Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1  04-25-2011, 09:01 AM  Active Member (Posts: 32)

Attack from MAILER-DAEMON secureserver.net

Looking for some ideas here... having a rather large attack with forged bounce messages coming from

p3plsmtpa01-07.prod.phx3.secureserver.net[72.167.82.87]
p3plsmtpa01-08.prod.phx3.secureserver.net[72.167.82.88]

and about 15 others, all from *.secureserver.net. I believe these are owned by GoDaddy.

This suddenly started happening about 4 days ago; previously I have not had any issues like this. I think I have done some good tweaks to help protect in general against spam, but these are relentless, coming in every 10 mins or so... quite annoying.

I am looking for a quick way to put a stop to this, even if it means completely blocking all connections from *.secureserver.net at the Postfix level. My old backscatter rule for TO: and FROM: spoofed as the same address of course has no effect on this. I have also implemented a backscatter checking service, which seems to help catch about 25% of these.

/opt/zimbra/conf/postfix_recipient_restrictions.cf

reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_sender_access hash:/opt/zimbra/conf/spoofprotection
check_sender_access hash:/opt/zimbra/conf/check_backscatter
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
permit


zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net


/opt/zimbra/conf/spoofprotection

# domainxyz.com REJECT we never email pretending to be ourself from outside so go away!

/opt/zimbra/conf/checkbackscatter
<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org


I have also had a look at the Postfix Backscatter Howto, but this looks like some pretty big changes to a production system, and I'm looking for any quick, innovative suggestions on how I might stop these secureserver.net attacks once and for all.


Here's the header information from one of the emails:

Received: from mail.mymailserver.ca (LHLO mail.mymailserver.ca)
(123.213.123.213) by mail.mymailserver.ca with LMTP; Sun, 24 Apr 2011
22:05:05 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mymailserver.ca (Postfix) with ESMTP id 3EF369F000B;
Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.mymailserver.ca
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.mymailserver.ca ([127.0.0.1])
by localhost (mail.mymailserver.ca [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id BNdY9Gmwc7Ul; Sun, 24 Apr 2011 22:04:51 -0400 (EDT)
Received: from p3plsmtpa07-03.prod.phx3.secureserver.net (p3plsmtpa07-03.prod.phx3.secureserver.net [173.201.192.232])
by mail.mymailserver.ca (Postfix) with SMTP id BCD749F0009
for <info@domainxyz.com>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
Received: (qmail 29881 invoked for bounce); 25 Apr 2011 02:04:39 -0000
Date: 25 Apr 2011 02:04:39 -0000
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
To: info@domainxyz.com
Subject: failure notice
Message-Id: <20110425020450.BCD749F0009@mail.mymailserver.ca>

Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.

I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<smboyas@srgdance.com>:
Sorry, I couldn't find any host named srgdance.com. (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: <info@domainxyz.com>
Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
Received: from unknown (118.160.146.125)
by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
From: "Easter" <info@christinegilmore.com>
To: "smboyas" <smboyas@srgdance.com>
Subject: Fwd: so annoying (easter video)
Date: Mon, 25 Apr 2011 10:02:48 +0000
Organization: Easter
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C6527E.AE8904D0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 8bit

If you wish stop receiving these notification... you can unsubscribe here at any time.
---
Hey,
This guys is so obnoxious...
Loading...
----
Honestly, the guy's voice really annoys me.
Especially when he LAUGHS at 'newbies'...
BUT.
At the end of the video he gives you a great
lesson and a great 'app' that you can use TODAY
to make money online (and it's 100% verified).
So...
Watch this and follow the 4 steps to
make your first sale online by copying
and pasting exactly what he says...
>> Loading...
Attached image: backattack.jpg (84.1 KB)
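Added example (mine, not from the original post): the check a practitioner wants before discarding any bounce is whether the "original message" quoted inside the failure notice ever left our own MTA. Backscatter for mail forged in our name carries a Return-Path in our domain, but its Received chain never touches our server. The MTA name, its IP and the domain are the ones visible in the headers above; the bounce texts are constructed samples modelled on the posted one (shortened), not real captures.

```python
import re

# Identity of our own MTA, taken from the headers posted in this thread.
OUR_MTA = "mail.mymailserver.ca"
OUR_MTA_IPS = {"123.213.123.213"}
OUR_DOMAINS = {"domainxyz.com"}

# Constructed sample, modelled on the qmail failure notice posted above (shortened).
QMAIL_BOUNCE = """\
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
To: info@domainxyz.com
Subject: failure notice

Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.

--- Below this line is a copy of the message.

Return-Path: <info@domainxyz.com>
Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
Received: from unknown (118.160.146.125)
  by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
From: "Easter" <info@christinegilmore.com>
To: "smboyas" <smboyas@srgdance.com>

spam body
"""

# Constructed sample: same bounce format, but for a message that really left our MTA.
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
To: info@domainxyz.com
Subject: failure notice

--- Below this line is a copy of the message.

Return-Path: <info@domainxyz.com>
Received: from mail.mymailserver.ca (mail.mymailserver.ca [123.213.123.213])
  by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
Received: from localhost (localhost.localdomain [127.0.0.1])
  by mail.mymailserver.ca (Postfix) with ESMTP id 3EF369F000B; Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
From: "Info" <info@domainxyz.com>
To: <nobody@srgdance.com>

real body
"""

ORDINARY_MAIL = "From: alice@example.org\nTo: info@domainxyz.com\nSubject: hi\n\nbody\n"


def parse_headers(block):
    """(name, value) pairs from a header block; folded continuation lines are joined."""
    headers = []
    for line in block.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def is_bounce(headers):
    h = dict(headers)
    return ("mailer-daemon@" in h.get("from", "").lower()
            or h.get("subject", "").lower() == "failure notice"
            or h.get("content-type", "").lower().startswith("multipart/report"))


def embedded_original(bounce):
    """Header block of the message copied into the bounce, or None if not found."""
    marker = "--- Below this line is a copy of the message."   # qmail style
    idx = bounce.find(marker)
    if idx != -1:
        return bounce[idx + len(marker):].lstrip("\r\n")
    m = re.search(r"content-type:\s*message/rfc822.*?\n\s*\n", bounce, re.I | re.S)  # DSN style
    return bounce[m.end():] if m else None


def is_backscatter(bounce):
    """True when the 'original' quoted in a bounce claims one of our addresses as
    sender but never passed through our MTA: the sender was forged, and the bounce
    is collateral spam aimed at us rather than a real failure notice."""
    if not is_bounce(parse_headers(bounce)):
        return False
    original = embedded_original(bounce)
    if original is None:
        return False                      # nothing to verify; do not discard blindly
    inner = parse_headers(original)
    claimed = next((v for n, v in inner if n in ("return-path", "from")), "")
    m = re.search(r"@([\w.-]+)", claimed)
    if not m or m.group(1).lower() not in OUR_DOMAINS:
        return False                      # not impersonating us; some other bounce
    # The HELO name after "from" is attacker-controlled, so look for our own hop
    # only in the receiving host after "by" or in the bracketed connecting IP.
    for hop in (v.lower() for n, v in inner if n == "received"):
        if re.search(r"\bby\s+" + re.escape(OUR_MTA) + r"\b", hop):
            return False
        if any(f"[{ip}]" in hop for ip in OUR_MTA_IPS):
            return False
    return True
```

The distinction matters because a blanket "discard all bounces" rule also throws away the failure notices your own users need; the forged-origin test above discards only bounces whose quoted original is provably not yours. It runs on the quoted copy that the bouncing MTA chose to include, so a bounce that quotes only the original headers' first few lines, or none at all, is left alone rather than guessed at.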
#2  04-25-2011, 07:22 PM  Active Member (Posts: 32)

Anyone? Any ideas? I need to stop secureserver.net from killing my users with spam.
#3  04-25-2011, 09:25 PM  Special Member (Posts: 149)

You should check whether your server is an open relay. By default a Zimbra install is not an open relay, but if you have made any configuration changes by altering config files, there is a possibility that you have turned your server into an open relay.

Also check your network for viruses/trojans/malware etc.; there is a possibility that one or more clients are infected and sending out mass mails.

Dipesh
#4  04-26-2011, 12:00 AM  Active Member (Posts: 27)

Have you tried blocking the spamming servers with iptables?

# iptables -t filter -A INPUT -p tcp --dport 25 -s spamming.server.ip.address -j DROP

it should help at least until you figure out how to block them directly from Zimbra.


good luck!
#5  04-26-2011, 09:48 AM  Active Member (Posts: 32)

Quote:
Originally Posted by dipeshmehta
You should check whether your server is an open relay. By default a Zimbra install is not an open relay, but if you have made any configuration changes by altering config files, there is a possibility that you have turned your server into an open relay.

Also check your network for viruses/trojans/malware etc.; there is a possibility that one or more clients are infected and sending out mass mails.

Dipesh
Hi, I checked on mxtoolbox and it is not an open relay (nor has it ever been configured as such).

All users are connecting via ZWC, so I'm thinking an infection would be somewhat limited... It seems this is all from backscatter and forged addresses that eventually get bounced back to the 'forged' source, although the attack is quite large.

Is there a quick way I can check any connections/emails sent not through ZWC but via SMTP auth only (there are a few iPhone users)?
#6  04-26-2011, 09:50 AM  Active Member (Posts: 32)

Quote:
Originally Posted by jorge_s
Have you tried blocking the spamming servers with iptables?

# iptables -t filter -A INPUT -p tcp --dport 25 -s spamming.server.ip.address -j DROP

it should help at least until you figure out how to block them directly from Zimbra.


good luck!
This is crude but a great idea... for the short term.

Thanks...

Quick question: if the attack is from hundreds of different server IPs but always from *.secureserver.net, would a wildcard format work?

Apr 26 10:23:01 mail postfix/smtpd[32167]: disconnect from p3plsmtpa01-02.prod.phx3.secureserver.net[72.167.82.82]
Apr 26 12:15:18 mail postfix/smtpd[519]: connect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:15:33 mail postfix/smtpd[519]: 721029F000D: client=p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:15:34 mail postfix/smtpd[519]: disconnect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:23:34 mail postfix/smtpd[11490]: connect from p3plsmtp04-01.prod.phx3.secureserver.net[72.167.218.159]
Apr 26 12:23:34 mail postfix/smtpd[11490]: C01719F0009: client=p3plsmtp04-01.prod.phx3.secureserver.net[72.167.218.1

Last edited by Mike From Markham; 04-26-2011 at 09:53 AM.. Reason: wildcard
#7  04-26-2011, 10:53 AM  Active Member (Posts: 27)

Quote:
Originally Posted by Mike From Markham
This is crude but a great idea... for the short term.

Thanks...

Quick question: if the attack is from hundreds of different server IPs but always from *.secureserver.net, would a wildcard format work?
No, it won't; iptables blocks using IPs, not domains. Blocking by domain would require a reverse DNS lookup prior to blocking, and that would make IP filtering MUCH slower, rendering it almost useless.
That should be the job for a proxy-type application that works at another level, like Zimbra's antispam filters...

Maybe someone else can enlighten us about how to use Zimbra's filters for this.
#8  04-26-2011, 11:31 AM  Moderator (Posts: 1,209)

If you are willing to discard bounce messages in general, you could do something like this:

To reduce this volume of third-party backscatter, we use Postfix header checks on all MTA servers.

To implement, add the following two lines to /opt/zimbra/conf/postfix_header_checks.in after making the file writable by the zimbra user. Don't forget to change the permissions back after editing!

Code:
/^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
/^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs

To implement immediately, run zmmtactl reload and ignore errors like:

Code:
postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781, line 5: record is in "key: value" format; is this an alias file?
postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781, line 6: record is in "key: value" format; is this an alias file?
postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781.db: duplicate entry: "/^content-type:"
Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#9  05-09-2011, 06:24 AM  Active Member (Posts: 32)

Hi Mark,

This did not seem to work... Still get 50+ of these a day.

Here's my header check file:

%%uncomment VAR:zimbraMtaBlockedExtension%%/filename=\"?(.*)\.(%%list VAR:zimbraMtaBlockedExtension |%%)\"?$/
%%uncomment VAR:zimbraMtaBlockedExtension%% REJECT For security reasons we reject attachments of this type
%%uncomment VAR:zimbraMtaBlockedExtension%%/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(%%list VAR:zimbraMtaBlockedExtension |%%))"?\s*$
%%uncomment VAR:zimbraMtaBlockedExtension%% REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
/^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
/^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs


As per the screenshot, I've got 50 of these things just from last night... unless I missed something with the above change.
__________________
Mike
VCP3 & VCP4
#10  05-09-2011, 06:49 AM  Moderator (Posts: 1,209)

Quote:
Originally Posted by Mike From Markham
Hi Mark,

This did not seem to work... Still get 50+ of these a day.

As per the screenshot, I've got 50 of these things just from last night... unless I missed something with the above change.
Sounds like you'll want to update or add your own regular expression to the above header checks to catch these.

Can you post one of the message headers?

Mark
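Added example (mine, not Mark's or Zimbra's code), for the "add your own regular expression" step: a small emulation of how Postfix header_checks applies a regexp table, run against the two kinds of bounce seen in this thread. The qmail failure notice posted in #1 is a plain-text message whose top-level headers carry no `multipart/report` or `message/delivery-status` Content-Type, so the two DSN rules from #8 have no header to match, which is consistent with the result reported in #9. The third rule is my own assumption of what a targeted addition would look like; the DSN headers are a constructed sample in the multipart/report format the first two rules were written for, and the qmail headers are copied from the posted message.

```python
import re

# Mark's two header_checks lines from post #8, verbatim.
MARKS_RULES = r"""
/^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
/^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs
"""

# An added rule (my assumption, not from the thread) aimed at the qmail bounces
# posted above, which carry no delivery-status Content-Type at all.
ADDED_RULE = r"""
/^From: MAILER-DAEMON@[^ ]*\.secureserver\.net$/ DISCARD Backscatter from secureserver.net
"""

# Constructed samples: the qmail headers are the ones posted in this thread, the
# DSN headers follow the multipart/report layout Mark's rules were written for.
QMAIL_BOUNCE = """\
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
To: info@domainxyz.com
Subject: failure notice

Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.
"""

DSN_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: info@domainxyz.com
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="1234ABCD.5678/mx.example.org"
MIME-Version: 1.0

This is a MIME-encapsulated message.
"""

ORDINARY = "From: alice@example.org\nTo: info@domainxyz.com\nSubject: hi\n\nbody\n"

# One regexp_table(5) line: optional "!" negation, /pattern/, optional flags, action, text.
RULE_RE = re.compile(
    r"^\s*(?P<neg>!?)/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def load_rules(table):
    rules = []
    for line in table.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        # Postfix matches case-insensitively unless the 'i' flag toggles that off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((m.group("neg") == "!", re.compile(m.group("pat"), flags),
                      m.group("action").upper(), m.group("text") or ""))
    return rules


def header_lines(message):
    """Top-level logical header lines as Postfix sees them: a folded header is one
    line with its line breaks kept; everything after the first blank line is body."""
    lines = []
    for raw in message.split("\n"):
        if raw.strip() == "":
            break
        if raw[0] in " \t" and lines:
            lines[-1] += "\n" + raw
        else:
            lines.append(raw)
    return lines


def check_headers(message, rules):
    """First (action, text, header) that fires, scanning headers in order and, for
    each header, rules in order, as header_checks does; None if nothing matches."""
    for header in header_lines(message):
        for negate, pattern, action, text in rules:
            if bool(pattern.search(header)) != negate:
                return action, text, header
    return None
```

Postfix compiles these patterns as POSIX extended regular expressions; Python's engine is close enough for patterns of this shape, but test any rule against a real captured message before it goes into postfix_header_checks.in. Two points to keep in mind when writing the targeted rule: a header_checks DISCARD only fires after the whole message has been received, so it saves mailboxes but not bandwidth, unlike a client-level reject at RCPT time; and a rule keyed on `MAILER-DAEMON@*.secureserver.net` also discards genuine failure notices for mail your users send to GoDaddy-hosted recipients.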