Weird Bounce spam attack

Gator767
Posts: 9
Joined: Mon Apr 20, 2009 5:22 pm

Weird Bounce spam attack

Post by Gator767 » Tue Apr 06, 2010 9:44 am

Hi, I have been using magicspam on my server for more than 6 months with no problems, but today something like a bounced-email attack started. I checked the logs and found this:

2010-04-06 11:09:34 magicspam-plesk[17386]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<ztwabstraction@xxxxxxxxxxxx>,rcpt=<dakota.kid@hotmail.com>

2010-04-06 11:09:34 magicspam-plesk[17388]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<axidiot@xxxxxxxxxxxxxx>,rcpt=<jasweet09@aol.com>

2010-04-06 11:09:34 magicspam-plesk[17397]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<aulyricist@xxxxxxxxxxxxxxxxxxx>,rcpt=<yashiscon2003@yahoo.com>

But I don't have that IP (190.254.211.55) on any exemption list or whitelist or anything, and the headers of the emails are something like:

Example Header:

Received: (qmail 30164 invoked from network); 6 Apr 2010 11:33:45 -0500
Received: from unknown (HELO 190.254.211.55) (190.254.211.55)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:33:45 -0500
Message-ID: <001101cad57d$90e73420$06aaf82c@MATILDE>
From: "Jody Herra" <jgbusy@xxxxxxxxxxxxxxxxx>
To: "Hamdu Nashallah" <gfghj@hoyod.com>
Subject: Can~We-MeetTo_Share-More_Photos_AndGet-Hooked?
Date: Tue, 6 Apr 2010 11:37:41 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1409

______________________________________________

or this: 187.107.68.240

Apr 6 11:30:55 mail magicspam-plesk[28561]: HAM: mua=0,ip=[187.107.68.240:bb6b44f0.virtua.com.br],helo=<virtua.com.br>,from=<ekyto5916@virtua.com.br>,rcpt=<agon@xxxxxxxxxxxxxxxxxx>


Hi. This is the qmail-send program at mail.xxxxxxxxxxxxxxxxxx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<agon@xxxxxxxxxxxxxxxxx>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <ekyto5916@virtua.com.br>
Received: (qmail 28639 invoked from network); 6 Apr 2010 11:30:59 -0500
Received: from bb6b44f0.virtua.com.br (HELO virtua.com.br) (187.107.68.240)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:30:57 -0500
From: "Pfizer's Authorized Store Online" <ekyto5916@virtua.com.br>
To: agon@xxxxxxxxxxxxxxxxxxx
Subject: Sale time, agon, Save 80% right now Uxezu

______________________________________________

Maybe somebody can help me resolve this :) Any help is very much appreciated.

Regards.

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Weird Bounce spam attack

Post by magicspam » Tue Apr 06, 2010 5:31 pm

Thank you for contacting us.

The first log entries all contain "mua=1", which indicates that either the sender is authenticating, or they are part of a trusted network. That would be the most likely reason they're getting through. You may need to dig through your server logs to see who was authenticating from the given IP at those times.

As for the last one, it's possible that someone is using your server as a relay, or that they're forging the from-address. If they're forging the from-address, there's not really anything you can do. Instances such as those are classic examples of backscatter.

-- MagicSpam Support Team --
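As an added example (not code from the thread or from MagicSpam), a small Python script that parses magicspam-plesk log lines in the format quoted above and summarises, per source IP, the HAM entries carrying mua=1, so you can see which IPs are being treated as authenticated or trusted and how many different envelope senders each one used; it also lists the HAM entries accepted without MUA trust, which are the ones that turn into backscatter if the local recipient does not exist. The sample lines and all addresses are constructed, and the "suspicious" threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the magicspam-plesk log format quoted in the
# thread; sender and recipient addresses are placeholders, not real accounts.
SAMPLE_LOG = """\
2010-04-06 11:09:34 magicspam-plesk[17386]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<ztwabstraction@example.net>,rcpt=<user1@example.com>
2010-04-06 11:09:34 magicspam-plesk[17388]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<axidiot@example.org>,rcpt=<user2@example.com>
2010-04-06 11:09:34 magicspam-plesk[17397]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<aulyricist@example.info>,rcpt=<user3@example.com>
Apr 6 11:30:55 mail magicspam-plesk[28561]: HAM: mua=0,ip=[187.107.68.240:bb6b44f0.virtua.com.br],helo=<virtua.com.br>,from=<ekyto5916@virtua.com.br>,rcpt=<agon@example.invalid>
"""

# One entry: "<prog>[pid]: VERDICT: mua=N,ip=[addr:rdns],helo=<..>,from=<..>,rcpt=<..>"
ENTRY_RE = re.compile(
    r"magicspam-plesk\[(?P<pid>\d+)\]: (?P<verdict>\w+): "
    r"mua=(?P<mua>[01]),ip=\[(?P<ip>[^:\]]+):(?P<rdns>[^\]]*)\],"
    r"helo=<(?P<helo>[^>]*)>,from=<(?P<from>[^>]*)>,rcpt=<(?P<rcpt>[^>]*)>"
)

def parse_entries(text):
    """Parse magicspam-plesk lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            d = m.groupdict()
            d["mua"] = d["mua"] == "1"   # True = authenticated or trusted network
            entries.append(d)
    return entries

def trusted_sender_summary(entries, min_distinct_senders=2):
    """For each IP passed as HAM with mua=1, count messages and distinct envelope
    senders. One IP rotating through unrelated from-addresses (the pattern in the
    thread) is the IP to look up in the server's SMTP-AUTH log for those times.
    The threshold of 2 distinct senders is an assumed, tunable heuristic."""
    per_ip = defaultdict(lambda: {"messages": 0, "senders": set()})
    for e in entries:
        if e["verdict"] == "HAM" and e["mua"]:
            per_ip[e["ip"]]["messages"] += 1
            per_ip[e["ip"]]["senders"].add(e["from"])
    return {ip: {"messages": s["messages"],
                 "distinct_senders": len(s["senders"]),
                 "suspicious": len(s["senders"]) >= min_distinct_senders}
            for ip, s in per_ip.items()}

def untrusted_ham(entries):
    """HAM entries accepted without MUA trust: if the local rcpt does not exist,
    the server bounces to the (possibly forged) sender, i.e. backscatter."""
    return [e for e in entries if e["verdict"] == "HAM" and not e["mua"]]
```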
