HapplessUser

Multiple IP addresses connecting claiming to be lloydstsb.co.uk. Virus? Botnet? Other distributed attack?


I was looking through my mail logs this morning and got the not-so-bright idea to maybe start blocking connections from servers that are logging a lot of "user unknown" connections.

I quickly realized that this was probably going to be a waste of time because most of the connections were unique with only a few repeat offenders. I also noticed a bunch of connections with helo=lloydstsb.co.uk, but all the connections were from different IP addresses. Any idea what the story might be there? I could just block that domain, but what if one of our users actually communicates with that company?

Here are the lines from our log file:

Feb  9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 02:50:46 from 24-178-98-254.static.stbr.ga.charter.com[24.178.98.254]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.u>
Feb  9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>
Feb  9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=86.188.155.194; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:03:14 from pa.sa.net.ua[194.6.231.209]: 554 5.7.1 Service unavailable; Client host [194.6.231.209] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=194.6.231.209; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:48 from host198-232-static.15-188-b.business.telecomitalia.it[188.15.232.198]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:57 from unknown[116.12.202.73]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:05:01 from unknown[112.196.41.58]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:06:07 from mail.dauvister.com[213.177.69.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:47 from unknown[195.171.105.130]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:55 from unknown[212.156.146.22]: 554 5.7.1 Service unavailable; Client host [212.156.146.22] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.156.146.22; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:12 from unknown[187.210.33.90]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:15 from 2.182.0.109.rev.sfr.net[109.0.182.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:10 from unknown[96.88.1.69]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:41 from unknown[118.102.226.227]: 554 5.7.1 Service unavailable; Client host [118.102.226.227] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=118.102.226.227; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:38 from unknown[151.237.217.130]: 554 5.7.1 Service unavailable; Client host [151.237.217.130] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=151.237.217.130; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:39 from unknown[74.5.197.214]: 554 5.7.1 Service unavailable; Client host [74.5.197.214] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=74.5.197.214; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:14:11 from unknown[64.18.65.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:15:01 from unknown[2.122.127.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:19:01 from 7.81.114.89.rev.vodafone.pt[89.114.81.7]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:20:11 from 149-96-241-84.static.cable.fcom.ch[84.241.96.149]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 04:34:12 from mail.degem.com[212.143.222.99]: 554 5.7.1 Service unavailable; Client host [212.143.222.99] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.143.222.99; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>


The HELO information is not a reliable indicator of the true origin of an email. As is the case with "From:" headers, the HELO information is easily forged by malware and rogues. Rather than reject outright for one particular host, you might want to look into how credible the HELO info is when compared with, for example, the rDNS, and use that as part of your decision to reject or accept mail.

Edited by lisati


An afterthought (it's hard to focus on providing a useful answer when the lady of the house wants to talk about the weekly trip to the supermarket). The documentation for Postfix has a section on blocking backscatter with forged server details that might be easier to adapt to something useful here. For more information, see http://www.postfix.org/BACKSCATTER_README.html#forged_helo

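As an added example (not lisati's or Postfix's own code), this Python script applies the HELO-versus-rDNS credibility check suggested above to the log format HapplessUser posted: it parses the reject lines, groups client IPs by the HELO name they presented, and reports HELO names that many unrelated clients claim but no client's rDNS supports. The sample log, the `min_ips` threshold and the short suffix list are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's Postfix reject lines (the last one is invented: its rDNS matches its HELO).
SAMPLE_LOG = """\
Feb  9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:06:07 from mail.dauvister.com[213.177.69.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>
Feb  9 03:20:00 from mail.example.net[192.0.2.10]: 550 5.1.1 <nobody[at]mydomain.com>: Recipient address rejected: User unknown; from=<bob[at]example.net> helo=<mail.example.net>
"""
# "from <rdns>[<ip>]: ... helo=<name>"; the '<' is optional because one line in the thread lacks it.
LINE_RE = re.compile(r"from (?P<rdns>\S+?)\[(?P<ip>[0-9.]+)\]:.*?helo=<?(?P<helo>[^>\s]+)")
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}  # short stand-in for a public-suffix list (assumption)

def registrable_domain(host):
    """Organisation-level domain of a hostname, e.g. eaton6404.pndsl.co.uk -> pndsl.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_line(line):
    """Client rDNS name, client IP and HELO name from one reject line; None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Group client IPs by HELO name and count how often the client's rDNS backs the HELO claim."""
    summary = defaultdict(lambda: {"ips": set(), "consistent": 0,
                                   "inconsistent": 0, "unknown_rdns": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        entry = summary[rec["helo"]]
        entry["ips"].add(rec["ip"])
        if rec["rdns"] == "unknown":      # Postfix logs 'unknown' when the rDNS lookup fails
            entry["unknown_rdns"] += 1
        elif registrable_domain(rec["rdns"]) == registrable_domain(rec["helo"]):
            entry["consistent"] += 1
        else:
            entry["inconsistent"] += 1
    return dict(summary)

def suspect_helos(summary, min_ips=3):
    """HELO names presented by at least min_ips distinct clients, none of them backed by rDNS."""
    return sorted(h for h, e in summary.items()
                  if len(e["ips"]) >= min_ips and e["consistent"] == 0)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for helo in suspect_helos(report):
        print(helo, "presented by", len(report[helo]["ips"]), "clients, none with matching rDNS")
```

A HELO that shows up on the suspect list is a candidate for closer scrutiny rather than an automatic block, since a legitimate sender for that domain would appear with a consistent rDNS entry and is counted separately.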
