: IPAD-RIPE
tech-c: IPOP-RIPE
status: ASSIGNED PA
mnt-by: AS8560-MNT
created: 2002-08-20T10:19:50Z
last-modified: 2020-11-30T17:13:35Z
source: RIPE # Filtered

role: IP Administration
address: 1&1 IONOS SE
admin-c: JR2342-RIPE
admin-c: SH15342-RIPE
tech-c: JR2342-RIPE
tech-c: SH15342-RIPE
nic-hdl: IPAD-RIPE
abuse-mailbox: abuse@oneandone.net
mnt-by: AS8560-MNT
created: 2009-05-20T17:24:09Z
last-modified: 2020-11-27T12:38:59Z
source: RIPE # Filtered

role: IP Operations
address: 1&1 IONOS SE
admin-c: JR2342-RIPE
admin-c: SH15342-RIPE
tech-c: JR2342-RIPE
tech-c: SH15342-RIPE
nic-hdl: IPOP-RIPE
abuse-mailbox: abuse@oneandone.net
mnt-by: AS8560-MNT
created: 2009-05-28T16:25:04Z
last-modified: 2020-11-27T12:40:30Z
source: RIPE # Filtered

% Information related to '212.227.0.0/16AS8560'

route: 212.227.0.0/16
descr: IONOS-PA-2
origin: AS8560
mnt-by: AS8560-MNT
created: 2011-04-27T14:38:19Z
last-modified: 2020-11-27T17:48:27Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.102.3 (BLAARKOP)

---- 2 ----
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '60.166.0.0 - 60.175.255.255'

% Abuse contact for '60.166.0.0 - 60.175.255.255' is 'anti-spam@chinatelecom.cn'

inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
abuse-c: AC1573-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-AH
mnt-routes: MAINT-CHINANET-AH
mnt-irt: IRT-CHINANET-CN
last-modified: 2021-06-15T08:06:35Z
source: APNIC

irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: anti-spam@chinatelecom.cn
abuse-mailbox: anti-spam@chinatelecom.cn
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
remarks: anti-spam@chinatelecom.cn was validated on 2022-02-14
mnt-by: MAINT-CHINANET
last-modified: 2022-02-14T07:13:12Z
source: APNIC

role: ABUSE CHINANETCN
address: No.31 ,jingrong street,beijing
address: 100032
country: ZZ
phone: +000000000
e-mail: anti-spam@chinatelecom.cn
admin-c: CH93-AP
tech-c: CH93-AP
nic-hdl: AC1573-AP
remarks: Generated from irt object IRT-CHINANET-CN
remarks: anti-spam@chinatelecom.cn was validated on 2022-02-14
abuse-mailbox: anti-spam@chinatelecom.cn
mnt-by: APNIC-ABUSE
last-modified: 2022-02-14T07:14:09Z
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@chinatelecom.cn
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
mnt-by: MAINT-CHINANET
last-modified: 2022-02-28T06:53:44Z
source: APNIC

person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: ahdata@189.cn
nic-hdl: JW89-AP
mnt-by: MAINT-CHINANET-AH
last-modified: 2014-02-21T01:19:43Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-UK4)

6 days later

Same here. Mine are looking like this:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See ripe.net Icon RIPE Database Terms and Conditions | Docs

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '212.70.149.0 - 212.70.149.255'

% Abuse contact for '212.70.149.0 - 212.70.149.255' is 'abuse@4media.bg'

inetnum: 212.70.149.0 - 212.70.149.255
netname: Net_4Media
org: ORG-AA2048-RIPE
country: BG
admin-c: PD8817-RIPE
tech-c: PD8817-RIPE
status: ASSIGNED PA
mnt-by: MNT-LIR-BG
created: 2022-02-23T09:58:04Z
last-modified: 2022-02-23T09:58:04Z
source: RIPE

organisation: ORG-AA2048-RIPE
org-name: 4Media Ltd.
org-type: OTHER
address: 35, Ivan Vazov str, Sopot, Bulgaria
abuse-c: AA33554-RIPE
mnt-ref: TAMATYA-MNT
mnt-ref: MNT-LIR-BG
mnt-by: MNT-LIR-BG
created: 2018-05-31T08:09:29Z
last-modified: 2021-03-11T14:13:48Z
source: RIPE # Filtered

person: Petar Dimov
address: hostmaster@4vendeta.com
phone: +359988865442
nic-hdl: PD8817-RIPE
mnt-by: TAMATYA-MNT
created: 2016-11-06T19:36:43Z
last-modified: 2017-10-30T23:28:52Z
source: RIPE

% Information related to '212.70.149.0/24AS202325'

route: 212.70.149.0/24
origin: AS202325
mnt-by: MNT-LIR-BG
created: 2022-02-23T09:58:04Z
last-modified: 2022-02-23T09:58:04Z
source: RIPE

% Information related to '212.70.149.0/24AS204428'

route: 212.70.149.0/24
origin: AS204428
mnt-by: MNT-LIR-BG
created: 2022-02-22T14:51:25Z
last-modified: 2022-02-22T14:51:25Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.102.3 (WAGYU)

Also, they are coming like every 45 minutes…

DD4niel (Community Hero, Moolevel 45), best answer set by MAGIC:

Someone is trying to use your mailserver maliciously. Probably trying to use it as a mail relay or guessing passwords to gain access. If you don’t wanna get notified, you should remove your watchdog_notify_email in mailcow.conf.

6 days later

So it is kind of safe for me to ignore those? Is there a best practice to block these attacks? I am not that annoyed by the message to remove the watchdog_notify, but I would very much like to block these attacks if possible. Any advice would be great. Thanks much.

MAGIC (Forum Staff, volunteer, Moolevel 48):

When you receive the message, netfilter has already blocked them for the time you configured in the web panel. You can also permanently ban them there.

I have found it useful to send a warning to the abuse email provided with the report with the offending IP address and description of the offence. Has happened enough times that I wrote a template. Never have I heard back but the attempts have stopped.
In your case it would be “% Abuse contact for ‘212.227.0.0 - 212.227.13.255’ is ‘abuse@oneandone.net’”.
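A script along the lines of the reporting approach described in the reply above, as an added example that is not part of this thread and not mailcow's own code: it parses the RPSL whois text that the watchdog mail quotes, pulls out the abuse contact, the address range, the netname and the origin AS, checks that the IP being reported actually lies inside that range (so the report does not go to the wrong abuse desk), and fills a plain-text report template. The whois sample, the 203.0.113.0/24 range, abuse@example.net, AS64496 and the event lines are constructed documentation values, not data from the thread; the `reporter_host` name is likewise a placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample whois text in the RPSL layout the watchdog mails quote.
# Range, contact and ASN are documentation values (RFC 5737, RFC 5398,
# example.net), not data taken from the thread.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.

% Information related to '203.0.113.0 - 203.0.113.255'

% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@example.net'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-CUSTOMERS
descr:          Example Hosting
descr:          second descr line (RPSL attributes may repeat)
country:        ZZ
status:         ASSIGNED PA
source:         RIPE # Filtered

route:          203.0.113.0/24
origin:         AS64496
source:         RIPE # Filtered
"""

# Constructed events in the shape a mail log reports them (timestamp, detail).
SAMPLE_EVENTS = [
    ("2022-03-01 10:12:44", "SASL LOGIN authentication failed, user=info"),
    ("2022-03-01 10:12:51", "SASL LOGIN authentication failed, user=admin"),
    ("2022-03-01 10:13:02", "relay access denied, RCPT TO external domain"),
]

# The closing quote is optional because forum/mail rendering sometimes drops it.
ABUSE_RE = re.compile(
    r"^%\s*Abuse contact for '(?P<rng>[^']+)' is '(?P<mail>[^'\s]+)'?", re.M)
ATTR_RE = re.compile(r"^(?P<key>[a-z][a-z0-9-]*):\s*(?P<val>.*)$")


def parse_rpsl_objects(text):
    """Split whois output into RPSL objects: one dict per blank-line-separated
    block, each attribute mapped to a list (descr, admin-c etc. repeat)."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):  # server comment, not object data
            continue
        m = ATTR_RE.match(line)
        if m:
            current.setdefault(m["key"], []).append(m["val"].strip())
    if current:
        objects.append(current)
    return objects


def find_object(objects, kind):
    """Return the first object whose class (its first attribute) is `kind`."""
    for obj in objects:
        if next(iter(obj)) == kind:
            return obj
    return None


def ip_in_range(ip, rng):
    """True if `ip` lies within an RPSL 'start - end' range or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    if "-" in rng:
        start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        return start <= addr <= end
    return addr in ipaddress.ip_network(rng.strip(), strict=False)


@dataclass
class AbuseReport:
    recipient: str
    subject: str
    body: str


def build_abuse_report(whois_text, offending_ip, events, reporter_host="mail.example.com"):
    """Turn the quoted whois text plus observed events into an abuse report.
    Returns None when no abuse contact is named or when the IP is outside the
    range that contact is responsible for (wrong desk: better no report)."""
    text = whois_text.replace("\u2018", "'").replace("\u2019", "'")  # curly quotes
    m = ABUSE_RE.search(text)
    if not m or not ip_in_range(offending_ip, m["rng"]):
        return None
    objs = parse_rpsl_objects(text)
    inetnum = find_object(objs, "inetnum") or {}
    route = find_object(objs, "route") or {}
    netname = inetnum.get("netname", ["unknown"])[0]
    origin = route.get("origin", ["unknown"])[0]
    lines = [
        "Hello,",
        "",
        f"Host {offending_ip} (range {m['rng']}, netname {netname}, origin {origin})",
        f"repeatedly attempted unauthorised SMTP use against {reporter_host}:",
        "",
        *[f"  {ts}  {detail}" for ts, detail in events],
        "",
        "All times are UTC. Please investigate the host.",
        f"Regards, postmaster@{reporter_host}",
    ]
    return AbuseReport(recipient=m["mail"],
                       subject=f"Abuse report: {offending_ip} ({netname})",
                       body="\n".join(lines))


if __name__ == "__main__":
    r = build_abuse_report(SAMPLE_WHOIS, "203.0.113.45", SAMPLE_EVENTS)
    print(f"To: {r.recipient}\nSubject: {r.subject}\n\n{r.body}")
```

The range check is the part worth keeping even if the template changes: watchdog quotes the whois record for the network, and a report sent to a desk that does not own the address is simply ignored. Attach the log lines with UTC timestamps, since abuse desks cannot act on a bare IP.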
