Monto

Member
Jul 5, 2017
16
2
3
Australia
cPanel Access Level
Root Administrator
In my Mail Delivery Reports I have an email address (From address) that has nothing to do with any account on my VPS sending 3 to 6 emails a day to the same Hotmail address. The Result shows 'Rejected relay attempt:' with the IP. IPs are various but all on the same subnet, only the last quad is different.

In the 'Filter Incoming Emails by Domain' I have listed the spamming domain as *.spamdomain.com but they still keep coming.

Firstly, does 'Rejected relay attempt' mean my server blocked it, or has it got to Hotmail and they rejected it?

Second, is there another way to stop the spamming domain from contacting my server?

Any advice appreciated!
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
Whilst we wait for a tech to come along, could you provide the output for one of those messages from /var/log/exim_mainlog?


Code:
exigrep message_id_here /var/log/exim_mainlog
If you have CSF firewall installed you could add the following to the IP deny list. (using the correct IP of course)

123.456.789.0/24 # do not delete - relay spammer
 

keat63

123.456.789.0/24 would block everything coming from 123.456.789.###

However, it would be good to learn what's causing these.
Has the log rotated maybe?
 

keat63

I have a few of these types of rules.
I work on the basis that there are potentially 4 billion IPv4 addresses, so blocking just 256 of them is a drop in the ocean.

If you are really concerned about dropping all 255, maybe consider researching which country they originate from.
If you've absolutely no dealings with Timbuktu, then don't be afraid to block them.

I apply these types of rules, then I'll remove them again in a few months' time.
They've usually gone by then.
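
Added example, not part of any post in this thread: a shell sketch that counts 'Rejected relay attempt' entries per source /24, so a subnet rule like the one above rests on the log rather than a guess. The log line layout, the sample addresses and the function names are assumptions; only the 'Rejected relay attempt' text and the deny-line comment come from the thread.

```shell
#!/bin/sh
# Constructed sample lines in the usual Exim mainlog layout (assumed format,
# documentation IP ranges, made-up addresses). On a real server, pass
# /var/log/exim_mainlog to the functions below instead.
sample_log() {
cat <<'EOF'
2017-07-05 03:14:07 H=(mx.example.net) [198.51.100.23]:51234 F=<promo@spamdomain.example> rejected RCPT <someone@hotmail.example>: Rejected relay attempt: '198.51.100.23' From: 'promo@spamdomain.example' To: 'someone@hotmail.example'
2017-07-05 09:40:51 H=(mx.example.net) [198.51.100.77]:40112 F=<promo@spamdomain.example> rejected RCPT <someone@hotmail.example>: Rejected relay attempt: '198.51.100.77' From: 'promo@spamdomain.example' To: 'someone@hotmail.example'
2017-07-05 12:00:01 1dSabc-0001Xy-2B <= user@example.com H=localhost [127.0.0.1]:40000 P=esmtpa S=1234
2017-07-05 15:02:33 H=(mx.example.net) [198.51.100.140]:60201 F=<promo@spamdomain.example> rejected RCPT <someone@hotmail.example>: Rejected relay attempt: '198.51.100.140' From: 'promo@spamdomain.example' To: 'someone@hotmail.example'
2017-07-05 21:27:18 H=(mx.example.net) [198.51.100.201]:33870 F=<promo@spamdomain.example> rejected RCPT <someone@hotmail.example>: Rejected relay attempt: '198.51.100.201' From: 'promo@spamdomain.example' To: 'someone@hotmail.example'
2017-07-05 22:10:44 H=(other.example.org) [203.0.113.9]:45001 F=<x@other.example.org> rejected RCPT <y@elsewhere.example>: Rejected relay attempt: '203.0.113.9' From: 'x@other.example.org' To: 'y@elsewhere.example'
EOF
}

# relay_rejects_by_subnet [FILE]
# Reads FILE (or stdin) and prints "<count> <a.b.c.0/24>", busiest subnet first.
# IPv4 only; lines without the relay-reject text are ignored.
relay_rejects_by_subnet() {
    awk '
        /Rejected relay attempt/ {
            # The connecting host is logged as [a.b.c.d], optionally followed by :port
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                split(ip, o, ".")
                count[o[1] "." o[2] "." o[3] ".0/24"]++
            }
        }
        END { for (net in count) print count[net], net }
    ' "$@" | sort -k1,1nr -k2,2
}

# deny_candidates MIN [FILE]
# Prints CSF deny-list style lines for subnets with at least MIN rejected attempts.
deny_candidates() {
    min=$1; shift
    relay_rejects_by_subnet "$@" |
        awk -v min="$min" '$1 >= min { print $2 " # do not delete - relay spammer" }'
}

# Demo on the constructed sample: only the subnet with 3 or more rejects is listed.
sample_log | deny_candidates 3
```

Review the candidate lines before adding any of them to the deny list; a threshold of 3 is only a starting point for a log that sees 3 to 6 attempts a day.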
 

Monto

Although I get no output from the command you gave, I searched the exim mainlog file via CSF, and got the following, which doesn't shed much light?

redacted
 

keat63

If any of this info is unique to you, i.e. email address or IP address, it would be wise to obfuscate some of it.
Do you have SPF and DKIM set up on your domain?
 