Am I under some form of attack?

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
For the last two hours, I've been seeing these failed emails every two minutes to various non-existent email accounts.

Code:
Event: rejected rejected
User: -remote-
Domain:
Sender: [email protected]
Sent Time: Feb 10, 2015 9:46:21 PM
Sender Host: 216-197-229-xxx.sktn.static.domain.sk.ca
Sender IP: 216.197.229.xxx
Authentication: unauthorized
Spam Score:
Recipient: [email protected]
Delivered To:
Delivery User: user
Delivery Domain: domain.co.uk
Router: reject
Transport: **rejected**
Out Time: Feb 10, 2015 9:46:21 PM
ID: 1YLIdi-000Ct2-Dg
Delivery Host: 216-197-229-205.sktn.static.sasknet.sk.ca
Delivery IP: 216.197.229.xxx
Size: 0 bytes
Result: Sender verify failed
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
Event: rejected
That's the most important part of the Event Details. It was rejected.

If this doesn't stop them:
Result: Sender verify failed
Then this should:
Result: No Such User Here
Or this:
Result: JunkMail rejected

If they pass everything else you have in place, and things you have yet to, then this:
Result: Message accepted



Am I under some form of attack?
IMHO, no. It's just another day in the life of your Web Server.

For the record, one of my servers is showing over 700 of the same exact emails today alone, from many different IP addresses.
 

keat63
I'm assuming that it's some form of virus? Looking at the sending IPs, they appear to be originating from all over the globe.
Worryingly, they are still persisting this morning.
The fact that they are being rejected at least gives me some relief; however, I'm concerned that it might put unnecessary load on the server.

If I send "No Such User Here", I'm assuming it won't curb them, due to where they are coming from?
"No such user here" to one server isn't going to stop them from the other 1000 servers, is it?
 

keat63
One of the first things I did last night when I started seeing such a large number was to Google it; however, I guess with it being so new, not a great deal was listed on Google.
However, Googling it this morning, there are a lot more results.

This morning, I implemented an exim blacklist tweak, which seems to have killed these off; however, I'm wondering if this thing is morphing, because no sooner do I block one than a different one is hitting us just as hard.

Edit:

Looking at http://support.clean-mx.de/clean-mx/publog.php?country=us, it looks like AomericanExpress has gone quiet and another one is coming up the ranks.
Blimey, how do you keep up?
 

dibello

Member
Oct 6, 2013
22
0
51
cPanel Access Level
Root Administrator
OK, enough is enough! A 14-hour attack from amoricanexpress, and now a consistent attack from voice.com.

All separate IPs.

I have them blocked by domain, sender verify etc... but I'm starting to get a bad attitude.

How exactly is this being accomplished?
 

keat63
I encountered about 6 different ones today; no sooner did I block one than another one started hitting me.
adppi.com was another.

It would appear that it's zombies.
Possibly infected end-user PCs around the globe, all being triggered to start spamming.
This is why blocking is fruitless.

Do you have "Sender Verification Callouts" enabled by any chance?
Today, I sent a single spoofed test email to my server from home.
My server had at least 8 hits already, so I'm assuming my server doesn't reply back, hence the private mail server is retrying.
Maybe this could partly explain the 1200 or so failures I received with AmoricanExpress.
I've temporarily disabled this, this evening.


I followed your links and installed the exim_blacklist.
I assume this is working.

Today, I've started watching http://support.clean-mx.de/clean-mx/publog.php?country=us and added a few suspect zombies to that list before they have a chance to hit me again.
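As an added example (not code from this thread or from cPanel), here is a Python script that parses records in the key: value layout quoted in the first post and summarises them the way the replies reason about them: how many rejects each rule produced (Sender verify failed, No Such User Here, and so on) and whether one envelope-sender domain is arriving from many distinct IPs, which is the "zombies" pattern keat63 describes and the reason blocking single IPs is fruitless. The records, sender domain and IPs are constructed samples; the field names follow the quoted record, but the functions and the `min_ips` threshold are my own assumptions.

```python
"""Summarise cPanel/Exim delivery-report records (the key: value layout
quoted in the first post). Added example with constructed sample data."""
from collections import Counter, defaultdict
import re

# Constructed sample: three rejects from one spoofed sender domain via
# three unrelated IPs (documentation ranges), plus one accepted message.
SAMPLE_LOG = """\
Event: rejected rejected
Sender: promo@example-spam.invalid
Sent Time: Feb 10, 2015 9:46:21 PM
Sender IP: 198.51.100.7
Recipient: nobody@example.co.uk
Result: Sender verify failed

Event: rejected rejected
Sender: promo@example-spam.invalid
Sent Time: Feb 10, 2015 9:48:20 PM
Sender IP: 203.0.113.44
Recipient: ghost@example.co.uk
Result: No Such User Here

Event: rejected rejected
Sender: promo@example-spam.invalid
Sent Time: Feb 10, 2015 9:50:19 PM
Sender IP: 192.0.2.200
Recipient: ghost@example.co.uk
Result: Sender verify failed

Event: success
Sender: alice@example.co.uk
Sent Time: Feb 10, 2015 9:51:00 PM
Sender IP: 192.0.2.10
Recipient: bob@example.org
Result: Message accepted
"""

# "Key: value"; the value may be empty, as "Domain:" is in the quoted record.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_records(text):
    """Split blank-line separated records into a list of field dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def rejected(records):
    """Records Exim refused at SMTP time: the Event field starts with 'rejected'."""
    return [r for r in records if r.get("Event", "").startswith("rejected")]


def result_counts(records):
    """How many rejects each rule produced, keyed by the Result field."""
    return Counter(r.get("Result", "") for r in rejected(records))


def ips_per_sender_domain(records):
    """Distinct sender IPs seen per envelope-sender domain among the rejects."""
    seen = defaultdict(set)
    for r in rejected(records):
        sender = r.get("Sender", "")
        domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
        ip = r.get("Sender IP", "")
        if domain and ip:
            seen[domain].add(ip)
    return {d: sorted(ips) for d, ips in seen.items()}


def distributed_senders(records, min_ips=3):
    """Sender domains pushed from at least min_ips distinct IPs (assumed
    threshold): one spoofed domain from many hosts, where a domain-level
    rule fits better than chasing individual IPs."""
    return sorted(d for d, ips in ips_per_sender_domain(records).items()
                  if len(ips) >= min_ips)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(result_counts(recs))
    print(ips_per_sender_domain(recs))
    print(distributed_senders(recs))
```

Run it against an export of the delivery report (or a file of pasted records) instead of `SAMPLE_LOG`; a domain that shows up in `distributed_senders` with dozens of IPs is the case where the thread's answer applies: the rejects themselves are the defence working, and the useful follow-up is a sender-domain rule rather than per-IP blocks.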
 

keat63
Sorry InfoPro.
Yes, I agree that I'm blocking, but I can already see that my mail server suffered last night (probably the extra workload).
The boss had a number of timeouts trying to send emails.
What I really meant was blocking the 1200 rejects.
 

Infopro
I'm no mail server expert, just ask anyone, but, there shouldn't have been any noticeable load from rejects. Seeing them in the logs is a load on my mind though, you bet. What's next, you know?

It's what you don't see in those logs that you have to worry about more than anything else.
 

keat63
Until I get bored, I've now taken to watching Clean MX and adding the latest zombie to my blacklist.
Another admin task I could do without, but it's new and still a little exciting.