
Thread: Attack from MAILER-DEAMON secureserver.net


    Looking for some ideas here... having a rather large attack with forged bounce messages coming from

    p3plsmtpa01-07.prod.phx3.secureserver.net[72.167.82.87]
    p3plsmtpa01-08.prod.phx3.secureserver.net[72.167.82.88]

    and about 15 others, all from *.secureserver.net. I believe these are owned by GoDaddy.

    This suddenly started happening about 4 days ago; previously I have not had any issues like this. I think I have done some good tweaks to help protect in general against spam, but these are relentless, coming in every 10 mins or so... quite annoying.

    I am looking for a quick way to put a stop to this, even if it means completely blocking all connections from *.secureserver.net at the Postfix level. My old backscatter rule for TO:/FROM: spoofed as the same address of course has no effect on this. I have also implemented a backscatter checking service, which seems to help catch about 25% of these.

    /opt/zimbra/conf/postfix_recipient_restrictions.cf

    reject_non_fqdn_recipient
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    check_sender_access hash:/opt/zimbra/conf/spoofprotection
    check_sender_access hash:/opt/zimbra/conf/check_backscatter
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    permit


    zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net


    /opt/zimbra/conf/spoofprotection

    # domainxyz.com REJECT we never email pretending to be ourself from outside so go away!

    /opt/zimbra/conf/checkbackscatter
    <> reject_rbl_client ips.backscatterer.org
    postmaster reject_rbl_client ips.backscatterer.org


    I have also had a look at the Postfix Backscatter Howto.

    But this looks like some pretty big changes to a production system, and I'm looking for any quick, innovative suggestions on how I might stop these secureserver.net attacks once and for all.


    Here's the header information from one of the emails:

    Received: from mail.mymailserver.ca (LHLO mail.mymailserver.ca)
    (123.213.123.213) by mail.mymailserver.ca with LMTP; Sun, 24 Apr 2011
    22:05:05 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mymailserver.ca (Postfix) with ESMTP id 3EF369F000B;
    Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at mail.mymailserver.ca
    X-Spam-Flag: NO
    X-Spam-Score: -1.9
    X-Spam-Level:
    X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
    tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
    Received: from mail.mymailserver.ca ([127.0.0.1])
    by localhost (mail.mymailserver.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id BNdY9Gmwc7Ul; Sun, 24 Apr 2011 22:04:51 -0400 (EDT)
    Received: from p3plsmtpa07-03.prod.phx3.secureserver.net (p3plsmtpa07-03.prod.phx3.secureserver.net [173.201.192.232])
    by mail.mymailserver.ca (Postfix) with SMTP id BCD749F0009
    for <info@domainxyz.com>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
    Received: (qmail 29881 invoked for bounce); 25 Apr 2011 02:04:39 -0000
    Date: 25 Apr 2011 02:04:39 -0000
    From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
    To: info@domainxyz.com
    Subject: failure notice
    Message-Id: <20110425020450.BCD749F0009@mail.mymailserver.ca>

    Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.

    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <smboyas@srgdance.com>:
    Sorry, I couldn't find any host named srgdance.com. (#5.1.2)

    --- Below this line is a copy of the message.

    Return-Path: <info@domainxyz.com>
    Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
    Received: from unknown (118.160.146.125)
    by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
    From: "Easter" <info@christinegilmore.com>
    To: "smboyas" <smboyas@srgdance.com>
    Subject: Fwd: so annoying (easter video)
    Date: Mon, 25 Apr 2011 10:02:48 +0000
    Organization: Easter
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0000_01C6527E.AE8904D0
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: 8bit

    If you wish stop receiving these notification... you can unsubscribe here at any time.
    ---
    Hey,
    This guys is so obnoxious...
    Loading...
    ----
    Honestly, the guy's voice really annoys me.
    Especially when he LAUGHS at 'newbies'...
    BUT.
    At the end of the video he gives you a great
    lesson and a great 'app' that you can use TODAY
    to make money online (and it's 100% verified).
    So...
    Watch this and follow the 4 steps to
    make your first sale online by copying
    and pasting exactly what he says...
    >> Loading...
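Added example, not code from the post, from Zimbra or from Postfix: a small Python classifier that applies the test the Postfix Backscatter Howto is built around, namely that a genuine bounce for mail we sent must carry, in the returned copy, a Received: line showing the message passing through our own MTA. The bounce quoted above fails that test: its copy was injected at secureserver.net from 118.160.146.125, with our address present only in Return-Path. `OUR_HOSTNAMES` and `OUR_IPS` are the post's anonymised placeholders; `mx.example.net` and both sample messages are constructed for this example (the first abridged from the quoted bounce).

```python
"""Separate real bounces from forged backscatter by inspecting the returned copy.
Added example, not code from the post, Zimbra or Postfix; site values are the post's placeholders."""
import re
from email import message_from_string
from email.message import Message
from email.parser import HeaderParser
from email.utils import parseaddr

OUR_HOSTNAMES = {"mail.mymailserver.ca"}  # assumed: the post's anonymised MTA name
OUR_IPS = {"123.213.123.213"}             # assumed: its IP, as in the post's outer Received: line
QMAIL_DELIM = b"--- Below this line is a copy of the message."
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DAEMONS = {"mailer-daemon", "postmaster"}

def returned_copy(msg: Message):
    """The returned original: an RFC 3464 message/rfc822 part, or the plain-text copy
    qmail appends after its delimiter line (the format of the bounce quoted in the post)."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) else message_from_string(str(inner))
    body = b"" if msg.is_multipart() else msg.get_payload(decode=True)
    if QMAIL_DELIM in body:
        copy = body.split(QMAIL_DELIM, 1)[1].decode("utf-8", "replace").lstrip("\r\n")
        return HeaderParser().parsestr(copy)
    return None

def passed_through_us(copy: Message) -> bool:
    """Does any Received: line of the copy show our MTA as 'from'/'by' host, or our IP?
    A genuine bounce for our mail cannot lack this; forged ones have it only if faked."""
    for rcvd in copy.get_all("Received", []):
        flat = " ".join(str(rcvd).split()).lower()
        if any(re.search(rf"\b(?:from|by)\s+{re.escape(h)}\b", flat) for h in OUR_HOSTNAMES):
            return True
        if OUR_IPS & set(IPV4.findall(flat)):
            return True
    return False

def origin_ip(raw: str):
    """IP in the from-clause of the copy's earliest Received: line: the host that really
    injected the spam (the bouncing MTA, here GoDaddy's, is only the messenger)."""
    copy = returned_copy(message_from_string(raw))
    for rcvd in reversed(copy.get_all("Received", []) if copy else []):
        m = re.search(r"\bfrom\s+(.*?)\s+by\s", " ".join(str(rcvd).split()), re.I)
        ip = IPV4.search(m.group(1)) if m else None
        if ip:
            return ip.group(0)
    return None

def classify(raw: str):
    """(verdict, reason) for a raw message delivered to one of our mailboxes."""
    msg = message_from_string(raw)
    daemon = parseaddr(msg.get("From", ""))[1].split("@")[0].lower() in DAEMONS
    if not daemon and msg.get_content_type() != "multipart/report":
        return "not-a-bounce", "From: is not a mailer daemon and body is not multipart/report"
    copy = returned_copy(msg)
    if copy is None:
        return "suspicious", "bounce carries no returned copy, so nothing proves we sent it"
    if passed_through_us(copy):
        return "legitimate", "returned copy shows the original passing through our MTA"
    return "forged", "returned copy never passed through our MTA; reject or report, do not bounce"

# Constructed sample, abridged from the qmail bounce quoted in the post.
BACKSCATTER = """\
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net

Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.

--- Below this line is a copy of the message.

Return-Path: <info@domainxyz.com>
Received: from unknown (118.160.146.125)
 by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
From: "Easter" <info@christinegilmore.com>
"""

# Constructed sample: an RFC 3464 bounce for mail that really left our MTA (mx.example.net is hypothetical).
LEGIT = """\
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

<nobody@example.net>: user unknown
--B1
Content-Type: message/rfc822

Return-Path: <info@domainxyz.com>
Received: from mail.mymailserver.ca (mail.mymailserver.ca [123.213.123.213])
 by mx.example.net (Postfix) with ESMTP id 0123ABCD; Mon, 25 Apr 2011 09:00:00 -0400 (EDT)
--B1--
"""

if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER), ("legit", LEGIT)):
        print(name, classify(raw), "injected by", origin_ip(raw))
```

Run stand-alone it reports the quoted bounce as forged and the constructed one as legitimate, and `origin_ip` pulls out the host that actually injected the spam, which is the thing worth reporting or blocking rather than GoDaddy's outbound relays. Two caveats a practitioner should keep in mind: a spammer can forge a Received: line naming your MTA, so the Backscatter Howto's stronger form also checks that the queue ID in such a line has your server's format (and your mail log is the final arbiter of whether you sent it); and blocking *.secureserver.net wholesale would also drop real bounces and ordinary mail from every GoDaddy-hosted sender, which is why the howto keys on the null envelope sender (`<>`) and on Received: lines that claim your hostname, not on who did the bouncing.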
