Looking for some idea's here....having a rather large attack with forged bounced msgs coming from
and about 15 others all from *.secureserver.net I believe these are owned by Godaddy.
This suddenly started happening about 4 days ago ago previously I have not had any issues like this. I think I have done some good tweaks to help protect in general against spam but thease are relentless coming in every 10 mins or so....quite annoying,.
I am looking for a quick way to put a stop to this even if it means completly blocking all connections from *.secureserver.net. at postfix level My old backscatter rule for TO: FROM: spoofed as same address of cource has no effect on this. I have also implemented backscatter checking service which seems to help catch about 25% of these.
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unixrivate/policy%%
mprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
# domainxyz.com REJECT we never email pretending to be ourself from outside so go away!
<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
I have also had a look at Postfix Backscatter Howto
But this looks like some pretty big changes to a production system and im looking for any quick innovative suggestions on how I might stop these secureserver.net attacks once and for all.
Heres header information from one of the emails
Received: from mail.mymailserver.ca (LHLO mail.mymailserver.ca)
(126.96.36.199) by mail.mymailserver.ca with LMTP; Sun, 24 Apr 2011
22:05:05 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mymailserver.ca (Postfix) with ESMTP id 3EF369F000B;
Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.mymailserver.ca
X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.mymailserver.ca ([127.0.0.1])
by localhost (mail.mymailserver.ca [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id BNdY9Gmwc7Ul; Sun, 24 Apr 2011 22:04:51 -0400 (EDT)
Received: from p3plsmtpa07-03.prod.phx3.secureserver.net (p3plsmtpa07-03.prod.phx3.secureserver.net [188.8.131.52])
by mail.mymailserver.ca (Postfix) with SMTP id BCD749F0009
for <firstname.lastname@example.org>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
Received: (qmail 29881 invoked for bounce); 25 Apr 2011 02:04:39 -0000
Date: 25 Apr 2011 02:04:39 -0000
Subject: failure notice
Message-Id: <20110425020450.BCD749F0009@mail.mymailserver.ca >
Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
Sorry, I couldn't find any host named srgdance.com. (#5.1.2)
--- Below this line is a copy of the message.
Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
Received: from unknown (184.108.40.206)
by p3plsmtpa07-03.prod.phx3.secureserver.net (220.127.116.11) with ESMTP; 25 Apr 2011 02:04:39 -0000
From: "Easter" <email@example.com>
To: "smboyas" <firstname.lastname@example.org>
Subject: Fwd: so annoying (easter video)
Date: Mon, 25 Apr 2011 10:02:48 +0000
This is a multi-part message in MIME format.
If you wish stop receiving these notification... you can unsubscribe here at any time.
This guys is so obnoxious...
Honestly, the guy's voice really annoys me.
Especially when he LAUGHS at 'newbies'...
At the end of the video he gives you a great
lesson and a great 'app' that you can use TODAY
to make money online (and it's 100% verified).
Watch this and follow the 4 steps to
make your first sale online by copying
and pasting exactly what he says...