Exim Receiving High Volume of Failed Sender Verification

[gix0970]

I found thousands of this error in the Exim_Mainlog.
It's a single server, single domain, 200 plus email accounts and we can receive more than 6000 events each day, based on Mail Delivery Report. Only 5% of them translate into emails (including spam emails), the rests are dropped during SMTP connection.
I found that most IP addresses are from Russia so I blocked them together with some more IP addresses from various countries.
I picked those with high volume. Quite easy, the range of IP addresses are not so big, even if they are, its still within the range so I could use CIDR to block them. With additional domain tld block like .top, .cc, etc., the number dropped to around 2000 each day. Total IPs being blocked are still below 100.
Now left with those IP that are coming from China - our user based. They come in various IP addresses and it amazed me that, today, I gathered 1,600 events with more than 1,200 unique IP addresses in just 6 days (I only filtered those with Sender verify failed). I find it's not practical to block them one by one.

If you look at this log, both senders and recipients don't exist

[23781] H=(kaztq.net) [180.76.104.203]:58503 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[29970] H=(iavll.com) [140.237.30.58]:58337 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[30034] H=(lrtpj.com) [117.26.231.67]:59488 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
[17394] H=(teeultntq.net) [106.12.166.165]:61037 I=[162.214.65.116]:25 F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed: Sender verify

What is this? and who ever did this, what could be the reason?
Is this normal for a domain to receive this kind of volume?
Are those IPs spoofed?

Many thanks for reading and let me know your thoughts.

 

[HostNoc]

Hi
Are you receiving email from Single domain or multiple domain? Have you set DMARC and DKIM record for your doamin?

Regards
SAM
HOstNoc

 

[gix0970]

It involves many non-existent domains, probably more than a thousand. The recipients are non-existent email addresses in our domain. I set up DKIM but not DMARC, but how are they going to help in this?

 

[gix0970]

This is the top 50 Rejected IPs, taken 26 Jun from 12 am to 10am. You can see how widely distributed they are. I know they didn't pass through but still...

Messages​	Rejected ip​
3​	[121.226.82.102]​
3​	[180.105.236.193]​
3​	[223.242.9.169]​
2​	[111.72.146.74]​
2​	[113.100.142.179]​
2​	[113.76.135.68]​
2​	[113.99.127.138]​
2​	[114.103.76.123]​
2​	[114.104.102.54]​
2​	[114.104.18.96]​
2​	[114.220.142.166]​
2​	[114.224.191.142]​
2​	[114.230.125.93]​
2​	[114.230.126.89]​
2​	[114.231.182.202]​
2​	[114.231.4.214]​
2​	[114.233.122.145]​
2​	[114.233.219.3]​
2​	[114.236.254.237]​
2​	[114.237.19.130]​
2​	[114.97.78.56]​
2​	[114.99.108.187]​
2​	[114.99.8.45]​
2​	[115.151.56.59]​
2​	[115.208.38.138]​
2​	[115.208.71.112]​
2​	[115.209.75.58]​
2​	[115.213.239.247]​
2​	[115.226.146.1]​
2​	[117.27.116.54]​
2​	[117.69.31.46]​
2​	[117.69.46.55]​
2​	[117.70.41.191]​
2​	[117.80.205.43]​
2​	[117.83.168.198]​
2​	[117.83.168.240]​
2​	[117.84.57.2]​
2​	[117.86.191.14]​
2​	[117.89.172.190]​
2​	[117.92.148.46]​
2​	[117.93.94.136]​
2​	[117.94.158.104]​
2​	[117.94.182.35]​
2​	[117.95.201.61]​
2​	[119.112.204.225]​
2​	[119.112.81.238]​
2​	[119.114.110.33]​
2​	[120.229.137.72]​
2​	[121.226.37.160]​
2​	[121.226.45.247]​

 

[cPanelWilliam]

Hello! Based on the issue you described, it appears that your server could be the target of a backscatter attack. Although it may be impossible to fully prevent this, we have an article detailing some steps you can take to mitigate this below:

Spam emails coming from the server notice Sender verify failed messages in the queue