Ok, I have an unusual case of what looks like some weird type of backscatter spam.
Initially I noticed a massive exim queue, over 50k emails, on a server, so I investigated.
Initially I had nothing to go on. All I could see in the queue was outbound emails being blocked by hotmail because they were sent to accounts that don't exist; the sender was blank in the headers. The from address was also hotmail.com, so hotmail to hotmail going through this server.
I reduced the queue, but left a few of the rogue emails there frozen for further investigation.
2 hours later the problem comes back. I check the emails again, and this time the first batch of emails are inbound to the server, so I see the real body of the message and a bit more info in the logs. Here is a summary.
1 - The to address is a hotmail address, the from address is a hotmail address that's static, the same every time, so there is no domain at all in the headers that exists on this server.
2 - The HELO is invalid (a LAN IP), and the real host of the sender is allowed, as the logs say "whitelisted in local domains whitelist".
3 - Checking the domain whitelist file shows the IP isn't there. There are many domains there though; I resolved every domain name to an IP and none match the spamming IP. Since there is no match for me to remove from the whitelist, I have simply had to disable the domain whitelist function for now.
4 - These emails are being generated at a high rate, more than 1 a second, and the queue got to 5k+ in an hour.
5 - After disabling the whitelist the emails are being blocked as fake hotmail, so it isn't even hotmail servers sending the spam to the server. Without the whitelist there is no extra insight into how the emails are getting to this server; the sender has somehow managed to hide the real to address from the headers, or must have faked DNS records on the sending host to specifically target this server. Not impossible: the server is possibly under some attention from someone determined, as it's also bombarded 24/7 by .tw IPs with SMTP requests that are blocked for no auth.
Am I right that if the recipient is hotmail, then the way the emails have arrived is that someone has faked the hotmail DNS records on a server to point to this server? Or is there simply a way to hide the actual recipient of an email?
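One thing worth checking in a case like this, as an added example and not part of the original post: a host whitelist keyed on the sender's reverse-DNS name is only as trustworthy as the PTR record, and the PTR record is set by whoever owns the connecting IP. Forward-confirmed rDNS (the PTR name must resolve back to the connecting IP) closes that gap, which would also explain why resolving every whitelisted domain forward never matches the spamming IP. The script below parses a few constructed Exim-style "<=" arrival lines (the field layout `H=<rdns> (<helo>) [<ip>]` is my reading of Exim's log format, not taken from the poster's logs), flags a bare or LAN-address HELO, and applies the forward-confirmation check against constructed DNS answers so it runs offline. All names, addresses and the whitelist are hypothetical.

```python
"""Triage Exim-style arrival lines: HELO sanity plus forward-confirmed rDNS
before trusting a domain whitelist. Added example; all data is constructed."""
import ipaddress
import re

# Constructed Exim mainlog excerpt (not from the original post). Layout assumed:
#   <= <sender> H=<reverse-DNS name> (<HELO>) [<peer IP>] ...
SAMPLE_LOG = """\
2024-05-01 10:00:00 1s0A1b-000001-AA <= spammer@hotmail.com H=mail.partner.example (192.168.1.50) [203.0.113.9] P=esmtp S=1420
2024-05-01 10:00:00 1s0A1b-000002-AB <= spammer@hotmail.com H=mail.partner.example (192.168.1.50) [203.0.113.9] P=esmtp S=1421
2024-05-01 10:00:01 1s0A1b-000003-AC <= alice@partner.example H=mail.partner.example (mail.partner.example) [198.51.100.20] P=esmtps S=2211
"""

ARRIVAL_RE = re.compile(
    r"<= (?P<sender>\S+) H=(?P<rdns>\S+) \((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
)

# Constructed DNS answers standing in for live lookups. The PTR for 203.0.113.9
# claims a whitelisted name, but that name's A record does not point back at
# 203.0.113.9: the forward-confirmation failure that a PTR-only check misses.
PTR_RECORDS = {"203.0.113.9": "mail.partner.example",
               "198.51.100.20": "mail.partner.example"}
A_RECORDS = {"mail.partner.example": {"198.51.100.20"}}

# Hypothetical domain whitelist of the kind the post describes.
WHITELIST_DOMAINS = {"partner.example"}


def parse_arrivals(log_text):
    """Return one dict (sender, rdns, helo, ip) per '<=' arrival line."""
    matches = (ARRIVAL_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def helo_is_suspect(helo):
    """True for a HELO that is a bare IP literal (RFC 5321 wants brackets)
    or any private/LAN address; hostnames are left to the rDNS check."""
    bare = not (helo.startswith("[") and helo.endswith("]"))
    try:
        addr = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return False
    return bare or addr.is_private


def fcrdns_ok(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed rDNS: the PTR name must resolve back to the same IP."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, set())


def whitelist_decision(ip, rdns, ptr=PTR_RECORDS, a=A_RECORDS,
                       whitelist=WHITELIST_DOMAINS):
    """Decide whether a peer may use the domain whitelist, and say why."""
    matched = next((d for d in whitelist if rdns == d or rdns.endswith("." + d)), None)
    if matched is None:
        return False, "rdns %s is not under any whitelisted domain" % rdns
    if not fcrdns_ok(ip, ptr, a):
        return False, "rdns %s matches %s but does not resolve back to %s" % (rdns, matched, ip)
    return True, "forward-confirmed member of %s" % matched


def triage(log_text=SAMPLE_LOG):
    """Per peer IP: arrival count, HELO sanity, and whitelist verdict."""
    report = {}
    for entry in parse_arrivals(log_text):
        ip = entry["ip"]
        rec = report.setdefault(ip, {"count": 0, "helo_suspect": False})
        rec["count"] += 1
        rec["helo_suspect"] = rec["helo_suspect"] or helo_is_suspect(entry["helo"])
        rec["allowed"], rec["reason"] = whitelist_decision(ip, entry["rdns"])
    return report


if __name__ == "__main__":
    for peer, rec in triage().items():
        print(peer, rec)
```

Run against a real mainlog, the same loop gives you the per-IP arrival rate to compare with the "more than 1 a second" observation, and the `reason` field tells you whether a peer got in on a PTR name alone. With live DNS you would replace the two dictionaries with actual PTR and A lookups; Exim itself can enforce the forward check with `verify = reverse_host_lookup` in the relevant ACL, so a whitelist condition can be made to depend on it instead of on the unverified name.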