Getting hammered with bouncing email

Has anyone ever got that, hundreds of emails like the following:

The mail system

<dr.gronauer@freenet.de>: host emig.freenet.de[195.4.92.217] said: 550 Spam
message rejected (in reply to end of DATA command)

Reporting-MTA: dns;
X-Postfix-Queue-ID: 7AF21867A4
X-Postfix-Sender: rfc822; service@xxxxx
Arrival-Date: Thu, 5 Nov 2020 18:55:24 -0500 (EST)

Final-Recipient: rfc822; dr.gronauer@freenet.de
Original-Recipient: rfc822;dr.gronauer@freenet.de
Action: failed
Status: 5.0.0
Remote-MTA: dns; emig.freenet.de
Diagnostic-Code: smtp; 550 Spam message rejected

From Angel Gomez
Date Today 18:55

Dear Sir,
Transfer of 340,000 Euro Bitcoin share trading. in your Bitcoin wallet. Account holder dead, cause of death, Corona virus. Country: Germany. Official transaction code no.: I / CU / TQW020, approval number: 018940. The leverage ratio invoice to break the code and replace the trading account with your name is (300 Euro).

We can convert the Bitcoin and send it to your local bank account in Germany. If you are able to send this 300 Euro money now, forward your ID and contact number.
After I have transferred the 340,000 Euro, we split it 50/50.
Waiting for your contact details
Mrs. Angel Gomez Manager

Got that for a good 30 minutes, so about 200 emails like that. Some responses say the email was rejected because of spam.

<dl1osl@darc.de>: host w011132c.kasserver.com[85.13.131.248] said: 550 5.1.1
<dl1osl@darc.de>: Recipient address rejected: User unknown in virtual alias
table (in reply to RCPT TO command)

<doc.berto@freenet.de>: host emig.freenet.de[195.4.92.218] said: 550
unrouteable address (in reply to RCPT TO command)

I don’t understand; my server is always up to date with the latest version. There were new Ubuntu updates this morning that I installed right after I saw this coming in. I restarted the server and it just started again right away, so I’m leaving it off.

Someone is able to bounce off my Mail-in-a-Box server, so my IP will be the spammer, right?

Sounds like your email user account was compromised. Be sure to change passwords on the offending account.
And yes, your IP reputation will take a hit as the mails came from your server.

Thanks for the information. So the only password that could be affected would be the one that I see in the returned email?
So service@xxxxx.net would be the compromised password.

Is there any way I can stop MIAB from retrying to send email? I’m getting a lot of Delayed Mail messages but I don’t want MIAB to retry sending.
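Added example, not code from this thread or from the Mail-in-a-Box project: a small Python parser for Postfix delivery-status reports in the format quoted above. It counts hard (5xx) bounces per local sending account, taken from the X-Postfix-Sender field, so you can see which mailbox password to rotate first, and separately counts "delayed" entries, which are the still-queued messages that will keep retrying until the queue is cleared. The sample reports and all addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample reports in the Postfix delivery-status format quoted
# above; the addresses are placeholders, not real traffic.
SAMPLE_DSNS = [
    "X-Postfix-Sender: rfc822; service@example.net\n\n"
    "Final-Recipient: rfc822; alice@example.org\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 Spam message rejected\n",
    "X-Postfix-Sender: rfc822; service@example.net\n\n"
    "Final-Recipient: rfc822; bob@example.org\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 5.1.1 Recipient address rejected: User unknown\n\n"
    "Final-Recipient: rfc822; carol@example.org\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 Spam message rejected\n",
    "X-Postfix-Sender: rfc822; sales@example.net\n\n"
    "Final-Recipient: rfc822; dave@example.org\nAction: delayed\n"
    "Diagnostic-Code: smtp; 450 4.4.1 try again later\n",
]

FIELD = re.compile(r"^([A-Za-z-]+):\s*(.*)$", re.M)

def parse_dsn(text):
    """Split one report into (sender, [(recipient, action, verdict), ...])."""
    # First block is the per-message part; each later block is one recipient.
    head, *recips = re.split(r"\n\s*\n", text.strip())
    sender = dict(FIELD.findall(head)).get("X-Postfix-Sender", "")
    sender = sender.split(";", 1)[-1].strip()      # drop the "rfc822;" prefix
    rows = []
    for block in recips:
        h = dict(FIELD.findall(block))
        rcpt = h.get("Final-Recipient", "").split(";", 1)[-1].strip()
        verdict = h.get("Diagnostic-Code", "").split(";", 1)[-1].strip()
        rows.append((rcpt, h.get("Action", ""), verdict))
    return sender, rows

def summarize(dsns):
    """Return (failed per sender, failed per remote verdict, delayed per sender)."""
    by_sender, by_verdict, delayed = Counter(), Counter(), Counter()
    for text in dsns:
        sender, rows = parse_dsn(text)
        for _rcpt, action, verdict in rows:
            if action == "failed":          # hard bounce: remote side refused
                by_sender[sender] += 1
                by_verdict[verdict] += 1
            else:                           # "delayed": still sitting in the queue
                delayed[sender] += 1
    return by_sender, by_verdict, delayed
```

The account with the highest failed count is the one the spam is being relayed through; the delayed count is what `postqueue -p` would still show until the queue is flushed.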

So basically what I see here:
X-Sieve: Pigeonhole Sieve 0.4.21 (92477967)
X-Sieve-Redirected-From: service@xxxxx.net
Delivered-To: service@xxxxx.net
Received: from box.xxxxx.net ([127.0.0.1])
by box.xxxxx.net with LMTP id aMtnLfqXpF9+CwAA0ggTEg
for service@xxxxx.net; Thu, 05 Nov 2020 19:25:30 -0500
Received: from mail.pedagogusok.hu (mail.pedagogusok.hu [79.172.249.23])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by box.xxxxx.net (Postfix) with ESMTPS id D8252867CC
for service@xxxxx.net; Thu, 5 Nov 2020 19:25:26 -0500 (EST)
Authentication-Results: box.xxxxx.net; dmarc=none (p=none dis=none) header.from=ispconfig.swnet.hu
Received: by mail.pedagogusok.hu (Postfix)
id EA9EF2C0EA; Fri, 6 Nov 2020 01:25:25 +0100 (CET)
Date: Fri, 6 Nov 2020 01:25:25 +0100 (CET)
From: MAILER-DAEMON@ispconfig.swnet.hu (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender

OK, I was able to remove all email from the queue with this command:
sudo postsuper -d ALL

This is nuts, I have a 32-character-long password for that email. I will have to see how this could have happened. Will set up more SMTP-only emails to see which server has an email password problem.

I recall reading an article some years back that a security executive (maybe CIO?) at Microsoft used to think that password security relied on the complexity of the password. However, he decided to actually study the problem and published his findings that the vast majority of password security issues are related to bad guys just getting the password somewhere else, and only a handful of issues were related to password complexity.

So you probably want to look more closely at where that password is used, including mail clients accessing compromised accounts.

Thanks for the response. Yes, I agree; this email is used on many servers. We will find which one has the security issue by creating one specific email for each server.

With a DIFFERENT password on each server – that is the key.

Yes, of course, a new 24-character password on each email account.


This is nuts how fast this is all happening. The problem started yesterday evening. I stopped the server all night; this morning I cleaned all the mail in the queue, 4000 of them.
And already this morning my server score has dropped significantly.
I hope that since we fixed it that fast it should not get our IP banned on all spam databases.

Time. It will take time to recover. Many of the important blacklists are indeed dynamic, so your reputation will return to normal.
