Stop junk/spammers from sending email using my server

Hi, I just set up a new mail server with MIAB, and in the logs I keep seeing new outgoing email to addresses I have never seen. There are 0 users on the server, and that makes me wonder: does MIAB have any method to block these scammers?

Can you share these logs you are referring to …

```
0, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mtrotter00@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mtrue24@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mtrueblood50@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mtrufant@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mts9@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<mtsantamaria@yahoo.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[35
```

There is a ton of this.
Should such activity not be blocked?
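What the pasted lines show is one Postfix queue ID (662EF13E4EF7) fanned out to a long list of recipients at one provider, all deferred by the relay and sitting in the queue for roughly eight hours (delay=29850 seconds). The script below is an added example written for this thread, not code from Mail-in-a-Box; it parses `postfix/smtp` delivery lines of that shape, groups them by queue ID, and flags queue IDs that were sent to many distinct recipients and are still deferred after a long time. The sample lines are constructed to mirror the paste (the `MAILGUN_IP` placeholder is kept, the recipient addresses are made up); the thresholds in `suspicious()` are assumptions to tune for your own box.

```python
"""Group Postfix smtp delivery log lines by queue ID and flag bulk, stuck sends.

Added example for this thread, not MIAB code. It reads "postfix/smtp" lines
like the ones pasted above and reports, per queue ID, how many distinct
recipients one message was fanned out to, which relay it went through, the
delivery statuses seen, and how long the message has been in the queue.
"""
import re
from collections import defaultdict

# Fields Postfix writes on a delivery-attempt line; everything after status= is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+)"
)

# Constructed sample modelled on the thread's paste (MAILGUN_IP is the
# poster's placeholder; recipient addresses are made up).
SAMPLE_LOG = """\
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<a1@example.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<a2@example.com>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:38:45 box postfix/smtp[4129]: 662EF13E4EF7: to=<a3@example.net>, relay=smtp.mailgun.org[MAILGUN_IP]:25, delay=29850, delays=29819/30/0.55/0.31, dsn=4.0.0, status=deferred (host smtp.mailgun.org[MAILGUN_IP] said: 421 Mailgun temporarily unavailable, please try again later. (in reply to end of DATA command))
Mar 15 01:40:02 box postfix/smtp[4130]: 1A2B3C4D5E6F: to=<friend@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""


def parse_lines(text):
    """Yield one dict per parsable delivery line; lines of other shapes are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["delay"] = float(rec["delay"])  # seconds since the message arrived
            yield rec


def summarize(text):
    """Per queue ID: distinct recipients, relay hosts, statuses and the longest queue age."""
    per_qid = defaultdict(lambda: {"recipients": set(), "relays": set(),
                                   "statuses": set(), "max_delay": 0.0})
    for rec in parse_lines(text):
        q = per_qid[rec["qid"]]
        q["recipients"].add(rec["rcpt"].lower())
        q["relays"].add(rec["relay"].split("[")[0])  # drop the [ip]:port part
        q["statuses"].add(rec["status"])
        q["max_delay"] = max(q["max_delay"], rec["delay"])
    return dict(per_qid)


def suspicious(text, min_recipients=3, min_delay_s=3600):
    """Queue IDs fanned out to many recipients and still deferred after min_delay_s.

    The thresholds are assumptions for illustration; a real mailbox server
    with a handful of users rarely queues one message to dozens of strangers.
    """
    flagged = []
    for qid, q in summarize(text).items():
        if (len(q["recipients"]) >= min_recipients
                and q["max_delay"] >= min_delay_s
                and "deferred" in q["statuses"]):
            flagged.append(qid)
    return sorted(flagged)


if __name__ == "__main__":
    for qid, q in summarize(SAMPLE_LOG).items():
        print(f"{qid}: {len(q['recipients'])} recipients via "
              f"{','.join(sorted(q['relays']))}, status={','.join(sorted(q['statuses']))}, "
              f"queued {q['max_delay'] / 3600:.1f} h")
    print("flagged:", suspicious(SAMPLE_LOG))
```

Feed it `/var/log/mail.log` instead of the sample and the flagged queue IDs are the ones to look up with `postcat -q` to see which sender address and submission path they came in through.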

@alento nobody knows about my email server IP, and that makes me wonder too.
Then the logs say info@mybox does not exist, so I created the user, and now I have received a thousand failed delivery emails into my info@mybox. And I notice the sender is info@mybox. To my understanding a basic block method should be invoked, such that if user@mybox is not a real user in my DB then it should not even be trying to send it.
Does MIAB have a block mechanism for scammers trying to use my server to send emails?
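The bounce quoted in the next post is Postfix's own delivery status notification: `Reporting-MTA` is the box itself and `X-Postfix-Sender` is the local address the message was submitted under, so the box accepted and queued that message before the remote sites refused it. The script below is an added example for this thread, not Mail-in-a-Box code; it parses the machine-readable part of such a bounce (the `Reporting-MTA` block followed by one block per recipient), lists the failed recipients with their status codes, and flags bounces whose sender is in the local domain but is not a provisioned mailbox, which is the pattern described above. The sample report is constructed from the structure of the quoted one (addresses, domain and queue ID are made up), and the `known_users` list is an assumed stand-in for the server's real user list.

```python
"""Parse a Postfix bounce report and flag bounces for unknown local senders.

Added example for this thread, not MIAB code. The input is the
machine-readable section of a delivery status notification: a header
block (Reporting-MTA, X-Postfix-Sender, ...) and then one block per
recipient (Final-Recipient, Action, Status, Diagnostic-Code, ...),
with continuation lines indented.
"""

# Constructed sample modelled on the report quoted in the thread.
SAMPLE_DSN = """\
Reporting-MTA: dns; box.example.com
X-Postfix-Queue-ID: 0000DEADBEEF
X-Postfix-Sender: rfc822; info@box.example.com
Arrival-Date: Sat, 14 Mar 2020 13:57:12 +0300 (+03)

Final-Recipient: rfc822; someone@example.net
Original-Recipient: rfc822;someone@example.net
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.example.net
Diagnostic-Code: smtp; 550 5.1.1 Recipient someone@example.net does not
    exist here.

Final-Recipient: rfc822; other@example.org
Original-Recipient: rfc822;other@example.org
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx01.example.org
Diagnostic-Code: smtp; 550 5.7.1 Message rejected due to local policy.
"""


def _unfold(text):
    """Join indented continuation lines onto the field line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_dsn(text):
    """Return (per-message fields, [per-recipient field dicts]); blocks are blank-line separated."""
    blocks, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks[0], blocks[1:]


def _address(field):
    """'rfc822; user@host' -> 'user@host' (the address-type prefix may be missing)."""
    return field.split(";", 1)[-1].strip().lower()


def failed_recipients(text):
    """[(recipient, status code)] for every recipient block with Action: failed."""
    _, rcpts = parse_dsn(text)
    return [(_address(r["Final-Recipient"]), r["Status"])
            for r in rcpts if r.get("Action") == "failed"]


def unknown_local_sender(text, local_domain, known_users):
    """True when the bounced sender is in our domain but is not a real mailbox.

    known_users is an assumed stand-in for the server's actual user list.
    """
    head, _ = parse_dsn(text)
    sender = _address(head.get("X-Postfix-Sender", ""))
    _, _, domain = sender.rpartition("@")
    return domain == local_domain.lower() and sender not in {u.lower() for u in known_users}


if __name__ == "__main__":
    head, _ = parse_dsn(SAMPLE_DSN)
    print("reported by:", head["Reporting-MTA"], "sender:", head["X-Postfix-Sender"])
    for rcpt, status in failed_recipients(SAMPLE_DSN):
        print(f"  failed {rcpt} ({status})")
    print("unknown local sender:",
          unknown_local_sender(SAMPLE_DSN, "box.example.com", ["admin@box.example.com"]))
```

A bounce for which `unknown_local_sender` is true was generated by your own Postfix for a message it had already accepted with a forged local envelope sender; the useful follow-up is to look at the queue ID in `X-Postfix-Queue-ID` in `mail.log` to see which client or submission path handed it in.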

This is a sample of what they are trying to send.

```
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<belton.burgess@tds.net>: host mx.tds.net[64.8.70.104] said: 550 5.1.1 [R2]
    Recipient belton.burgess@tds.net does not exist here. (in reply to RCPT TO
    command)

<beltran6mx77@icloud.com>: host mx01.mail.icloud.com[17.57.152.9] said: 550
    5.7.1 [CS01] Message rejected due to local policy. Please visit
    https://support.apple.com/en-us/HT204137 (in reply to end of DATA command)


Reporting-MTA: dns; box.mydomain.com
X-Postfix-Queue-ID: 8277E13E37C0
X-Postfix-Sender: rfc822; info@box.mydomain.com
Arrival-Date: Sat, 14 Mar 2020 13:57:12 +0300 (+03)

Final-Recipient: rfc822; belton.burgess@tds.net
Original-Recipient: rfc822;belton.burgess@tds.net
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.tds.net
Diagnostic-Code: smtp; 550 5.1.1 [R2] Recipient belton.burgess@tds.net does not
    exist here.

Final-Recipient: rfc822; beltran6mx77@icloud.com
Original-Recipient: rfc822;beltran6mx77@icloud.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx01.mail.icloud.com
Diagnostic-Code: smtp; 550 5.7.1 [CS01] Message rejected due to local policy.
    Please visit https://support.apple.com/en-us/HT204137

---------------------------------------------------------------------------
From: Inspector James Edwards
Subject: SHIPMENT OF YOUR CONSIGNMENT TRUNK BOXES VALUED US$4M EACH
Head Officer-in-Charge
Administrative Service Inspection Unit
P.O. Box 20509 Atlanta, GA 30320

ATTENTION: I am James Edwards Head of Inspection Unit United Nations Inspection Agency in Harts field-Jackson International Airport Atlanta, Georgia. During our investigation, I discovered an abandoned shipment through a diplomat from United Kingdom which was transferred from JF Kennedy Airport to our facility here in Atlanta, and when scanned it revealed an undisclosed sum of money in 2 Metal Trunk Boxes weighing approximately 242.508IBS each.

The consignment boxes were abandoned because the Content was not properly declared by the consignee as money rather it was declared as personal Effect/classified document to either avoid diversion by the Shipping agent or confiscation by the relevant authorities. The diplomat's inability to pay for non inspection fees among other things are the reason why the consignment is delayed and abandoned. By my assessment, each of the boxes contains about $4M or more. They are still left in the airport storage facility till today. The Consignments like I said are two metal trunk boxes

I need all the guarantee that I can get from you before I can get involved in this project. Please Reply this email strictly at (edwardsofficials@gmail.com ) with reconfirmation of your Full Name, Home Address, City, State and Telephone number.

Sincerely,

James Edwards,
Head Officer-in-Charge,
Administrative Service Inspection Unit.
E-mail: edwardsofficials@gmail.com
```

Are these logs heavily sanitized? Usually Postfix log entries are really easy to figure out, but I can’t really tell what’s going on here, though that doesn’t necessarily mean anything.

For example, is this someone else trying to spam using Mailgun as a relay and your domain as the sender? I don’t see the connection entries, but maybe there aren’t any for port 25.

Did you do anything to Ubuntu prior to installation?

Is there anything installed to the server besides MiaB?

Do you have any devices configured to use MiaB, and could one of them be infected and sending spam?
