Am i under some form of attack

[keat63]

for the last two hours, i've been seeing these failed emails every two minues to various none existant email accounts.

Event: rejected rejected
User: -remote-
Domain:
Sender: [email protected]
Sent Time: Feb 10, 2015 9:46:21 PM
Sender Host: 216-197-229-xxx.sktn.static.domain.sk.ca
Sender IP: 216.197.229.xxx
Authentication: unauthorized
Spam Score:
Recipient: [email protected]
Delivered To:
Delivery User: user
Delivery Domain: domain.co.uk
Router: reject
Transport: **rejected**
Out Time: Feb 10, 2015 9:46:21 PM
ID: 1YLIdi-000Ct2-Dg
Delivery Host: 216-197-229-205.sktn.static.sasknet.sk.ca
Delivery IP: 216.197.229.xxx
Size: 0 bytes

Result: Sender verify failed

 

[keat63]

I've had hundreds of them and they still keep coming

 

[Infopro]

Event: rejected

That's the most important part of the Event Details. It was rejected.

If this doesn't stop them:
Result: Sender verify failed
Then this should:
Result: No Such User Here
Or this:
Result: JunkMail rejected

If they pass everything else you have in place, and things you have yet to, then this:
Result: Message accepted

Am i under some form of attack

IMHO, no. It's just another day in the life of your Web Server.

For the record, one of my servers is showing over 700 of the same exact emails today alone, from many different IP addresses.

 

[keat63]

I'm assuming that it's some form of virus ? as looking at the sending IP's, they appear to be originating from all over the globe.
Worryingly, they are still persisting this morning.
The fact that they are being rejected, at least gives me some relief, however, i'm concerned that it might put un-necessary load on the server.

If i send: "No Such User Here", i'm assuming won't kerb them ,due to where they are coming from?
"No such user here" to one server, isn't going to stop them from the other 1000 servers is it ?

 

[Infopro]

Zombies, everywhere.
/http://support.clean-mx.de/clean-mx/publog.php?country=us
/http://community.spiceworks.com/topic/785806-phishing-from-amoricanexpress-com

 

[keat63]

One of the first things i did last night when i started seeing such a large number was to google it, however, i guess with it being so new, not a great deal was listed on google.
However googling it this morning and there are a lot more results.

This morning, I implemented an exim blacklist tweak, which seems to have killed these off, however, i'm wondering if this thing is morphing, because, no sooner do I block one, a different one is hitting us just as hard.

Edit:

Looking at http://support.clean-mx.de/clean-mx/publog.php?country=us, it looks like AomericanExpress has gone quiet and another one is coming up the ranks.
Blimey, how do you keep up.

 

[dibello]

OK. enough is enough! 14 hour attack from amoricanexpress. now a consistant attack from voice.com.

all separate ip's

I have them blocked by domain, sender verify etc... but I'm starting to get a bad attitude.

How exactly is this being accomplished?

 

[keat63]

I encountered about 6 different ones today, no sooner did i block one, another one started hitting me.
adppi.com was another.

It would appear that it's zombies.
Possibly Infected end user PC's around the globe, all being triggered to start spamming.
This is why blocking is fruitless.

Do you have "Sender Verification Callouts" enabled by any chance ?
Today, I sent a single spoofed test email to my server from home.
My server had at least 8 hits already, so I'm assuming my server doesn't reply back, hence the private mail server is retrying.
Maybe this could partly explain the 1200 or so failures i received with AmoricanExpress.
I've temporarily disabled this, this evening.


I followed your links and installed the exim_blacklist.
I assume this is working.

Today, I've started watching http://support.clean-mx.de/clean-mx/publog.php?country=us and added a few suspect zombies to that list before they have a chance to hit me again.

 

[Infopro]

This is why blocking is fruitless.

You already were.

Event: rejected rejected

Monitoring logs is a very, very good practice to be in. You learn a lot by watching logs closely enough to see trends. Not all issues in those logs requires action though.

 

[keat63]

Sorry InfoPro.
Yes I agree that i'm blocking, but i can already see that my mail server suffered last night. (probably the extra workload)
The boss had a number of timeouts trying to send emails.
What I really meant was blocking the 1200 rejects.

 

[Infopro]

I'm no mail server expert, just ask anyone, but, there shouldn't have been any noticeable load from rejects. Seeing them in the logs is a load on my mind though, you bet. What's next, you know?

It's what you don't see in those logs that you have to worry about more than anything else.

 

[keat63]

Until i get bored, i've now taken to watching Clean MX and adding the latest Zombie to my blacklist.
Another admin task, i could do without, but it's new and still a little exciting.