Exim Receiving High Volume of Failed Sender Verification

Operating System & Version
CENTOS 7.9
cPanel & WHM Version
v94.0.13

gix0970

Active Member
Sep 30, 2019
37
6
8
Singapore
cPanel Access Level
Root Administrator
I found thousands of this error in the Exim_Mainlog.
It's a single server, single domain, 200 plus email accounts and we can receive more than 6000 events each day, based on Mail Delivery Report. Only 5% of them translate into emails (including spam emails), the rests are dropped during SMTP connection.
I found that most IP addresses are from Russia so I blocked them together with some more IP addresses from various countries.
I picked those with high volume. Quite easy, the range of IP addresses are not so big, even if they are, its still within the range so I could use CIDR to block them. With additional domain tld block like .top, .cc, etc., the number dropped to around 2000 each day. Total IPs being blocked are still below 100.
Now left with those IP that are coming from China - our user based. They come in various IP addresses and it amazed me that, today, I gathered 1,600 events with more than 1,200 unique IP addresses in just 6 days (I only filtered those with Sender verify failed). I find it's not practical to block them one by one.

If you look at this log, both senders and recipients don't exist
[23781] H=(kaztq.net) [180.76.104.203]:58503 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[29970] H=(iavll.com) [140.237.30.58]:58337 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[30034] H=(lrtpj.com) [117.26.231.67]:59488 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[17394] H=(teeultntq.net) [106.12.166.165]:61037 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed: Sender verify
Screenshot 2022-06-25 122325.jpg
What is this? and who ever did this, what could be the reason?
Is this normal for a domain to receive this kind of volume?
Are those IPs spoofed?

Many thanks for reading and let me know your thoughts.
 

gix0970

Active Member
Sep 30, 2019
37
6
8
Singapore
cPanel Access Level
Root Administrator
It involves many non-existent domains, probably more than a thousand. The recipients are non-existent email addresses in our domain. I set up DKIM but not DMARC, but how are they going to help in this?
 

gix0970

Active Member
Sep 30, 2019
37
6
8
Singapore
cPanel Access Level
Root Administrator
This is the top 50 Rejected IPs, taken 26 Jun from 12 am to 10am. You can see how widely distributed they are. I know they didn't pass through but still...
Messages​
Rejected ip​
3​
[121.226.82.102]​
3​
[180.105.236.193]​
3​
[223.242.9.169]​
2​
[111.72.146.74]​
2​
[113.100.142.179]​
2​
[113.76.135.68]​
2​
[113.99.127.138]​
2​
[114.103.76.123]​
2​
[114.104.102.54]​
2​
[114.104.18.96]​
2​
[114.220.142.166]​
2​
[114.224.191.142]​
2​
[114.230.125.93]​
2​
[114.230.126.89]​
2​
[114.231.182.202]​
2​
[114.231.4.214]​
2​
[114.233.122.145]​
2​
[114.233.219.3]​
2​
[114.236.254.237]​
2​
[114.237.19.130]​
2​
[114.97.78.56]​
2​
[114.99.108.187]​
2​
[114.99.8.45]​
2​
[115.151.56.59]​
2​
[115.208.38.138]​
2​
[115.208.71.112]​
2​
[115.209.75.58]​
2​
[115.213.239.247]​
2​
[115.226.146.1]​
2​
[117.27.116.54]​
2​
[117.69.31.46]​
2​
[117.69.46.55]​
2​
[117.70.41.191]​
2​
[117.80.205.43]​
2​
[117.83.168.198]​
2​
[117.83.168.240]​
2​
[117.84.57.2]​
2​
[117.86.191.14]​
2​
[117.89.172.190]​
2​
[117.92.148.46]​
2​
[117.93.94.136]​
2​
[117.94.158.104]​
2​
[117.94.182.35]​
2​
[117.95.201.61]​
2​
[119.112.204.225]​
2​
[119.112.81.238]​
2​
[119.114.110.33]​
2​
[120.229.137.72]​
2​
[121.226.37.160]​
2​
[121.226.45.247]​
 

cPanelWilliam

Administrator
Staff member
Mar 13, 2018
101
16
93
Houston
cPanel Access Level
Root Administrator