New SPAM or back scatter?

Post by planetcoop »

I have started to see about 10-20 emails like this per day. Are they NDR, SPAM or some new back scatter?
Attachments
2018-04-11_7-40-25.png

Re: New SPAM or back scatter?

Post by pdwalker »

Can you look at one of the messages and post the details?

Re: New SPAM or back scatter?

Post by booola »

Hi guys,
I've probably got the same problem - many emails in the OUTBOUND QUEUE:

D7810102039 6793 Thu Jun 21 12:45:22 MAILER-DAEMON
(connect to kidswintercoat.com[87.229.108.136]:25: Connection timed out)
edvardpywfxhpcoufal@kidswintercoat.com

AA084102018 6844 Thu Jun 21 11:58:51 MAILER-DAEMON
(connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
eleonoraxhstbzemach@alhashmigroupco.com

45DB910202F 6836 Thu Jun 21 12:32:50 MAILER-DAEMON
(connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
leonanykmathmoravec@alhashmigroupco.com

4F11D10066E 6662 Thu Jun 21 10:03:43 MAILER-DAEMON
(connect to sharepointsteve.com[87.229.108.136]:25: Connection timed out)
gitahgpqfbmmarek@sharepointsteve.com

E54CD100683 7655 Thu Jun 21 10:05:23 MAILER-DAEMON
(connect to sharepointsteve.com[87.229.108.136]:25: Connection timed out)
ninacfdsyrwmoravec@sharepointsteve.com

E226010202B 6766 Thu Jun 21 12:31:40 MAILER-DAEMON
(connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
ivamrqgstekocourek@alhashmigroupco.com


If I try to grep, for example, the last spam (ivamrqgstekocourek@alhashmigroupco.com) from the maillog:

Jun 21 12:31:22 km postfix/cleanup[36389]: 81736102029: hold: header Received: from icy.alhashmigroupco.com (icy.chromefalgar.com [151.106.3.186])??by our.mailserver.cz (Postfix) with ESMTP id 81736102029??for <our@email.cz>; Thu, 21 Jun 2018 12:31:21 +0200 (CE from icy.chromefalgar.com[151.106.3.186]; from=<ivamrqgstekocourek@alhashmigroupco.com> to=<our@email.cz> proto=ESMTP helo=<icy.alhashmigroupco.com>
Jun 21 12:31:24 km MailScanner[8953]: <A> tag found in message 81736102029.A4268 from ivamrqgstekocourek@alhashmigroupco.com
Jun 21 12:31:24 km MailScanner[8953]: HTML Img tag found in message 81736102029.A4268 from ivamrqgstekocourek@alhashmigroupco.com
Jun 21 12:31:25 km postfix/qmgr[2575]: 2C93B10202A: from=<ivamrqgstekocourek@alhashmigroupco.com>, size=4309, nrcpt=1 (queue active)
Jun 21 12:32:10 km postfix/smtp[36406]: E226010202B: to=<ivamrqgstekocourek@alhashmigroupco.com>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
Jun 21 12:39:00 km postfix/smtp[37782]: E226010202B: to=<ivamrqgstekocourek@alhashmigroupco.com>, relay=none, delay=440, delays=410/0.08/30/0, dsn=4.4.1, status=deferred (connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
Jun 21 12:49:00 km postfix/smtp[40103]: E226010202B: to=<ivamrqgstekocourek@alhashmigroupco.com>, relay=none, delay=1040, delays=1010/0.08/30/0, dsn=4.4.1, status=deferred (connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
Jun 21 13:09:00 km postfix/smtp[44557]: E226010202B: to=<ivamrqgstekocourek@alhashmigroupco.com>, relay=none, delay=2240, delays=2210/0.1/30/0, dsn=4.4.1, status=deferred (connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)


There are many more automatically generated domains.
Thank you for any suggestions.
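
To see at a glance where the stuck messages in a queue listing like the one above are headed, the following added example (not part of the original thread) parses the layout booola pasted and counts deferred bounces per recipient domain. It relies on Postfix listing the null envelope sender as MAILER-DAEMON; the function names and the last sample entry are made up for the illustration.

```python
import re
from collections import Counter

# First three entries are copied from the post above; the last one is constructed.
SAMPLE_QUEUE = """\
D7810102039 6793 Thu Jun 21 12:45:22 MAILER-DAEMON
(connect to kidswintercoat.com[87.229.108.136]:25: Connection timed out)
edvardpywfxhpcoufal@kidswintercoat.com

AA084102018 6844 Thu Jun 21 11:58:51 MAILER-DAEMON
(connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
eleonoraxhstbzemach@alhashmigroupco.com

45DB910202F 6836 Thu Jun 21 12:32:50 MAILER-DAEMON
(connect to alhashmigroupco.com[185.207.11.245]:25: Connection timed out)
leonanykmathmoravec@alhashmigroupco.com

0123456789A 1200 Thu Jun 21 12:50:00 user@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
friend@example.net
"""

# Entry head: queue ID (optional */! flag), size, arrival time, envelope sender.
HEAD = re.compile(r"^(\w+)[*!]?\s+\d+\s+\w{3} \w{3}\s+\d+ [\d:]+\s+(\S+)$")

def parse_queue(text):
    """Return one dict per queue entry: id, sender, reason, recipients."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEAD.match(lines[0]) if lines else None
        if not m:
            continue  # banner or summary line of a real listing
        rest = lines[1:]
        entries.append({
            "id": m.group(1), "sender": m.group(2),
            "reason": " ".join(l.strip("()") for l in rest if l.startswith("(")),
            "recipients": [l for l in rest if not l.startswith("(")],
        })
    return entries

def stuck_bounces_by_domain(entries):
    """Count queued bounces (sender shown as MAILER-DAEMON) per recipient domain."""
    counts = Counter()
    for e in entries:
        if e["sender"] == "MAILER-DAEMON":
            counts.update(r.rsplit("@", 1)[-1].lower() for r in e["recipients"])
    return counts

if __name__ == "__main__":
    print(stuck_bounces_by_domain(parse_queue(SAMPLE_QUEUE)).most_common())
```

A queue dominated by MAILER-DAEMON entries addressed to a handful of unreachable domains means the server is generating notices to the spam's sender addresses, not that local users are sending mail.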

Re: New SPAM or back scatter?

Post by jamerson »

I remember having this before; there were a lot of servers trying to relay.
I've configured fail2ban and I noticed it has reduced now.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

Re: New SPAM or back scatter?

Post by booola »

OK, that's a good idea. Thank you for the suggestion. So do you use the configuration from, for example, here:
viewtopic.php?t=1875

Re: New SPAM or back scatter?

Post by jamerson »

Yes, exactly that one has been configured.
For now I am set.
In the new release, AFAIK, it will be built in.
If the eFa is behind a firewall, I will suggest blocking GEOIP.