How did this even get to my server
I found a reject this morning and wondered how it even got to my server.
Any ideas.
Also found this in Exim Main Log:
Event: rejected rejected
User: -remote-
Domain:
Sender: iiigeehx@spammer.com
Sent Time: Feb 11, 2015 5:39:05 AM
Sender Host: static.153.7.9.176.clients.your-server.de
Sender IP: 182.72.137.226
Authentication: unauthorized
Spam Score:
Recipient: rnicol@notmydomain.co.uk
Delivered To:
Delivery User:
Delivery Domain: notmydomain.co.uk
Router: reject
Transport: **rejected**
Out Time: Feb 11, 2015 5:39:05 AM
ID: 1YLQ1m-00012R-9q
Delivery Host: static.153.7.9.176.clients.your-server.de
Delivery IP: 182.72.137.226
Size: 0 bytes
Result: JunkMail rejected - (static.153.7.9.176.clients.your-server.de) [182.72.137.226]:3995 is in an RBL.
Also found this in Exim Main Log:
2015-02-11 05:38:48 SMTP connection from [182.72.137.226]:3995 (TCP/IP connection count = 1)
2015-02-11 05:38:49 no IP address found for host nsg-static-226.137.72.182.airtel.in (during SMTP connection from [182.72.137.226]:3995)
Probably a BCC.

> Probably a BCC.

I never thought of that. Doh. I'll experiment later.

> I never thought of that. Doh. I'll experiment later.

Hello :) Feel free to let us know the outcome after testing. Thank you.
OK. I don't think it was a BCC. I've just modified an email client to a spoofed sender address. I sent an email to my gmail account, and then BCC'd a non-existent email on the domain. This hit the server and was bounced, but clearly has my domain in the headers. In the headers above, there is no reference to my domain at all.
Event: rejected rejected
User: -remote-
Domain:
Sender: me@spoofed-sender.com - this was my spoofed sender.
Sent Time: Feb 12, 2015 3:12:15 PM
Sender Host: tkt-001-i390.relay.mailchannels.net
Sender IP: xx.xx.xx.xxx
Authentication: unauthorized
Spam Score:
Recipient: dave@mydomain.com - this is my non-existent email user
Delivered To:
Delivery User: mydomain
Delivery Domain: mydomain.com
Router: reject
Transport: **rejected**
Out Time: Feb 12, 2015 3:12:15 PM
ID: 1YLvRa-000Dic-02
Delivery Host: tkt-001-i390.relay.mailchannels.net
Delivery IP: xx.xx.xx.xxx
Size: 0 bytes
Result: No such person at this address.
I know that the original was rejected (quite rightly so) but I'm confused how it even got into my server in the first place.
Using dnsstuff.com, I recreated the same scenario. dnsstuff.com never once asked me for an email address when it performed these tests. So if dnsstuff can do it, hackers and spammers certainly can. Maybe the one I was concerned with was a relay attempt??
Event: rejected rejected
User: -remote-
Domain:
Sender: dnsstufftools@dnsstuff.com
Sent Time: Feb 12, 2015 2:28:14 PM
Sender Host: adf-b.dnsstuff.com
Sender IP: 74.115.12.14
Authentication: unauthorized
Spam Score:
Recipient: open.relay@example.com
Delivered To:
Delivery User:
Delivery Domain: example.com
Router: reject
Transport: **rejected**
Out Time: Feb 12, 2015 2:28:14 PM
ID: 1YLul3-000D7A-s3
Delivery Host: adf-b.dnsstuff.com
Delivery IP: 74.115.12.14
Size: 0 bytes
Result: Please turn on SMTP Authentication in your mail client. adf-b.dnsstuff.com (dnsstuff.com) [74.115.12.14]:50416 is not permitted to relay through this server without authentication.
Users can still attempt SMTP connections to your server. The logs are simply showing you the SMTP connection attempt was rejected:
2015-02-11 05:38:48 SMTP connection from [182.72.137.226]:3995 (TCP/IP connection count = 1)
2015-02-11 05:38:49 no IP address found for host nsg-static-226.137.72.182.airtel.in (during SMTP connection from [182.72.137.226]:3995)
You have to block the IP address in your firewall if you want to block the connection request itself. Thank you.
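The three outcomes in this thread (an RBL hit, a relay attempt without authentication, and a recipient that does not exist locally) all happen after the remote host has already opened a TCP connection and handed over the envelope sender and recipient. The model below is an added example written for this thread, not cPanel's or Exim's code: it walks a constructed SMTP envelope through the same three policy checks and records at which stage the rejection happens. The local domain, the user list, the RBL contents and the 203.0.113.x client addresses are constructed sample data (the two listed IPs are the ones quoted in the reports above); the `Envelope`, `Decision`, `smtp_policy` and `session_transcript` names are this example's own.

```python
"""Model of the SMTP policy decisions visible in the thread above.

Added example, not cPanel's or Exim's code. It shows why a rejected message
still produces a log entry with no reference to your own domain: the RBL
check runs at connect time, and relay / unknown-user checks run on the
envelope RCPT TO, long before any message headers (To:, From:) would be sent
in the DATA phase. The server cannot prevent the connection; it can only
refuse the envelope, which is what "Router: reject" records.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data (assumptions, not the poster's real configuration).
LOCAL_DOMAINS = {"mydomain.com"}
LOCAL_USERS = {"mydomain.com": {"me", "postmaster"}}
# Sample RBL: the connecting IP from the first report, treated as listed.
RBL_LISTED_IPS = {"182.72.137.226"}


@dataclass
class Envelope:
    client_ip: str
    mail_from: str
    rcpt_to: str
    authenticated: bool = False   # SMTP AUTH succeeded (what the dnsstuff result asks for)


@dataclass
class Decision:
    accepted: bool
    stage: str    # "connect" or "rcpt": the SMTP stage where the decision fell
    result: str   # text in the spirit of the "Result:" field in the reports


def smtp_policy(env: Envelope) -> Decision:
    """Apply, in order, the three checks that produced the rejections in the thread."""
    # Stage 1: connection-level check. The peer IP is known as soon as the TCP
    # session exists, so an RBL lookup can reject before any command is read.
    if env.client_ip in RBL_LISTED_IPS:
        return Decision(False, "connect",
                        f"JunkMail rejected - [{env.client_ip}] is in an RBL")

    # Stage 2: RCPT TO. The envelope recipient, not any header, decides whether
    # this is local delivery or a relay attempt.
    local_part, _, domain = env.rcpt_to.rpartition("@")
    domain = domain.lower()
    if domain not in LOCAL_DOMAINS:
        if env.authenticated:
            return Decision(True, "rcpt", "accepted for relay (authenticated client)")
        return Decision(False, "rcpt",
                        f"[{env.client_ip}] is not permitted to relay through this "
                        "server without authentication")
    if local_part.lower() not in LOCAL_USERS.get(domain, set()):
        return Decision(False, "rcpt", "No such person at this address")
    return Decision(True, "rcpt", "accepted for local delivery")


def session_transcript(env: Envelope) -> List[Tuple[str, str]]:
    """Return the SMTP dialogue as (client, server) pairs up to the policy decision.

    Note that DATA (where To:/From: headers would travel) is never reached
    for a rejected envelope, which is why the report shows "Size: 0 bytes".
    """
    decision = smtp_policy(env)
    if not decision.accepted and decision.stage == "connect":
        return [("<connect>", f"554 {decision.result}")]
    lines = [
        ("<connect>", "220 mail.example.invalid ESMTP"),
        (f"HELO [{env.client_ip}]", "250 mail.example.invalid"),
        (f"MAIL FROM:<{env.mail_from}>", "250 OK"),
    ]
    if decision.accepted:
        lines.append((f"RCPT TO:<{env.rcpt_to}>", "250 Accepted"))
    else:
        lines.append((f"RCPT TO:<{env.rcpt_to}>", f"550 {decision.result}"))
    return lines


if __name__ == "__main__":
    samples = [
        Envelope("182.72.137.226", "iiigeehx@spammer.com", "rnicol@notmydomain.co.uk"),
        Envelope("74.115.12.14", "dnsstufftools@dnsstuff.com", "open.relay@example.com"),
        Envelope("203.0.113.5", "me@spoofed-sender.com", "dave@mydomain.com"),
        Envelope("203.0.113.5", "someone@example.org", "me@mydomain.com"),
    ]
    for env in samples:
        print(f"--- client {env.client_ip} -> {env.rcpt_to}")
        for client_line, server_line in session_transcript(env):
            print(f"C: {client_line}\n S: {server_line}")
```

Reading the transcripts side by side makes the poster's observation concrete: the first and second envelopes carry a recipient outside the server's domains and are refused as relay attempts, the third is refused because the envelope recipient is unknown, and in none of the rejected cases does the client ever get to send message headers. Blocking the connection itself, as the last reply says, has to happen at the firewall, outside this policy layer.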