These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for Email-spoofing problem? Logs flooded with "User unknown in virtual alias table" on the new forum.
Hi, the last day or so one of my mail-servers has been hammered thousands with this type of requests
Mar 7 14:14:33 ns1 postfix/smtpd[23277]: NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 550 5.1.1 <randomchars@somedomain.com>: Recipient address rejected: User unknown in virtual alias table; from=<randomchars@somedomain.com> to=<randomchars@somedomain.com> proto=ESMTP helo=<[xx.xx.xx.xx]>
The randomchars part changes of course and the requests come from a wide range of IP-addresses. Even though I have Fail2Ban setup to ban this type of requests, they keep coming.
Are there any recommended ways of handling these types of attacks?
The following topic is related https://www.virtualmin.com/node/27754 - no method is proposed, but I was hoping that maybe something has changed since then (2013).
I have created a catchall address for this domain to take a look at the actual messages being sent:
Received: from localhost by <my-fqdn> with SpamAssassin (version 3.4.0); Wed, 07 Mar 2018 20:14:14 +0000
From: <xxx@somedomain.com>
To: <xxx@somedomain.com>
Subject: Hej!
Date: Thu, 08 Mar 2018 09:15:05 +0600
Message-Id: <5AA0AAB9.8040905@somedomain.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on <my-fqdn>
X-Spam-Flag: YES
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.6 required=5.0 tests=DATE_IN_FUTURE_06_12, HELO_MISC_IP,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SBL_CSS, RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,SPF_SOFTFAIL,URIBL_DBL_ABUSE_SPAM autolearn=no autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5AA04816.A5A36C2A"
This is a multi-part message in MIME format.
------------=_5AA04816.A5A36C2A
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "<my-fqdn>",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Bedste piger venter på dig i din by! Bare klik pa Bedste
piger venter på dig i din by! Bare klik pa [...]
Content analysis details: (13.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.0 URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in
the Spamhaus DBL blocklist
[URIs: studio-natali.ru]
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[123.20.174.229 listed in dnsbl.sorbs.net]
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[123.20.174.229 listed in zen.spamhaus.org]
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?123.20.174.229>]
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.2 HELO_MISC_IP Looking for more Dynamic IP Relays
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_5AA04816.A5A36C2A
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path: <xx@somedomain.com>
X-Original-To: xx@somedomain.com
Delivered-To: catchall.somedomain@<my-fqdn>
Received: from [123.20.174.229] (unknown [123.20.174.229])
by <my-fqdn> (Postfix) with ESMTP id 1069C147196
for <xx@somedomain.com>; Wed, 7 Mar 2018 20:14:13 +0000 (GMT)
Message-ID: <5AA0AAB9.8040905@somedomain.com>
Date: Thu, 08 Mar 2018 09:15:05 +0600
From: <xx@somedomain.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008050715 Thunderbird/3.0a1
MIME-Version: 1.0
To: <xx@somedomain.com>
Subject: Hej!
Content-Type: multipart/alternative;
boundary="------------040905080704020109040209"
This is a multi-part message in MIME format.
--------------040905080704020109040209
Content-Type: text/plain; charset=CP-850; format=flowed
Content-Transfer-Encoding: quoted-printable
Bedste piger venter på dig i din by!
Bare klik pa
--------------040905080704020109040209
Content-Type: text/html; charset="CP-850"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3DCP-850">
</head>
<body text=3D"#000000" bgcolor=3D"#ffffff">
Bedste piger venter på dig i din by!<br>
<br>
<a =
href=3D"http://studio-natali.ru/OLD-site/components/com_content/views/art=
icle/"><b>Bare klik pa</b></a>
</body>
</html>
--------------040905080704020109040209--
------------=_5AA04816.A5A36C2A--