Wulfman, posted December 26, 2013

Today as I opened my mail I was flooded with Undelivered Mail Returned to Sender emails, about 3000 of them. I read a post here from someone back a few years ago about an exploit that sounds like what I am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now I ran an open relay check on my server and it passed clean. Here is a returned email from a random server:

_____________________________________________________________________________
Return-Path: <wulfman[at]wulfman.com>
Received: from localhost (wulfman [127.0.0.1]) by wulfman.com (Postfix) with ESMTP id C6A991FA41 for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com
Received: from wulfman.com ([127.0.0.1]) by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIvQt3AJHznZ for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188]) by wulfman.com (Postfix) with ESMTPA id D18F11FA3F for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
Date: Thu, 26 Dec 2013 1:13:29 +0700
From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>
Organization: gcxn
X-Priority: 3 (Normal)
Message-ID: <1370481270.20131226011329[at]wulfman.com>
To: 25-131-807-2043[at]phone.com
Subject: =?utf-8?Q?=D1=B5=C3=AE=E1=BA=A1=E1=B8=A0=C5=97=E1=BA=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

http://palmedic.org/engineercharitypeterscott/musicnews/zcount.php?uid5520731
________________________________________________________________________________

As you can see, NS29.NAXZA.com [61.19.251.188] is not my IP address. I added the fix that was in the older post but I do not think it has taken care of the problem. I can not find this problem anywhere.

After looking in the mail logs my server is being hit hard with these bounce attempts with the forged headers. I am using the latest version of postfix from debian, which is not the latest from postfix:

postfix mail_version = 2.9.6

I just upgraded 3 days ago via an apt-get update and upgrade. Maybe somebody can help me out on this one, or has just started seeing this behavior on their server today.
petzl, posted December 26, 2013

> Today as I opened my mail I was flooded with Undelivered Mail Returned to Sender emails, about 3000 of them. I read a post here from someone back a few years ago about an exploit that sounds like what I am getting now. http://forum.spamcop.net/forums/index.php?showtopic=10734 Now I ran an open relay check on my server and it passed clean. As you can see, NS29.NAXZA.com [61.19.251.188] is not my IP address. I added the fix that was in the older post but I do not think it has taken care of the problem. I can not find this problem anywhere. After looking in the mail logs my server is being hit hard with these bounce attempts with the forged headers. I am using the latest version of postfix from debian, which is not the latest from postfix: postfix mail_version = 2.9.6. I just upgraded 3 days ago via an apt-get update and upgrade. Maybe somebody can help me out on this one, or has just started seeing this behavior on their server today.

http://www.senderbase.org/senderbase_queri...g=61.19.251.188
Volume Change 16652% ↑

Use the force, Wulfman: open a SpamCop account and report it, or contact
support[at]idc.cattelecom.com
abuse[at]idc.cattelecom.com
http://www.naxza.com/contact_hosting.php

They need to block port 25 outgoing. Looks like a DoS attack.
Wulfman, posted December 26, 2013

> http://www.senderbase.org/senderbase_queri...g=61.19.251.188
> Volume Change 16652% ↑
> Use the force, Wulfman: open a SpamCop account and report it, or contact support[at]idc.cattelecom.com, abuse[at]idc.cattelecom.com, http://www.naxza.com/contact_hosting.php
> They need to block port 25 outgoing. Looks like a DoS attack.

Well, I have 1000s of IPs like that in the mails causing my server to be blacklisted. Am I really sending these, or is this phony and is my server just being blamed? I think it is the bounce problem but I am unsure.
petzl, posted December 26, 2013

> Well, I have 1000s of IPs like that in the mails causing my server to be blacklisted. Am I really sending these, or is this phony and is my server just being blamed? I think it is the bounce problem but I am unsure.

Try reading "Bounces are likely to get your email blocked":
http://forum.spamcop.net/scwik/Bounce

A search on SC Wiki gives http://tinyurl.com/mmlc5zg
Wulfman, posted December 26, 2013

> Try reading "Bounces are likely to get your email blocked": http://forum.spamcop.net/scwik/Bounce
> A search on SC Wiki gives http://tinyurl.com/mmlc5zg

I realize that I will get blocked if my server is sending these, but am I really sending them? I have stopped my mail server till I can resolve this. I am looking at some kind of anti bounce but not sure how to go about it. This seems to be a new exploit for this version of postfix, as I have never had this issue before.
petzl, posted December 26, 2013

> I realize that I will get blocked if my server is sending these, but am I really sending them? I have stopped my mail server till I can resolve this. I am looking at some kind of anti bounce but not sure how to go about it. This seems to be a new exploit for this version of postfix, as I have never had this issue before.

Good luck. Google comes with http://www.postfix.org/BACKSCATTER_README.html
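The Received: headers quoted in the first post record which client handed the message to wulfman.com, and the "with" keyword records how it did so: under RFC 3848 a trailing "A" (ESMTPA, ESMTPSA) means the client completed SMTP AUTH, and Postfix writes that keyword into the header. Reading the bottom-most hop therefore tells you which of two problems you have: forged-sender backscatter for mail that never passed through your server (the case the BACKSCATTER_README linked above is written for), or bounces for mail your server genuinely accepted from a remote client and relayed. The following is an added example written for this thread; it is not code from the posters or from Postfix. It walks the Received: chain of the bounce quoted in the first post (a constructed sample, re-folded onto continuation lines and keeping the forum's "[at]" obfuscation) and classifies the entry hop.

```python
"""Walk the Received: chain of a bounced message and classify how it entered
the reporting server.  Added example, not code from the thread or from Postfix."""
import re
from ipaddress import ip_address, ip_network

# RFC 3848 "with" keywords whose trailing "A" means the client used SMTP AUTH.
AUTHENTICATED_PROTOCOLS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}
# Hops from these networks were generated on the server itself (local pickup,
# content filters such as amavisd-new re-injecting mail, and so on).
DEFAULT_LOCAL_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Constructed sample: the Received: chain from the bounce quoted in the first post,
# re-folded onto continuation lines.  "[at]" is the forum's address obfuscation.
SAMPLE_HEADERS = """\
Return-Path: <wulfman[at]wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
    by wulfman.com (Postfix) with ESMTP id C6A991FA41
    for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com
Received: from wulfman.com ([127.0.0.1])
    by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id TIvQt3AJHznZ
    for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
    by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
    for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>
To: 25-131-807-2043[at]phone.com
"""

# Postfix-style clauses: "from HELO (RDNS [IP])" or "from HELO ([IP])".
_FROM_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)")
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")
_WITH_RE = re.compile(r"\bwith\s+(?P<proto>\S+)")
_ID_RE = re.compile(r"\bid\s+(?P<id>\S+)")


def _first(rx, text, group):
    m = rx.search(text)
    return m.group(group) if m else None


def _is_local(ip, nets):
    if ip.startswith("IPv6:"):          # Postfix writes IPv6 literals as [IPv6:...]
        ip = ip[5:]
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return [(name, value), ...] in header order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                        # blank line ends the header block
        if line[0] in " \t" and fields:  # folded continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(raw, local_nets=None):
    """One dict per Received: header, top (last hop) to bottom (entry hop)."""
    nets = DEFAULT_LOCAL_NETS if local_nets is None else local_nets
    hops = []
    for name, value in parse_headers(raw):
        if name.lower() != "received":
            continue
        m = _FROM_RE.search(value)
        if not m:
            continue                     # e.g. "Received: by host (Postfix, from userid 33)"
        ip = m.group("ip")
        proto = _first(_WITH_RE, value, "proto") or ""
        hops.append({
            "helo": m.group("helo"), "rdns": m.group("rdns"), "ip": ip,
            "by": _first(_BY_RE, value, "by"), "proto": proto,
            "queue_id": _first(_ID_RE, value, "id"),
            "local": _is_local(ip, nets),
            "authenticated": proto.upper() in AUTHENTICATED_PROTOCOLS,
        })
    return hops


def analyze_bounce(raw, local_nets=None):
    """Classify the bottom-most hop: the first server that accepted the message."""
    hops = received_hops(raw, local_nets)
    if not hops:
        return {"verdict": "no-received-headers", "origin": None, "hop_count": 0}
    origin = hops[-1]
    if origin["local"]:
        verdict = "local-origin"             # generated on the box itself
    elif origin["authenticated"]:
        verdict = "authenticated-submission"  # remote client logged in via SMTP AUTH
    else:
        verdict = "unauthenticated-relay"    # remote client relayed without credentials
    return {"verdict": verdict, "origin": origin, "hop_count": len(hops)}


if __name__ == "__main__":
    result = analyze_bounce(SAMPLE_HEADERS)
    o = result["origin"]
    print(f"{result['verdict']}: entry hop {o['ip']} ({o['rdns']}) via {o['proto']}, "
          f"queue id {o['queue_id']}, {result['hop_count']} hops")
```

The three verdicts call for three different remediations: a local origin points at a script or webmail on the host, an authenticated remote submission at a mailbox password that has leaked or been guessed (the matching smtpd log line carries a sasl_username= field that names the account), and an unauthenticated remote client at mynetworks or relay restrictions. Only bounces whose chain never passes through your own server are the forged-sender backscatter that the header_checks in BACKSCATTER_README are designed to reject.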
Wulfman, posted December 26, 2013

> Good luck. Google comes with http://www.postfix.org/BACKSCATTER_README.html

Well, after poring over things I seem to have it fixed. The upgrade to wheezy was not so smooth. Thanks for the heads up on things here.