Weird Bounce spam attack
Posted: Tue Apr 06, 2010 9:44 am
Hi, I have been using MagicSpam on my server for more than 6 months with no problems, but today something like a bounced-email attack started. I checked the logs and found this:
2010-04-06 11:09:34 magicspam-plesk[17386]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<ztwabstraction@xxxxxxxxxxxx>,rcpt=<dakota.kid@hotmail.com>
2010-04-06 11:09:34 magicspam-plesk[17388]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<axidiot@xxxxxxxxxxxxxx>,rcpt=<jasweet09@aol.com>
2010-04-06 11:09:34 magicspam-plesk[17397]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<aulyricist@xxxxxxxxxxxxxxxxxxx>,rcpt=<yashiscon2003@yahoo.com>
But I don't have that IP, 190.254.211.55, on any exemption list or whitelist or anything, and the headers of the emails are something like:
Example Header:
Received: (qmail 30164 invoked from network); 6 Apr 2010 11:33:45 -0500
Received: from unknown (HELO 190.254.211.55) (190.254.211.55)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:33:45 -0500
Message-ID: <001101cad57d$90e73420$06aaf82c@MATILDE>
From: "Jody Herra" <jgbusy@xxxxxxxxxxxxxxxxx>
To: "Hamdu Nashallah" <gfghj@hoyod.com>
Subject: Can~We-MeetTo_Share-More_Photos_AndGet-Hooked?
Date: Tue, 6 Apr 2010 11:37:41 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1409
______________________________________________
or this: 187.107.68.240
Apr 6 11:30:55 mail magicspam-plesk[28561]: HAM: mua=0,ip=[187.107.68.240:bb6b44f0.virtua.com.br],helo=<virtua.com.br>,from=<ekyto5916@virtua.com.br>,rcpt=<agon@xxxxxxxxxxxxxxxxxx>
Hi. This is the qmail-send program at mail.xxxxxxxxxxxxxxxxxx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<agon@xxxxxxxxxxxxxxxxx>:
This address no longer accepts mail.
--- Below this line is a copy of the message.
Return-Path: <ekyto5916@virtua.com.br>
Received: (qmail 28639 invoked from network); 6 Apr 2010 11:30:59 -0500
Received: from bb6b44f0.virtua.com.br (HELO virtua.com.br) (187.107.68.240)
by 192.168.200.11 with SMTP; 6 Apr 2010 11:30:57 -0500
From: "Pfizer's Authorized Store Online" <ekyto5916@virtua.com.br>
To: agon@xxxxxxxxxxxxxxxxxxx
Subject: Sale time, agon, Save 80% right now Uxezu
______________________________________________
Maybe somebody can help me resolve this; any help is very appreciated.
Regards.
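Added example, not part of the original post: a small parser for the magicspam-plesk log line format quoted above that groups accepted (HAM) connections per client IP and flags the pattern the poster is seeing (a HAM verdict from a host whose HELO is a bare IP literal and whose reverse DNS is null). The sample lines are constructed from the post with masked domains replaced by `example.invalid`, the `mua` field is carried through without interpretation because the post does not define it, and the flagging heuristic is my own, not MagicSpam's logic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two magicspam-plesk line shapes in the post
# (ISO-dated and syslog-dated); masked domains replaced with example.invalid.
SAMPLE_LOG = """\
2010-04-06 11:09:34 magicspam-plesk[17386]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<ztwabstraction@example.invalid>,rcpt=<dakota.kid@hotmail.com>
2010-04-06 11:09:34 magicspam-plesk[17388]: HAM: mua=1,ip=[190.254.211.55:(null)],helo=<190.254.211.55>,from=<axidiot@example.invalid>,rcpt=<jasweet09@aol.com>
Apr 6 11:30:55 mail magicspam-plesk[28561]: HAM: mua=0,ip=[187.107.68.240:bb6b44f0.virtua.com.br],helo=<virtua.com.br>,from=<ekyto5916@virtua.com.br>,rcpt=<agon@example.invalid>
Apr 6 11:31:02 mail magicspam-plesk[28570]: HAM: mua=0,ip=[203.0.113.9:mx.legit.example],helo=<mx.legit.example>,from=<bob@legit.example>,rcpt=<alice@example.invalid>
"""

LINE_RE = re.compile(
    r"magicspam-plesk\[\d+\]: (?P<verdict>\w+): mua=(?P<mua>\d),"
    r"ip=\[(?P<ip>[^:\]]+):(?P<rdns>[^\]]*)\],helo=<(?P<helo>[^>]*)>,"
    r"from=<(?P<mfrom>[^>]*)>,rcpt=<(?P<rcpt>[^>]*)>"
)

def parse_line(line):
    """Return the fields of one magicspam-plesk log line as a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["mua"] = int(rec["mua"])
    return rec

def is_suspicious(rec):
    """Heuristic (my assumption, not MagicSpam's logic): an accepted client that
    HELOs as a bare IP literal and has no reverse DNS looks like a bot, not a
    legitimate mail user agent or MTA."""
    return (rec["verdict"] == "HAM" and rec["helo"] == rec["ip"]
            and rec["rdns"] in ("", "(null)"))

def triage(log_text):
    """Group HAM lines per client IP: {ip: {"count": n, "suspicious": bool, "mua": set}}."""
    out = defaultdict(lambda: {"count": 0, "suspicious": False, "mua": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "HAM":
            continue
        entry = out[rec["ip"]]
        entry["count"] += 1
        entry["mua"].add(rec["mua"])
        entry["suspicious"] = entry["suspicious"] or is_suspicious(rec)
    return dict(out)

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
```

Running it over a real log (for example `triage(open("/var/log/maillog").read())`, path assumed) gives a per-IP view of what was accepted as HAM, which is the first thing to check before asking why a given client was not scanned.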