Multiple ip addresses connecting claiming to be lloydstsb.co.uk, Virus? Botnet? Other distributed attack?


HapplessUser

I was looking through my mail logs this morning and got the not so bright idea to maybe start blocking connections from servers that are logging a lot of "user unknown" connections.

I quickly realized that this was probably going to be a waste of time because most of the connections were unique with only a few repeat offenders. I also noticed a bunch of connections with helo=lloydstsb.co.uk, but all the connections were from different IP addresses. Any idea what the story might be there? I could just block that domain, but what if one of our users actually communicates with that company?

Here are the lines from our log file:

Feb  9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 02:50:46 from 24-178-98-254.static.stbr.ga.charter.com[24.178.98.254]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.u>
Feb  9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>
Feb  9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=86.188.155.194; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:03:14 from pa.sa.net.ua[194.6.231.209]: 554 5.7.1 Service unavailable; Client host [194.6.231.209] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=194.6.231.209; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:48 from host198-232-static.15-188-b.business.telecomitalia.it[188.15.232.198]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:57 from unknown[116.12.202.73]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:05:01 from unknown[112.196.41.58]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:06:07 from mail.dauvister.com[213.177.69.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:47 from unknown[195.171.105.130]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:55 from unknown[212.156.146.22]: 554 5.7.1 Service unavailable; Client host [212.156.146.22] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.156.146.22; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:12 from unknown[187.210.33.90]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:15 from 2.182.0.109.rev.sfr.net[109.0.182.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:10 from unknown[96.88.1.69]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:41 from unknown[118.102.226.227]: 554 5.7.1 Service unavailable; Client host [118.102.226.227] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=118.102.226.227; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:38 from unknown[151.237.217.130]: 554 5.7.1 Service unavailable; Client host [151.237.217.130] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=151.237.217.130; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:39 from unknown[74.5.197.214]: 554 5.7.1 Service unavailable; Client host [74.5.197.214] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=74.5.197.214; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:14:11 from unknown[64.18.65.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:15:01 from unknown[2.122.127.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:19:01 from 7.81.114.89.rev.vodafone.pt[89.114.81.7]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:20:11 from 149-96-241-84.static.cable.fcom.ch[84.241.96.149]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 04:34:12 from mail.degem.com[212.143.222.99]: 554 5.7.1 Service unavailable; Client host [212.143.222.99] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.143.222.99; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>

The HELO information is not a reliable indicator of the true origin of an email. As is the case with "From:" headers, the HELO information is easily forged by malware and rogues. Rather than reject outright for one particular host, you might want to look into how credible the HELO info is when compared with, for example, the rDNS, and use that as part of your decision to reject or accept mail.

Edited by lisati

An afterthought (it's hard to focus on providing a useful answer when the lady of the house wants to talk about the weekly trip to the supermarket). The documentation for Postfix has a section on blocking backscatter with forged server details that might be easier to adapt to something useful here. For more information, see http://www.postfix.org/BACKSCATTER_README.html#forged_helo
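One way to apply lisati's suggestion to the poster's log, as an added example that is not part of either post: it parses Postfix reject lines like the ones above, groups them by HELO name, compares each client's rDNS domain with the HELO domain, and flags a HELO that is presented by several unrelated clients while keeping any client whose rDNS actually agrees out of the block list. The sample log is constructed (addresses changed, and the `mail.lloydstsb.co.uk[192.0.2.10]` and `mx1.example.net` entries are invented for contrast); the registrable-domain logic is a deliberate heuristic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's Postfix rejects (addresses changed; one
# client whose rDNS matches the HELO and one unrelated HELO added for contrast).
SAMPLE_LOG = """\
Feb  9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <u@example.com>: Recipient address rejected: User unknown; from=<u@example.com> helo=<lloydstsb.co.uk>
Feb  9 02:50:46 from 24-178-98-254.static.stbr.ga.charter.com[24.178.98.254]: 550 5.1.1 <u@example.com>: Recipient address rejected: User unknown; from=<u@example.com> helo=<lloydstsb.co.u>
Feb  9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <u@example.com>: Recipient address rejected: User unknown; from=<u@example.com> helo=lloydstsb.co.uk>
Feb  9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; from=<u@example.com> helo=<lloydstsb.co.uk>
Feb  9 03:30:00 from mail.lloydstsb.co.uk[192.0.2.10]: 550 5.1.1 <u@example.com>: Recipient address rejected: User unknown; from=<u@example.com> helo=<lloydstsb.co.uk>
Feb  9 03:31:00 from mx1.example.net[198.51.100.7]: 550 5.1.1 <u@example.com>: Recipient address rejected: User unknown; from=<u@example.com> helo=<mx1.example.net>
"""

# Accepts the malformed forms seen in the thread too: helo=<x>, helo=<x (no '>') and helo=x>.
LINE_RE = re.compile(r"from (?P<rdns>\S+?)\[(?P<ip>[\d.]+)\]:.*?helo=<?(?P<helo>[^>\s]+)>?\s*$")

# Heuristic registrable domain so foo.co.uk != bar.co.uk; use the Public Suffix List in production.
SECOND_LEVEL = {"co", "ac", "org", "gov", "net", "com", "ltd", "plc"}

def base_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def helo_report(log_text):
    """Per HELO name: distinct client IPs, those with no rDNS, and those whose rDNS domain disagrees."""
    stats = defaultdict(lambda: {"ips": set(), "no_rdns": set(), "mismatch": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        helo, rdns, ip = m["helo"].lower(), m["rdns"].lower(), m["ip"]
        e = stats[helo]
        e["ips"].add(ip)
        if rdns == "unknown":
            e["no_rdns"].add(ip)
        elif base_domain(rdns) != base_domain(helo):
            e["mismatch"].add(ip)
    return dict(stats)

def suspicious_helos(stats, min_bad=3):
    """A HELO presented by min_bad or more unrelated clients (no rDNS, or rDNS in another domain)
    fits a botnet with a fixed HELO, not one misconfigured server; consistent clients are kept apart."""
    out = {}
    for helo, e in stats.items():
        bad = e["no_rdns"] | e["mismatch"]
        if len(bad) >= min_bad:
            out[helo] = {"bad": sorted(bad), "ok": sorted(e["ips"] - bad)}
    return out
```

Running `suspicious_helos(helo_report(open("/var/log/mail.log").read()))` over a real Postfix log gives, per flagged HELO, the unrelated client IPs and the rDNS-consistent ones that should not be blocked.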
