
Am i under some form of attack

Discussion in 'E-mail Discussions' started by keat63, Feb 10, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    For the last two hours, I've been seeing these failed emails every two minutes to various non-existent email accounts.

    Code:
    Event: rejected rejected
    User: -remote-
    Domain:
    Sender: fxC4480@spamdomain.com
    Sent Time: Feb 10, 2015 9:46:21 PM
    Sender Host: 216-197-229-xxx.sktn.static.domain.sk.ca
    Sender IP: 216.197.229.xxx
    Authentication: unauthorized
    Spam Score:
    Recipient: sales@xxx.co..uk
    Delivered To:
    Delivery User: user
    Delivery Domain: domain.co.uk
    Router: reject
    Transport: **rejected**
    Out Time: Feb 10, 2015 9:46:21 PM
    ID: 1YLIdi-000Ct2-Dg
    Delivery Host: 216-197-229-205.sktn.static.sasknet.sk.ca
    Delivery IP: 216.197.229.xxx
    Size: 0 bytes
    Result: Sender verify failed
     
    #1 keat63, Feb 10, 2015
    Last edited by a moderator: Feb 10, 2015
  2. keat63

    keat63 Well-Known Member
    I've had hundreds of them and they still keep coming.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    That's the most important part of the Event Details. It was rejected.

    If this doesn't stop them:
    Result: Sender verify failed
    Then this should:
    Result: No Such User Here
    Or this:
    Result: JunkMail rejected

    If they pass everything else you have in place, and things you have yet to, then this:
    Result: Message accepted

    IMHO, no. It's just another day in the life of your Web Server.

    For the record, one of my servers is showing over 700 of the same exact emails today alone, from many different IP addresses.
     
  4. keat63

    keat63 Well-Known Member
    I'm assuming that it's some form of virus, as looking at the sending IPs, they appear to be originating from all over the globe.
    Worryingly, they are still persisting this morning.
    The fact that they are being rejected at least gives me some relief; however, I'm concerned that it might put unnecessary load on the server.

    If I send "No Such User Here", I'm assuming it won't curb them, due to where they are coming from?
    "No such user here" to one server isn't going to stop them from the other 1000 servers, is it?
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
    Zombies, everywhere.
    http://support.clean-mx.de/clean-mx/publog.php?country=us
    http://community.spiceworks.com/topic/785806-phishing-from-amoricanexpress-com
     
  6. keat63

    keat63 Well-Known Member
    One of the first things I did last night when I started seeing such a large number was to google it; however, I guess with it being so new, not a great deal was listed on Google.
    However, googling it this morning, there are a lot more results.

    This morning, I implemented an Exim blacklist tweak, which seems to have killed these off; however, I'm wondering if this thing is morphing, because no sooner do I block one than a different one is hitting us just as hard.

    Edit:

    Looking at http://support.clean-mx.de/clean-mx/publog.php?country=us, it looks like AmoricanExpress has gone quiet and another one is coming up the ranks.
    Blimey, how do you keep up?
     
    #6 keat63, Feb 11, 2015
    Last edited: Feb 11, 2015
  7. dibello

    dibello Member

    Joined:
    Oct 6, 2013
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    OK, enough is enough! A 14-hour attack from amoricanexpress, now a consistent attack from voice.com.

    All separate IPs.

    I have them blocked by domain, sender verify, etc., but I'm starting to get a bad attitude.

    How exactly is this being accomplished?
     
  8. keat63

    keat63 Well-Known Member
    I encountered about 6 different ones today; no sooner did I block one than another one started hitting me.
    adppi.com was another.

    It would appear that it's zombies.
    Possibly infected end-user PCs around the globe, all being triggered to start spamming.
    This is why blocking is fruitless.

    Do you have "Sender Verification Callouts" enabled by any chance?
    Today, I sent a single spoofed test email to my server from home.
    My server had at least 8 hits already, so I'm assuming my server doesn't reply back, hence the private mail server is retrying.
    Maybe this could partly explain the 1200 or so failures I received with AmoricanExpress.
    I've temporarily disabled this, this evening.

    I followed your links and installed the exim_blacklist.
    I assume this is working.

    Today, I've started watching http://support.clean-mx.de/clean-mx/publog.php?country=us and added a few suspect zombies to that list before they have a chance to hit me again.
     
    #8 keat63, Feb 11, 2015
    Last edited: Feb 11, 2015
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
    You already were.
    Monitoring logs is a very, very good practice to be in. You learn a lot by watching logs closely enough to see trends. Not all issues in those logs require action, though.
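    As an added example (not from the thread, cPanel or Exim), the short Python script below parses the Event Details layout quoted in post #1 and groups rejects by sender domain, counting distinct source IPs. That is how the "one sender domain, many IPs" zombie pattern keat63 describes in post #8 shows up when you watch the logs for trends as Infopro suggests; a domain seen from many IPs is a botnet campaign, not a single host worth blocking. The report text is constructed; only the Sender, Sender IP and Result fields are used.

```python
import re
from collections import defaultdict

# Constructed sample in the cPanel "Event Details" layout quoted in the thread.
# Real reports carry more fields (Domain, Router, Transport, ...); ignored here.
SAMPLE_REPORT = """\
Event: rejected rejected
Sender: fxC4480@spamdomain.com
Sender IP: 203.0.113.45
Result: Sender verify failed

Event: rejected rejected
Sender: kx1190@spamdomain.com
Sender IP: 198.51.100.7
Result: Sender verify failed

Event: rejected rejected
Sender: zz9@otherdomain.example
Sender IP: 192.0.2.9
Result: No Such User Here
"""

# "Sender IP" is listed before "Sender" so the longer field name wins.
FIELD_RE = re.compile(r"^(Sender IP|Sender|Result):\s*(.*?)\s*$", re.M)


def parse_events(report):
    """Split a report into one dict per event; events are blank-line separated."""
    events = []
    for chunk in re.split(r"\n\s*\n", report.strip()):
        fields = dict(FIELD_RE.findall(chunk))
        if "Sender" in fields and "Sender IP" in fields:
            events.append(fields)
    return events


def summarise_by_domain(events):
    """Per sender domain: reject count, distinct source IPs, and reject reasons."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "results": set()})
    for ev in events:
        domain = ev["Sender"].rpartition("@")[2].lower()
        summary[domain]["count"] += 1
        summary[domain]["ips"].add(ev["Sender IP"])
        summary[domain]["results"].add(ev.get("Result", ""))
    return dict(summary)


def campaign_domains(summary, min_ips=2):
    """Domains rejected from at least min_ips distinct IPs: the zombie pattern."""
    return sorted(d for d, e in summary.items() if len(e["ips"]) >= min_ips)


if __name__ == "__main__":
    s = summarise_by_domain(parse_events(SAMPLE_REPORT))
    for dom in campaign_domains(s):
        print(f"{dom}: {s[dom]['count']} rejects from {len(s[dom]['ips'])} IPs")
```

    Run against a day's worth of exported events, the domain list is what you would compare against a feed such as Clean MX before deciding whether a block is worth the admin time.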
     
  10. keat63

    keat63 Well-Known Member
    Sorry, Infopro.
    Yes, I agree that I'm blocking, but I can already see that my mail server suffered last night (probably the extra workload).
    The boss had a number of timeouts trying to send emails.
    What I really meant was blocking the 1200 rejects.
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    I'm no mail server expert, just ask anyone, but there shouldn't have been any noticeable load from rejects. Seeing them in the logs is a load on my mind though, you bet. What's next, you know?

    It's what you don't see in those logs that you have to worry about more than anything else.
     
  12. keat63

    keat63 Well-Known Member
    Until I get bored, I've now taken to watching Clean MX and adding the latest zombie to my blacklist.
    Another admin task I could do without, but it's new and still a little exciting.
     