Spammers mail bouncing back to my server

UpAllNight (Verified User; joined May 23, 2005; 45 messages)
My server is getting pounded with thousands of emails per hour that are bounces from a spammer. The spammer is using bogus email addresses from 2 domains on the server in the spam they are sending out. The 2 domains are mine so I know it's not someone sending it out from my server.

All of the bounces from their spam are returning to me. I actually created accounts for a couple of the email addresses they have been using and checked the headers in some of the emails. Looking at the IPs in the emails, they appear to be originating from all over the world.

The spam message appears to be trying to pump up a California company's stock:

Reynaldo's Mexican Foods (RYNL)

Anyone have any ideas on what I can do about this? It's killing my server and I hate to see what my bandwidth costs are going to be.

Thanks,
David
 
No, there is no form. The spammer is using bogus email account names from 2 domains on my server as fake sender email addresses for their spam. And all the other servers that are rejecting the mail are bouncing it back to my server.
 
If there are two specific addresses involved, set up an alias for each one to

:fail:

That way your server will refuse to accept the emails. AFAIK that is the method that will use the least resources on your server.
 
Mike is right; that's about all you can do.

Now you can see why our SpamBlocker system refuses to accept known spam rather than accepting it and returning it later as mailscanners do. We don't want our DA boxes to be part of the problem.

The recipients who are using a SpamBlocker type solution aren't sending the forged spam to you.

According to rules of netiquette, any server sending you back the returns is guilty of spamming and if you report them to SpamCop, they'll get blocked for spamming you. And rightfully so, since their servers should be smart enough to know you didn't send the email.

What we often do is create a script to send these emails back to the postmaster at the sending domain, attached to a short email explaining that they're spamming us by presuming we sent the spam with the forged addresses, and that we're rightfully reporting the spam back to them, and that if it doesn't stop we'll have them added to both SpamCop and to Sorbs. SpamCop is relatively easy to get off of, but to get off Sorbs actually costs money.

Of course you shouldn't do that unless you're a Sorbs authorized submitter who can add to their blocklists.

Jeff
 
The spam bombardment continues.

The spammer is using an endless variety of random dictionary words for the email addresses like:

[email protected]
[email protected]
[email protected]

None of them are valid email addresses. I've even gone so far as to disable mail services on the 2 domains and from the DA CP set them to not handle mail from the domains, and to remove their mx records.

Interestingly, I did some checking on the company whose stock is being promoted in the spam. Seems they have been mixed up in a similar scam using junk fax spam. I actually called the company and spoke with a guy there. He said they're not doing it, but they're not doing anything to find out who is and he didn't seem particularly bothered that it was happening.
 
me too

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[email protected]
Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from apache by reseller.servertweak.com with local (Exim 4.60)
(envelope-from <[email protected]>)
id 1EsZM6-0002Ti-J5; Fri, 30 Dec 2005 21:32:38 -0800
To: [email protected]
Subject: [email protected]
MIME-Version: 1.0
From: "[email protected]" <mirrors
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: tax return. lease contact us beforehand to let us
Message-Id: <[email protected]>
Date: Fri, 30 Dec 2005 21:32:38 -0800

57f324094b487c167dd7320ba2b8f0b8
.>
Reply-To: "[email protected]" <mirrors
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: tax return. lease contact us beforehand to let us
bcc: [email protected]

57f324094b487c167dd7320ba2b8f0b8
.>
Content-type: text/plain; charset=iso-8859-1


[email protected]


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.8/215 - Release Date: 12/27/2005
 
How can I stop this?


servertweak said:
me too

 
I'm receiving a lot of spam too, more than 200MB per hour
 
First a reply to UpAllNight:

You never posted all the headers from one of the spam emails, as did servertweak.

Please do.

And now a reply to servertweak:

Your headers indicate that the spam is coming from a php program or form on your server; probably one owned by admin or [email protected] owned by a user named into6404.

And now a reply to sspt:

Me too responses generally don't get replies because they don't offer any clue as to why the problem may be occurring.

If you can post the headers from the outgoing spam, that'll help us help you.

Jeff
 
Hi Jeff,

I'm assuming you meant headers from the original spam, not the headers from the mail server returning the bounced spam. Here are 2 headers from the original spam as included by the mail server bouncing them back to me. My domain that is being falsely used is flagart.com. The other domain of mine they are using is 247max.com.

-------------- START 1 --------------
Hi. This is the qmail-send program at secure.hummer6.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 14505 invoked from network); 29 Dec 2005 01:00:26 -0000
Received: from unknown (HELO 201.240.246.224) (201.240.246.224)
by hummer6.net with SMTP; 29 Dec 2005 01:00:26 -0000
Received: from [192.168.40.200] (port=21786 helo=ktnckyiu)
by 201.240.246.224 with esmtp
id 1Erm1X-0002l8-Y5
for [email protected]; Wed, 28 Dec 2005 19:52:07 -0500
Date: Wed, 28 Dec 2005 19:58:55 -0500
From: <[email protected]>
X-Mailer: The Bat! (v3.5) Professional
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: <[email protected]>
Subject: news report
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_373b352f7ba38ba5a57013defbbf3ea3"
X-Spam: Not detected

--=_373b352f7ba38ba5a57013defbbf3ea3
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<img src=3Dcid:42ddbe071279dd3568b540320c38562a>

--=_373b352f7ba38ba5a57013defbbf3ea3
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="hrav.gif"
Content-ID: <42ddbe071279dd3568b540320c38562a>
-------------- END 1 --------------


-------------- START 2 --------------
Hi. This is the qmail-send program at brick.suitage.jp.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 25518 invoked from network); 29 Dec 2005 01:04:10 -0000
Received: from unknown (HELO 201-248-56-68.genericrev.cantv.net) (201.248.56.68)
by brick.suitage.jp with SMTP; 29 Dec 2005 01:04:10 -0000
Received: from [192.168.40.200] (port=21780 helo=dqlkklj)
by 201-248-56-68.genericrev.cantv.net with esmtp
id 1Erm0a-0005th-B6
for [email protected]; Wed, 28 Dec 2005 13:51:08 -1100
Date: Wed, 28 Dec 2005 21:04:02 -0400
From: <[email protected]>
X-Mailer: The Bat! (v3.5) Professional
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: <[email protected]>
Subject: news report
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_94398f05b5256b1bf68306a1b2d85cfa"
X-Spam: Not detected

--=_94398f05b5256b1bf68306a1b2d85cfa
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<img src=3Dcid:eab00e6f70825e05ef9ce353e3fa8f43>

--=_94398f05b5256b1bf68306a1b2d85cfa
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="zyjqix.gif"
Content-ID: <eab00e6f70825e05ef9ce353e3fa8f43>
-------------- END 2 --------------
 
Still trying to find out why / how the spammers picked me for their spam barrage which has gone on non-stop for well over a week now. Poking around in some of the server logs I found these:

[root]# grep "66.199.162.235" secure.2
Dec 19 17:12:11 lion xinetd[10623]: START: imap pid=23047 from=66.199.162.235
Dec 19 17:12:11 lion xinetd[10623]: START: imap pid=23048 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23049 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23050 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23051 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23052 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23053 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23054 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23055 from=66.199.162.235
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23056 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23057 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23058 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23059 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23060 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23061 from=66.199.162.235
Dec 19 17:12:16 lion xinetd[10623]: START: imap pid=23062 from=66.199.162.235
Dec 19 17:12:17 lion xinetd[10623]: START: imap pid=23063 from=66.199.162.235
Dec 19 17:12:17 lion xinetd[10623]: START: imap pid=23064 from=66.199.162.235
Dec 19 17:12:17 lion xinetd[10623]: START: imap pid=23065 from=66.199.162.235
Dec 19 17:12:17 lion xinetd[10623]: START: imap pid=23066 from=66.199.162.235
Dec 19 17:12:17 lion xinetd[10623]: START: imap pid=23067 from=66.199.162.235
Dec 19 17:12:18 lion xinetd[10623]: START: imap pid=23068 from=66.199.162.235
Dec 19 17:12:18 lion xinetd[10623]: START: imap pid=23069 from=66.199.162.235
Dec 19 17:12:18 lion xinetd[10623]: START: imap pid=23070 from=66.199.162.235
Dec 19 17:12:18 lion xinetd[10623]: START: imap pid=23071 from=66.199.162.235
Dec 19 17:12:18 lion xinetd[10623]: START: imap pid=23072 from=66.199.162.235



[root]# grep "66.199.162.235" maillog.2
Dec 19 17:12:13 lion imapd[23053]: imap service init from 66.199.162.235
Dec 19 17:12:16 lion imapd[23047]: imap service init from 66.199.162.235
Dec 19 17:12:16 lion imapd[23048]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23049]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23050]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23051]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23052]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23055]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23054]: imap service init from 66.199.162.235
Dec 19 17:12:18 lion imapd[23053]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:18 lion imapd[23053]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:18 lion imapd[23053]: Command stream end of file, while reading line user=??? host=[66.199.162.235]
Dec 19 17:12:18 lion imapd[23056]: imap service init from 66.199.162.235
Dec 19 17:12:21 lion imapd[23057]: imap service init from 66.199.162.235
Dec 19 17:12:21 lion imapd[23058]: imap service init from 66.199.162.235
Dec 19 17:12:21 lion imapd[23059]: imap service init from 66.199.162.235
Dec 19 17:12:21 lion imapd[23060]: imap service init from 66.199.162.235
Dec 19 17:12:21 lion imapd[23061]: imap service init from 66.199.162.235
Dec 19 17:12:22 lion imapd[23062]: imap service init from 66.199.162.235
Dec 19 17:12:22 lion imapd[23047]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:22 lion imapd[23048]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:22 lion imapd[23063]: imap service init from 66.199.162.235
Dec 19 17:12:22 lion imapd[23064]: imap service init from 66.199.162.235
Dec 19 17:12:22 lion imapd[23065]: imap service init from 66.199.162.235
Dec 19 17:12:22 lion imapd[23066]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23067]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23068]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23069]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23070]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23049]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:23 lion imapd[23071]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23072]: imap service init from 66.199.162.235
Dec 19 17:12:23 lion imapd[23050]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:23 lion imapd[23051]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:23 lion imapd[23054]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:23 lion imapd[23052]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:23 lion imapd[23055]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:24 lion imapd[23056]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:26 lion imapd[23059]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:26 lion imapd[23057]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:26 lion imapd[23058]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:26 lion imapd[23060]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:26 lion imapd[23061]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:27 lion imapd[23062]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:27 lion imapd[23063]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23064]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23066]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23065]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23067]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23068]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23069]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23072]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23070]: Null command before authentication host=[66.199.162.235]
Dec 19 17:12:28 lion imapd[23071]: Null command before authentication host=[66.199.162.235]

Can anyone enlighten me as to what these entries are for? I know that logging into squirrelmail for domains on the site comes in on 127.0.0.1. What else would these be coming from?

Thanks,
David
 
Responding to your first email, unless your server uses these IP#s:

201.240.246.224
201.248.56.68

then the spam is not coming from you.

And there's nothing you can do about it. What you can and should do is notify the postmaster at hummer6.net that he shouldn't be responding to you since your server didn't send the spam he's responding to. And that he should respond to the sender's server.

Of course by default qmail can't do that, and most postmasters using it will have no idea how to patch it so it can.

So then you can report hummer6.net to the RFC Ignorant group (you can google it) and they'll list him and it will become his problem. Of course it will remain your problem as well.

Same for brick.suitage.jp; they also run qmail, and have the same problem.

Just another reason not to use qmail :mad: .

To answer your second email, perhaps these lines are caused by others either legitimately or illegitimately trying to log into your imap server.

Jeff
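The header check described in the replies above (is the connecting IP one of yours, or was the message submitted locally "from apache ... with local"), as an added example that is not part of any post in this thread. The two bounces are constructed samples modelled on the ones posted here; every hostname, address and IP in them, and the function names, are placeholders.

```python
import re
from email import message_from_string

# Lines that precede the quoted original in the qmail and Exim bounces on this page.
COPY_MARKERS = ("--- Below this line is a copy of the message.",
                "------ This is a copy of the message, including all the headers. ------")
PEER_IP = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")
LOCAL_SUBMIT = re.compile(r"from (\S+) by (\S+) with local\b")

# Constructed samples; names and IPs are placeholders.
QMAIL_BOUNCE = """\
Hi. This is the qmail-send program at mx.example.net.
--- Below this line is a copy of the message.

Return-Path: <randomword@example.com>
Received: (qmail 14505 invoked from network); 29 Dec 2005 01:00:26 -0000
Received: from unknown (HELO 203.0.113.24) (203.0.113.24)
  by mx.example.net with SMTP; 29 Dec 2005 01:00:26 -0000
Received: from [192.168.40.200] (port=21786 helo=ktnckyiu)
  by 203.0.113.24 with esmtp; Wed, 28 Dec 2005 19:52:07 -0500
Subject: news report

body
"""
EXIM_BOUNCE = """\
This message was created automatically by mail delivery software.
------ This is a copy of the message, including all the headers. ------

Return-path: <apache@web.example.com>
Received: from apache by web.example.com with local (Exim 4.60)
  id 1EsZM6-0002Ti-J5; Fri, 30 Dec 2005 21:32:38 -0800
Subject: test

body
"""

def quoted_original(bounce):
    """Parse the original message that the bouncing server quoted back."""
    for marker in COPY_MARKERS:
        _, found, rest = bounce.partition(marker)
        if found:
            return message_from_string(rest.lstrip())
    raise ValueError("no quoted original found in bounce")

def classify(bounce, mine):
    """Decide whether the bounced message left one of our hosts (IPs or names in `mine`)."""
    msg = quoted_original(bounce)
    result = {"return_path": msg.get("Return-Path"), "peer_ip": None,
              "local_user": None, "verdict": "unknown"}
    # Received headers are prepended, so the topmost ones were written by the
    # server that bounced the mail; anything below the first peer can be forged.
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        local, peer = LOCAL_SUBMIT.search(hop), PEER_IP.search(hop)
        if local:
            ours = local.group(2) in mine
            result.update(local_user=local.group(1),
                          verdict="local-origin" if ours else "backscatter")
        elif peer:
            ours = peer.group(1) in mine
            result.update(peer_ip=peer.group(1),
                          verdict="relayed-by-us" if ours else "backscatter")
        else:
            continue
        break
    return result
```

A "backscatter" verdict means the message never passed through the hosts listed in `mine`; "local-origin" points at a script or form running as the reported local user.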
 
Hi Jeff,

I really appreciate your help and expertise with this.

No, they're not my IP#s. Unfortunately those and their domains are only 2 of literally thousands of domains that this has happened with. I shut down mail service on both of my domains so now I'm only seeing my server rejecting all the mail that the spammers are trying to send through my box (If I'm reading the logs right).


2006-01-02 18:01:06 H=mail3.smartmailservers.com [69.57.4.13] F=<> rejected RCPT <[email protected]>: authentication required
2006-01-02 18:01:06 H=mail3.smartmailservers.com [69.57.4.13] incomplete transaction (QUIT) from <>


As for the imap, one of the sections is from the secure log. Is that indicating that they were able to access imap service on my box?


Jan 2 11:36:58 lion xinetd[9670]: START: imap pid=8914 from=209.176.194.25
Jan 2 11:36:58 lion xinetd[9670]: START: imap pid=8915 from=209.176.194.25
Jan 2 11:36:58 lion xinetd[9670]: START: imap pid=8916 from=209.176.194.25


I don't have any clients associated with the ip address shown in the logs or the half dozen other ip#s with similar entries in my secure and exim mainlog.

Thanks,
David
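For the secure-log question above: an xinetd START line records only that a connection was accepted and imapd was started for it. This added example (not part of any post in this thread) joins those records to the imapd lines by pid and counts, per source, the sessions that logged nothing beyond the pre-login messages quoted earlier. The log excerpts are constructed in the same format, with placeholder IPs; `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

XINETD_START = re.compile(r"xinetd\[\d+\]: START: imap pid=(\d+) from=(\S+)")
IMAPD_EVENT = re.compile(r"imapd\[(\d+)\]: (.+)")
# imapd messages quoted in this thread; none of them records a login.
PRE_AUTH = ("imap service init",
            "Null command before authentication",
            "Command stream end of file, while reading line user=???")

# Constructed excerpts in the format of the secure and maillog files above.
SECURE_LOG = """\
Dec 19 17:12:11 lion xinetd[10623]: START: imap pid=23047 from=198.51.100.7
Dec 19 17:12:13 lion xinetd[10623]: START: imap pid=23053 from=198.51.100.7
Dec 19 17:12:20 lion xinetd[10623]: START: imap pid=23090 from=192.0.2.44
"""
MAILLOG = """\
Dec 19 17:12:13 lion imapd[23053]: imap service init from 198.51.100.7
Dec 19 17:12:16 lion imapd[23047]: imap service init from 198.51.100.7
Dec 19 17:12:18 lion imapd[23053]: Null command before authentication host=[198.51.100.7]
Dec 19 17:12:18 lion imapd[23053]: Command stream end of file, while reading line user=??? host=[198.51.100.7]
Dec 19 17:12:22 lion imapd[23047]: Null command before authentication host=[198.51.100.7]
"""

def summarize(secure_log, maillog):
    """Per source IP: connections opened, sessions that stayed pre-auth, pids to review."""
    # pids are reused over time, so pass excerpts covering the same short window.
    source_of = {pid: src for pid, src in XINETD_START.findall(secure_log)}
    events = defaultdict(list)
    for pid, text in IMAPD_EVENT.findall(maillog):
        events[pid].append(text)
    report = {}
    for pid, src in source_of.items():
        row = report.setdefault(src, {"connections": 0, "pre_auth_only": 0, "review": []})
        row["connections"] += 1
        seen = events.get(pid, [])
        if seen and all(text.startswith(PRE_AUTH) for text in seen):
            row["pre_auth_only"] += 1
        else:
            # No imapd record, or a message not in PRE_AUTH: read these by hand.
            row["review"].append(pid)
    return report
```

Any pid listed under "review" either has no matching imapd line or logged a message outside the pre-login set, and is the one to read in full.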
 
Same problem here.

Hate to 'me too', but me too.

I have a domain that I have had as a mail funnel for years, by bad luck, they are using this domain as jumping point for this crappy stock spam.

I was :fail:'ing all mail returning to me, but it is truly an extensive library of usernames it is using. No chance to block or /dev/null them all.

I went into DA's mail filter at http://www.<my domain>.net:2222/CMD_EMAIL_FILTER?domain=<domain>.net and was putting filters in like:

Block e-mail containing this word: Mail delivery failed:
Block e-mail containing this word: Returned mail:
Block e-mail containing this word: Undeliverable mail:
Block e-mail containing this word: Undelivered Mail Returned to Sender
Block e-mail containing this word: Non delivery report: 5.1.1
Block e-mail containing this word: Delivery Status Notification (Failure)
Block e-mail containing this word: failure notice

But that wasn't working at all. Why isn't that working?

So I have Outlook filtering somewhat, but it's coming in fast & furious.

Can anyone figure out how to make the above filtering work in DA? It would be the solution to those of us that use email domains as email funnels.

Thanks,
-WC-
 
I've never studied the DA mail filters but I know they do work under at least certain circumstances.

I don't have any easy answers.

Perhaps someone else will know why the filters are failing to filter.

Jeff
 
I went into DA's mail filter at http://www.<my domain>.net:2222/CMD_EMAIL_FILTER?domain=<domain>.net and was putting filters in like:

Block e-mail containing this word: Mail delivery failed:
Block e-mail containing this word: Returned mail:
Block e-mail containing this word: Undeliverable mail:
Block e-mail containing this word: Undelivered Mail Returned to Sender
Block e-mail containing this word: Non delivery report: 5.1.1
Block e-mail containing this word: Delivery Status Notification (Failure)
Block e-mail containing this word: failure notice

But that wasn't working at all. Why isn't that working?
Without reading this topic, I've done the same thing just right now; also I'm experiencing the same troubles as you did. Did you find any solution for it? Maybe it has to do with Exim somewhere always trying to accept mail from mailer-daemons?
 
Superdeboer, I'm having the same problem atm. Don't know how to stop it :/
 
We now have some servers that do not accept mail from servers that don't have reverse DNS.
60% of the spam and bounces are gone.

(hmm, but some good mails are gone also)
 