
Thread: Attack from MAILER-DAEMON


    Looking for some ideas here.... having a rather large attack with forged bounced msgs coming from [][]

    and about 15 others all from * I believe these are owned by GoDaddy.

    This suddenly started happening about 4 days ago; previously I have not had any issues like this. I think I have done some good tweaks to help protect in general against spam, but these are relentless, coming in every 10 mins or so.... quite annoying.

    I am looking for a quick way to put a stop to this, even if it means completely blocking all connections from * at postfix level. My old backscatter rule for TO: FROM: spoofed as same address of course has no effect on this. I have also implemented backscatter checking service which seems to help catch about 25% of these.


    check_sender_access hash:/opt/zimbra/conf/spoofprotection
    check_sender_access hash:/opt/zimbra/conf/check_backscatter
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%

    zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client
    zimbraMtaRestriction: reject_rbl_client


    # REJECT we never email pretending to be ourself from outside so go away!

    <> reject_rbl_client
    postmaster reject_rbl_client

    I have also had a look at Postfix Backscatter Howto.

    But this looks like some pretty big changes to a production system and I'm looking for any quick innovative suggestions on how I might stop these attacks once and for all.

    Here's header information from one of the emails:

    Received: from (LHLO
    ( by with LMTP; Sun, 24 Apr 2011
    22:05:05 -0400 (EDT)
    Received: from localhost (localhost.localdomain [])
    by (Postfix) with ESMTP id 3EF369F000B;
    Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: NO
    X-Spam-Score: -1.9
    X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
    tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
    Received: from ([])
    by localhost ( []) (amavisd-new, port 10024)
    with ESMTP id BNdY9Gmwc7Ul; Sun, 24 Apr 2011 22:04:51 -0400 (EDT)
    Received: from ( [])
    by (Postfix) with SMTP id BCD749F0009
    for <>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
    Received: (qmail 29881 invoked for bounce); 25 Apr 2011 02:04:39 -0000
    Date: 25 Apr 2011 02:04:39 -0000
    Subject: failure notice
    Message-Id: < >

    Hi. This is the qmail-send program at

    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    Sorry, I couldn't find any host named (#5.1.2)

    --- Below this line is a copy of the message.

    Return-Path: <>
    Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
    Received: from unknown (
    by ( with ESMTP; 25 Apr 2011 02:04:39 -0000
    From: "Easter" <>
    To: "smboyas" <>
    Subject: Fwd: so annoying (easter video)
    Date: Mon, 25 Apr 2011 10:02:48 +0000
    Organization: Easter
    MIME-Version: 1.0
    Content-Type: multipart/alternative;

    This is a multi-part message in MIME format.

    Content-Type: text/plain;
    Content-Transfer-Encoding: 8bit

    If you wish stop receiving these notification... you can unsubscribe here at any time.
    This guys is so obnoxious...
    Honestly, the guy's voice really annoys me.
    Especially when he LAUGHS at 'newbies'...
    At the end of the video he gives you a great
    lesson and a great 'app' that you can use TODAY
    to make money online (and it's 100% verified).
    Watch this and follow the 4 steps to
    make your first sale online by copying
    and pasting exactly what he says...
    >> Loading...
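
One way to triage the bounces described in the post above, added here as an example (not code from the poster, Zimbra or Postfix): parse the qmail-send bounce format shown in the headers, pull out the quoted original, and flag it as backscatter when none of its Received hops was added by your own MTA. The host names, addresses and sample messages are constructed assumptions.

```python
import email
import re

QMAIL_MARKER = "--- Below this line is a copy of the message."
# Assumption: hypothetical names of the hosts that relay our outbound mail.
OUR_MTA_HOSTS = {"mail.example.com"}
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def embedded_original(raw_bounce):
    """Return the original message quoted by a qmail-send bounce, or None."""
    body = email.message_from_string(raw_bounce).get_payload()
    if not isinstance(body, str) or QMAIL_MARKER not in body:
        return None
    quoted = body.split(QMAIL_MARKER, 1)[1].lstrip("\r\n")
    return email.message_from_string(quoted)


def classify(raw_bounce):
    """Label a bounce; mail we really sent carries a hop added by our MTA."""
    original = embedded_original(raw_bounce)
    if original is None:
        return "not-a-qmail-bounce"
    hops = {h.lower().rstrip(".")
            for received in original.get_all("Received", [])
            for h in BY_HOST.findall(received)}
    return "passed-our-mta" if hops & OUR_MTA_HOSTS else "backscatter"


def sample_bounce(original_headers):
    """Build a constructed qmail-style bounce (test data, not real traffic)."""
    return ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.remote.example\n"
            "To: user@example.com\nSubject: failure notice\n\n"
            "Hi. This is the qmail-send program at mx.remote.example.\n"
            "Sorry, I couldn't find any host named nowhere.invalid. (#5.1.2)\n\n"
            + QMAIL_MARKER + "\n\n" + original_headers + "\nbody text\n")

FORGED = sample_bounce(
    "Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000\n"
    "Received: from unknown (HELO pc.invalid) (192.0.2.7)\n"
    "  by mx.remote.example with ESMTP; 25 Apr 2011 02:04:39 -0000\n"
    "From: user@example.com\nSubject: Fwd: hello\n")
GENUINE = sample_bounce(
    "Received: from mail.example.com (mail.example.com [198.51.100.5])\n"
    "  by mx.remote.example with ESMTP; 25 Apr 2011 02:04:39 -0000\n"
    "Received: from desk (desk.example.com [10.0.0.9])\n"
    "  by mail.example.com (Postfix) with ESMTP id ABC123; 25 Apr 2011\n"
    "From: user@example.com\nSubject: report\n")

print(classify(FORGED), classify(GENUINE))
```

A Received line naming your host can itself be forged, so confirm a "passed-our-mta" result against the queue ID in your own mail log before trusting it.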