
Thread: Attack from MAILER-DAEMON secureserver.net

  1. #11

    I've changed server info.. The bounce backs are always the same, with some other domains unknown info@ address at the bottom.. and with spam attached. Thanks for your help...


    Received: from mail.mymailserver.ca (LHLO mail.mymailserver.ca)
    (10.10.10.10) by mail.mymailserver.ca with LMTP; Mon, 9 May 2011
    09:33:34 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mymailserver.ca (Postfix) with ESMTP id 5025A9F000D;
    Mon, 9 May 2011 09:33:34 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at mail.mymailserver.ca
    X-Spam-Flag: NO
    X-Spam-Score: -1.476
    X-Spam-Level:
    X-Spam-Status: No, score=-1.476 tagged_above=-10 required=5
    tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_GREY=0.424]
    autolearn=no
    Received: from mail.mymailserver.ca ([127.0.0.1])
    by localhost (mail.mymailserver.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id mUzyhxaeF2JI; Mon, 9 May 2011 09:33:30 -0400 (EDT)
    Received: from smtpauth02.prod.mesa1.secureserver.net (smtpauth02.prod.mesa1.secureserver.net [64.202.165.182])
    by mail.mymailserver.ca (Postfix) with SMTP id 63B309F000B
    for <info@mysecondarydomain.com>; Mon, 9 May 2011 09:33:30 -0400 (EDT)
    Received: (qmail 13666 invoked for bounce); 9 May 2011 13:33:29 -0000
    Date: 9 May 2011 13:33:29 -0000
    From: MAILER-DAEMON@smtpauth02.prod.mesa1.secureserver.net
    To: info@mysecondarydomain.com
    Subject: failure notice
    Message-Id: <20110509133330.63B309F000B@mail.mymailserver.ca >

    Hi. This is the qmail-send program at smtpauth02.prod.mesa1.secureserver.net.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <gop3588@comcast.net>:
    76.96.62.116 does not like recipient.
    Remote host said: 550 5.1.1 <gop3588@comcast.net> Account not available
    Giving up on 76.96.62.116.

    --- Below this line is a copy of the message.

    Return-Path: <info@mysecondarydomain.com>
    Received: (qmail 13615 invoked from network); 9 May 2011 13:33:29 -0000
    Received: from unknown (118.160.153.225)
    by smtpauth02.prod.mesa1.secureserver.net (64.202.165.182) with ESMTP; 09 May 2011 13:33:28 -0000
    From: "Kevin" <info@grijzemassa.be>
    To: "gop3588" <gop3588@comcast.net>
    Subject: ** Grab 16000 woodworking plans inside...
    Date: Mon, 9 May 2011 21:33:18 +0000
    Organization: Kevin
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0000_01C6527E.AE8904D0
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: 8bit

    ------------------------------------------
    Woodworking friends will appreciate you
    when you send this good news to them.

    Mike
    VCP3 & VCP4

  2. #12

    I'm still getting 100+ of these a day.. There must be a way I can stop these.. I guess I will have to resort to putting secureserver.net in hosts deny file? Maybe that would work? There must be a way I can completely block this type of attack completely... Was the header information helpful?

  3. #13

    Anyone? How can I stop this backscatter Attack

    Anyone??? Surely I can't be the only one experiencing this type of attack?


    How can I be sure that the change I made was done correctly... In another location I can see a

    /opt/zimbra/postfix/conf/header_checks

    file that is blank. Should this be the right location to put in these types of checks?

  4. #14
    phoenix, Zimbra Consultant & Moderator

    Originally posted by Mike From Markham:
    "Anyone??? Surely I can't be the only one experiencing this type of attack?"

    Have you tried some of the solutions mentioned in the forums, or even the Postfix page on the subject: Postfix Backscatter Howto?
    Regards


    Bill



  5. #15

    Hi Phoenix,

    I have, but I got some weird error about pcre not supported, so I thought this did not necessarily apply.. I was following the section but I guess I need to somehow use regexp tables instead..

    /etc/postfix/main.cf:
        header_checks = pcre:/etc/postfix/header_checks
        body_checks = pcre:/etc/postfix/body_checks

    /etc/postfix/header_checks:
        /^(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2

    /etc/postfix/body_checks:
        /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2


    I just can't believe there is not a quick way to block from<> secureserver.net completely as this is the only backscatter I am getting (every 10 min now) from them.... GRrrrrrrrrr
    Last edited by Mike From Markham; 05-14-2011 at 09:13 AM.
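
An added example, not part of any post in this thread: a triage script that applies the shape of the body_checks rule from post #15 to a bounce like the one in post #11, then checks whether the returned copy ever passed through the receiving server. The names `classify_bounce` and `body_check_pattern` are hypothetical, the sample is abridged from post #11, and it assumes qmail-style bounces and a server that stamps its own Received header on everything it sends.

```python
import re
from email import message_from_string

# Constructed sample: abridged from the bounce quoted in post #11.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@smtpauth02.prod.mesa1.secureserver.net
To: info@mysecondarydomain.com
Subject: failure notice

Hi. This is the qmail-send program at smtpauth02.prod.mesa1.secureserver.net.

<gop3588@comcast.net>:
Remote host said: 550 5.1.1 <gop3588@comcast.net> Account not available

--- Below this line is a copy of the message.

Return-Path: <info@mysecondarydomain.com>
Received: (qmail 13615 invoked from network); 9 May 2011 13:33:29 -0000
Received: from unknown (118.160.153.225)
  by smtpauth02.prod.mesa1.secureserver.net (64.202.165.182) with ESMTP; 09 May 2011 13:33:28 -0000
From: "Kevin" <info@grijzemassa.be>
Subject: ** Grab 16000 woodworking plans inside...

Woodworking friends will appreciate you
"""

QMAIL_MARKER = "--- Below this line is a copy of the message."

def body_check_pattern(address):
    # Same shape as the body_checks rule in post #15, with user@domain.tld filled in.
    return re.compile(r"^[> ]*(From|Return-Path):.*\b(%s)\b" % re.escape(address), re.M)

def classify_bounce(raw, our_address, our_host):
    """Label a bounce by whether the returned copy names us and came through us."""
    body = message_from_string(raw).get_payload()
    if QMAIL_MARKER not in body:
        return "no-embedded-copy"
    original = message_from_string(body.split(QMAIL_MARKER, 1)[1].lstrip("\n"))
    claims_us = bool(body_check_pattern(our_address).search(body))
    # Assumption: mail we really sent carries a Received hop naming our host.
    via_us = any(our_host in hop for hop in original.get_all("Received", []))
    if claims_us and not via_us:
        return "backscatter"      # our address was forged; the spam never touched us
    if claims_us and via_us:
        return "genuine-bounce"   # we did send it; this bounce should be delivered
    return "unrelated"
```

For the sample, the only hop in the returned copy is 118.160.153.225 handing the message straight to secureserver.net, so the bounce is classified as backscatter even though the Return-Path carries the local address.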
