
Thread: Attack from MAILER-DEAMON secureserver.net

  1. #1 Mike From Markham (Active Member)

    Attack from MAILER-DEAMON secureserver.net

    Looking for some ideas here... having a rather large attack with forged bounced msgs coming from

    p3plsmtpa01-07.prod.phx3.secureserver.net[72.167.82.87]
    p3plsmtpa01-08.prod.phx3.secureserver.net[72.167.82.88]

    and about 15 others, all from *.secureserver.net. I believe these are owned by GoDaddy.

    This suddenly started happening about 4 days ago; previously I have not had any issues like this. I think I have done some good tweaks to help protect in general against spam, but these are relentless, coming in every 10 mins or so... quite annoying.

    I am looking for a quick way to put a stop to this, even if it means completely blocking all connections from *.secureserver.net at Postfix level. My old backscatter rule for TO:/FROM: spoofed as the same address of course has no effect on this. I have also implemented a backscatter checking service, which seems to help catch about 25% of these.

    /opt/zimbra/conf/postfix_recipient_restrictions.cf

    reject_non_fqdn_recipient
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    check_sender_access hash:/opt/zimbra/conf/spoofprotection
    check_sender_access hash:/opt/zimbra/conf/check_backscatter
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    permit


    zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net


    /opt/zimbra/conf/spoofprotection

    # domainxyz.com REJECT we never email pretending to be ourself from outside so go away!

    /opt/zimbra/conf/checkbackscatter
    <> reject_rbl_client ips.backscatterer.org
    postmaster reject_rbl_client ips.backscatterer.org


    I have also had a look at the Postfix Backscatter Howto.

    But this looks like some pretty big changes to a production system, and I'm looking for any quick, innovative suggestions on how I might stop these secureserver.net attacks once and for all.


    Here's header information from one of the emails:

    Received: from mail.mymailserver.ca (LHLO mail.mymailserver.ca)
    (123.213.123.213) by mail.mymailserver.ca with LMTP; Sun, 24 Apr 2011
    22:05:05 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mymailserver.ca (Postfix) with ESMTP id 3EF369F000B;
    Sun, 24 Apr 2011 22:05:05 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at mail.mymailserver.ca
    X-Spam-Flag: NO
    X-Spam-Score: -1.9
    X-Spam-Level:
    X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
    tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
    Received: from mail.mymailserver.ca ([127.0.0.1])
    by localhost (mail.mymailserver.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id BNdY9Gmwc7Ul; Sun, 24 Apr 2011 22:04:51 -0400 (EDT)
    Received: from p3plsmtpa07-03.prod.phx3.secureserver.net (p3plsmtpa07-03.prod.phx3.secureserver.net [173.201.192.232])
    by mail.mymailserver.ca (Postfix) with SMTP id BCD749F0009
    for <info@domainxyz.com>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
    Received: (qmail 29881 invoked for bounce); 25 Apr 2011 02:04:39 -0000
    Date: 25 Apr 2011 02:04:39 -0000
    From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net
    To: info@domainxyz.com
    Subject: failure notice
    Message-Id: <20110425020450.BCD749F0009@mail.mymailserver.ca >

    Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.

    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <smboyas@srgdance.com>:
    Sorry, I couldn't find any host named srgdance.com. (#5.1.2)

    --- Below this line is a copy of the message.

    Return-Path: <info@domainxyz.com>
    Received: (qmail 29873 invoked from network); 25 Apr 2011 02:04:39 -0000
    Received: from unknown (118.160.146.125)
    by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
    From: "Easter" <info@christinegilmore.com>
    To: "smboyas" <smboyas@srgdance.com>
    Subject: Fwd: so annoying (easter video)
    Date: Mon, 25 Apr 2011 10:02:48 +0000
    Organization: Easter
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0000_01C6527E.AE8904D0
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: 8bit

    If you wish stop receiving these notification... you can unsubscribe here at any time.
    ---
    Hey,
    This guys is so obnoxious...
    ----
    Honestly, the guy's voice really annoys me.
    Especially when he LAUGHS at 'newbies'...
    BUT.
    At the end of the video he gives you a great
    lesson and a great 'app' that you can use TODAY
    to make money online (and it's 100% verified).
    So...
    Watch this and follow the 4 steps to
    make your first sale online by copying
    and pasting exactly what he says...

  2. #2 Mike From Markham (Active Member)

    Anyone?? Any ideas? I need to stop secureserver.net from killing my users with spam...

  3. #3 dipeshmehta (Special Member)

    You should check whether your server is an open relay. By default a Zimbra install is not an open relay, but if you have made any configuration changes by altering config files, there is a possibility that you have turned your server into an open relay.

    Also check your network for viruses/trojans/malware etc.; it is possible that one or more clients are infected and sending out mass mails.

    Dipesh

  4. #4 jorge_s (Active Member)

    Have you tried blocking the spamming servers with iptables?

    # iptables -t filter -A INPUT -p tcp --dport 25 -s spamming.server.ip.address -j DROP

    It should help at least until you figure out how to block them directly from Zimbra.


    Good luck!

  5. #5 Mike From Markham (Active Member)

    Quote Originally Posted by dipeshmehta:
    You should check whether your server is an open relay. By default a Zimbra install is not an open relay, but if you have made any configuration changes by altering config files, there is a possibility that you have turned your server into an open relay.

    Also check your network for viruses/trojans/malware etc.; it is possible that one or more clients are infected and sending out mass mails.

    Dipesh
    Hi, checked on mxtoolbox and it is not an open relay (nor has it ever been configured as such).

    All users are connecting via ZWC, so I'm thinking an infection would be somewhat limited... It seems this is all from backscatter and forged addresses that eventually get bounced back to the 'forged' source, although the attack is quite large.

    Is there a quick way I can check any connections/emails sent not through ZWC but via SMTP auth only (there are a few iPhone users)?

  6. #6 Mike From Markham (Active Member)

    Quote Originally Posted by jorge_s:
    Have you tried blocking the spamming servers with iptables?

    # iptables -t filter -A INPUT -p tcp --dport 25 -s spamming.server.ip.address -j DROP

    It should help at least until you figure out how to block them directly from Zimbra.

    Good luck!
    This is crude but a great idea... for the short term.

    Thanks...

    Quick question: if the attack is from 100's of different server IPs but always from *.secureserver.net, would a wildcard format work?

    Apr 26 10:23:01 mail postfix/smtpd[32167]: disconnect from p3plsmtpa01-02.prod.phx3.secureserver.net[72.167.82.82]
    Apr 26 12:15:18 mail postfix/smtpd[519]: connect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
    Apr 26 12:15:33 mail postfix/smtpd[519]: 721029F000D: client=p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
    Apr 26 12:15:34 mail postfix/smtpd[519]: disconnect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
    Apr 26 12:23:34 mail postfix/smtpd[11490]: connect from p3plsmtp04-01.prod.phx3.secureserver.net[72.167.218.159]
    Apr 26 12:23:34 mail postfix/smtpd[11490]: C01719F0009: client=p3plsmtp04-01.prod.phx3.secureserver.net[72.167.218.1
    Last edited by Mike From Markham; 04-26-2011 at 09:53 AM. Reason: wildcard

  7. #7 jorge_s (Active Member)

    Quote Originally Posted by Mike From Markham:
    This is crude but a great idea... for the short term.

    Thanks...

    Quick question: if the attack is from 100's of different server IPs but always from *.secureserver.net, would a wildcard format work?
    No, it won't; iptables blocks using IPs, not domains. Blocking by domain would require a reverse DNS lookup prior to blocking, and that would make IP filtering MUCH slower, rendering it almost useless.
    That should be the job for a proxy-type application that works at another level, like Zimbra's antispam filters...

    Maybe someone else can enlighten us about how to use Zimbra's filters for this.
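Since iptables matches addresses rather than names, the practical answer to the wildcard question is to harvest the individual addresses from the Postfix log. The script below is an added example, not code from the thread or from Zimbra: it parses smtpd "connect from name[address]" lines (the sample log is constructed in the format posted above), keeps the clients whose reverse-DNS name falls under a given domain, and emits one per-address rule in the form jorge_s posted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the postfix/smtpd format posted upthread, plus one
# unrelated client so the suffix filter has something to leave alone.
SAMPLE_LOG = """\
Apr 26 10:23:01 mail postfix/smtpd[32167]: disconnect from p3plsmtpa01-02.prod.phx3.secureserver.net[72.167.82.82]
Apr 26 12:15:18 mail postfix/smtpd[519]: connect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:15:33 mail postfix/smtpd[519]: 721029F000D: client=p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:15:34 mail postfix/smtpd[519]: disconnect from p3plsmtpa07-05.prod.phx3.secureserver.net[173.201.192.234]
Apr 26 12:23:34 mail postfix/smtpd[11490]: connect from p3plsmtp04-01.prod.phx3.secureserver.net[72.167.218.159]
Apr 26 12:30:02 mail postfix/smtpd[11502]: connect from mx.example.org[192.0.2.10]
"""

# smtpd logs "connect from name[address]"; the name is "unknown" unless the
# client's reverse and forward DNS agree, so a suffix match on it is meaningful.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]")

def clients_under_suffix(log_text, suffix):
    """Return {ip: connect_count} for clients whose rDNS name ends in .suffix."""
    counts = defaultdict(int)
    wanted = "." + suffix.lower().lstrip(".")
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower()
        if host != "unknown" and host.endswith(wanted):
            counts[m.group("ip")] += 1
    return dict(counts)

def iptables_rules(ip_counts):
    """One DROP rule per address, in the form posted upthread (iptables has no name wildcard)."""
    return [f"iptables -t filter -A INPUT -p tcp --dport 25 -s {ip} -j DROP"
            for ip in sorted(ip_counts, key=ip_address)]

if __name__ == "__main__":
    for rule in iptables_rules(clients_under_suffix(SAMPLE_LOG, "secureserver.net")):
        print(rule)
```

At the MTA level the same wildcard is available without iptables: a check_client_access table entry of the form `.secureserver.net REJECT` matches every client whose verified reverse-DNS name is under that domain.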

  8. #8 LMStone (Moderator)

    If you are willing to discard bounce messages in general, you could do something like this:

    Code:
    To reduce this volume of third-party backscatter, we use Postfix header checks on all MTA servers.

    To implement, add to /opt/zimbra/conf/postfix_header_checks.in the following two lines after making the file writable by the zimbra user. Don't forget to change the permissions back after editing!

    /^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
    /^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs

    To implement immediately, run zmmtactl reload and ignore errors like:

    postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781, line 5: record is in "key: value" format; is this an alias file?
    postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781, line 6: record is in "key: value" format; is this an alias file?
    postmap: warning: /opt/zimbra/conf/postfix_header_checks.H21781.db: duplicate entry: "/^content-type:"
    Hope that helps,
    Mark

  9. #9 Mike From Markham (Active Member)

    Hi Mark,

    This did not seem to work... Still get 50+ of these a day...

    Here's my header check file:

    %%uncomment VAR:zimbraMtaBlockedExtension%%/filename=\"?(.*)\.(%%list VAR:zimbraMtaBlockedExtension |%%)\"?$/
    %%uncomment VAR:zimbraMtaBlockedExtension%% REJECT For security reasons we reject attachments of this type
    %%uncomment VAR:zimbraMtaBlockedExtension%%/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(%%list VAR:zimbraMtaBlockedExtension |%%))"?\s*$
    %%uncomment VAR:zimbraMtaBlockedExtension%% REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
    /^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
    /^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs


    As per the screenshot, I've got 50 of these things just from last night... Unless I missed something with the above change...
    Mike
    VCP3 & VCP4

  10. #10 LMStone (Moderator)

    Quote Originally Posted by Mike From Markham:
    Hi Mark,

    This did not seem to work... Still get 50+ of these a day...

    Here's my header check file:

    %%uncomment VAR:zimbraMtaBlockedExtension%%/filename=\"?(.*)\.(%%list VAR:zimbraMtaBlockedExtension |%%)\"?$/
    %%uncomment VAR:zimbraMtaBlockedExtension%% REJECT For security reasons we reject attachments of this type
    %%uncomment VAR:zimbraMtaBlockedExtension%%/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(%%list VAR:zimbraMtaBlockedExtension |%%))"?\s*$
    %%uncomment VAR:zimbraMtaBlockedExtension%% REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
    /^Content-Type: multipart\/report; report-type=delivery-status\;/ DISCARD No Third-Party DSNs
    /^Content-Type: message\/delivery-status; / DISCARD No Third-Party DSNs


    As per the screenshot, I've got 50 of these things just from last night... Unless I missed something with the above change...
    Sounds like you'll want to update or add your own regular expression to the above header checks to catch these.

    Can you post one of the message headers?

    Mark
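The headers posted in #1 already show why the two DSN rules from #8 never fire: the bounce is generated by qmail-send, which sends a plain-text message with no multipart/report Content-Type and quotes the original in the body. The checker below is an added example, not code from the thread, from Zimbra or from the Postfix Backscatter Howto: it applies the two posted header_checks patterns to the top-level headers, then applies a heuristic of my own in the spirit of that howto, treating a bounce as backscatter when the quoted original carries no Received line "by" our own MTA. OUR_HOST is taken from the posted headers and the sample message is constructed by trimming the posted bounce.

```python
import re
from email.utils import parseaddr

OUR_HOST = "mail.mymailserver.ca"   # our MTA's name, taken from the headers posted upthread

# The two header_checks patterns posted upthread; Postfix matches primary headers case-insensitively.
DSN_PATTERNS = [
    re.compile(r"^Content-Type: multipart/report; report-type=delivery-status;", re.I),
    re.compile(r"^Content-Type: message/delivery-status; ", re.I),
]

# Constructed sample, trimmed from the posted qmail bounce; qmail quotes the original in the body.
SAMPLE_BOUNCE = """\
Received: from p3plsmtpa07-03.prod.phx3.secureserver.net (p3plsmtpa07-03.prod.phx3.secureserver.net [173.201.192.232])
\tby mail.mymailserver.ca (Postfix) with SMTP id BCD749F0009
\tfor <info@domainxyz.com>; Sun, 24 Apr 2011 22:04:40 -0400 (EDT)
From: MAILER-DAEMON@p3plsmtpa07-03.prod.phx3.secureserver.net

Hi. This is the qmail-send program at p3plsmtpa07-03.prod.phx3.secureserver.net.
--- Below this line is a copy of the message.
Return-Path: <info@domainxyz.com>
Received: from unknown (118.160.146.125)
  by p3plsmtpa07-03.prod.phx3.secureserver.net (173.201.192.232) with ESMTP; 25 Apr 2011 02:04:39 -0000
From: "Easter" <info@christinegilmore.com>
"""

def unfold(text):
    """Join continuation lines (leading whitespace) so each header is one line."""
    out = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def dsn_header_checks_match(raw):
    """True if either posted header_checks pattern fires on the top-level headers."""
    return any(p.search(h) for h in unfold(raw.partition("\n\n")[0]) for p in DSN_PATTERNS)

def classify(raw):
    """'backscatter' when a bounce quotes an original that never passed through OUR_HOST."""
    head, _, body = raw.partition("\n\n")
    sender = next((parseaddr(h[5:])[1] for h in unfold(head) if h.lower().startswith("from:")), "")
    if not (sender.upper().startswith("MAILER-DAEMON@") or "return-path: <>" in head.lower()):
        return "not-a-bounce"
    by_us = re.compile(r"\bby\s+" + re.escape(OUR_HOST) + r"\b", re.I)
    for line in unfold(body):
        if line.lower().startswith("received:") and by_us.search(line):
            return "plausible-bounce"   # our MTA really handled the original
    return "backscatter"                # bounce for mail we never sent
```

Some remote MTAs truncate or strip the quoted original, so a "backscatter" verdict is best used to tag or score a message rather than to reject it outright.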
