Hi, i have more than 6 months using magicspam on my server, with no problems, but today, something like bounced emails attack started, i check the logs and i found this:
2010-04-06 11:09:34 magicspam-plesk[17386]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<ztwabstraction@xxxxxxxxxxxx>,rcpt=<dakota.kid@hotmail.com>
2010-04-06 11:09:34 magicspam-plesk[17388]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<axidiot@xxxxxxxxxxxxxx>,rcpt=<jasweet09@aol.com>
2010-04-06 11:09:34 magicspam-plesk[17397]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<aulyricist@xxxxxxxxxxxxxxxxxxx>,rcpt=<yashiscon2003@yahoo.com>
But i dont have that ip: 190.254.211.55 on any exemption list or white list or something, and the headers of the emails are something like:
Example Header:
Received: (qmail 30164 invoked from network); 6 Apr 2010 11:33:45 -0500
Received: from unknown (HELO 190.254.211.55) (190.254.211.55)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:33:45 -0500
Message-ID: <001101cad57d$90e73420$06aaf82c@MATILDE>
From: "Jody Herra" <jgbusy@xxxxxxxxxxxxxxxxx>
To: "Hamdu Nashallah" <gfghj@hoyod.com>
Subject: Can~We-MeetTo_Share-More_Photos_AndGet-Hooked?
Date: Tue, 6 Apr 2010 11:37:41 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1409
______________________________________________
or this: 187.107.68.240
Apr 6 11:30:55 mail magicspam-plesk[28561]: HAM: mua=0,ip=[187.107.68.240:bb6b44f0.virtua.com.br],helo=<virtua.com.br>,from=<ekyto5916@virtua.com.br>,rcpt=<agon@xxxxxxxxxxxxxxxxxx>
Hi. This is the qmail-send program at mail.xxxxxxxxxxxxxxxxxx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<agon@xxxxxxxxxxxxxxxxx>:
This address no longer accepts mail.
--- Below this line is a copy of the message.
Return-Path: <ekyto5916@virtua.com.br>
Received: (qmail 28639 invoked from network); 6 Apr 2010 11:30:59 -0500
Received: from bb6b44f0.virtua.com.br (HELO virtua.com.br) (187.107.68.240)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:30:57 -0500
From: "Pfizer's Authorized Store Online" <ekyto5916@virtua.com.br>
To: agon@xxxxxxxxxxxxxxxxxxx
Subject: Sale time, agon, Save 80% right now Uxezu
______________________________________________
Maybe somebody can help me to resolve this any help is very appreciated.
regards.
Weird Bounce spam attack
Re: Weird Bounce spam attack
Thank you for contacting us.
The first log entries all contain "mua=1", which indicates that either the sender is authenticating, or they are part of a trusted network. That would be the most likely reason they're getting through. You may need to dig through your server logs to see who was authenticating from the given IP at those times.
As for the last one, it's possible that someone is using your server as a relay, or that they're forging the from-address. If they're forging the from-address, there's not really anything you can do. Instances such as those are classic examples of backscatter.
The first log entries all contain "mua=1", which indicates that either the sender is authenticating, or they are part of a trusted network. That would be the most likely reason they're getting through. You may need to dig through your server logs to see who was authenticating from the given IP at those times.
As for the last one, it's possible that someone is using your server as a relay, or that they're forging the from-address. If they're forging the from-address, there's not really anything you can do. Instances such as those are classic examples of backscatter.
-- MagicSpam Support Team --
Who is online
Users browsing this forum: Google [Bot] and 23 guests