Multiple ip addresses connecting claiming to be lloydstsb.co.uk, Virus? Botnet? Other distributed attack?

[HapplessUser]

I was looking through my mail logs this morning and got the not so bright idea to maybe start blocking connections from servers that are logging a lot of "user unknown" connections.

I quickly realized that this was probably going to be a waste of time because most of the connections were unique with only a few repeat offenders. I also noticed a bunch of connections with helo=lloydstsb.co.uk, but all the connections were from different IP addresses. Any idea what the story might be there? I could just block that domain, but what if one of our users actually communicates with that company?

Here are the lines from our log file:

Feb  9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 02:50:46 from 24-178-98-254.static.stbr.ga.charter.com[24.178.98.254]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.u>
Feb  9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>
Feb  9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=86.188.155.194; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:03:14 from pa.sa.net.ua[194.6.231.209]: 554 5.7.1 Service unavailable; Client host [194.6.231.209] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=194.6.231.209; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:48 from host198-232-static.15-188-b.business.telecomitalia.it[188.15.232.198]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:04:57 from unknown[116.12.202.73]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:05:01 from unknown[112.196.41.58]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:06:07 from mail.dauvister.com[213.177.69.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:47 from unknown[195.171.105.130]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:08:55 from unknown[212.156.146.22]: 554 5.7.1 Service unavailable; Client host [212.156.146.22] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.156.146.22; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:12 from unknown[187.210.33.90]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:10:15 from 2.182.0.109.rev.sfr.net[109.0.182.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:10 from unknown[96.88.1.69]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:11:41 from unknown[118.102.226.227]: 554 5.7.1 Service unavailable; Client host [118.102.226.227] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=118.102.226.227; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:38 from unknown[151.237.217.130]: 554 5.7.1 Service unavailable; Client host [151.237.217.130] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=151.237.217.130; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:13:39 from unknown[74.5.197.214]: 554 5.7.1 Service unavailable; Client host [74.5.197.214] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=74.5.197.214; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:14:11 from unknown[64.18.65.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:15:01 from unknown[2.122.127.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:19:01 from 7.81.114.89.rev.vodafone.pt[89.114.81.7]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 03:20:11 from 149-96-241-84.static.cable.fcom.ch[84.241.96.149]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
Feb  9 04:34:12 from mail.degem.com[212.143.222.99]: 554 5.7.1 Service unavailable; Client host [212.143.222.99] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.143.222.99; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>

[lisati]

The HELO information is not a reliable indicator of the true origin of an email. As is the case with "From:" headers, the HELO information is easily forged by malware and rogues. Rather than reject outright for one particular host, you might want to look into how credible the HELO info is when compared with, for example, the rDNS, and use that as part of your decision to reject or accept mail.

[lisati]

An afterthought (it's hard to focus on providing a useful answer when the lady of the house wants to talk about the weekly trip to the supermarket). The documentation for Postfix has a section on blocking backscatter with forged server details that might be easier to adapt to something useful here. For more information, see http://www.postfix.org/BACKSCATTER_README.html#forged_helo

[HapplessUser]

I've already got it set to reject domains that don't exist, but apparently not validating rDNS. I will look into both. Thanks!