Email spoofing 1

#1 Thu, 05/30/2013 - 23:34
AllanIT

Hi guys

I am having two email spoofing problems that I will discuss in separate posts. The first one is that my server has in the last few days started to receive thousands of email spoofs like the ones below. I have fail2ban installed and the IP addresses are being banned for a period of time; however, every time one is banned another takes its place. I would normally see 0 to 15 bans a day and at the present time I am seeing several thousand.

Can anyone suggest any additional measures I could take to stop/reduce the amount of this type of hacking?

May 31 10:34:26 myserver postfix/smtpd[25959]: connect from unknown[213.174.104.41]
May 31 10:34:27 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[213.174.104.41]: 550 5.1.1 <eed0fbd@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<vociferatesez7@google.com> to=<eed0fbd@myvserver.com.au> proto=ESMTP helo=<[213.174.104.41]>
May 31 10:34:27 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[213.174.104.41]: 550 5.1.1 <c4fe0b7@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<vociferatesez7@google.com> to=<c4fe0b7@myvserver.com.au> proto=ESMTP helo=<[213.174.104.41]>
May 31 10:34:27 myserver postfix/smtpd[25959]: disconnect from unknown[213.174.104.41]
May 31 10:35:24 myserver postfix/smtpd[25959]: warning: hostname Dynamic-IP-186146250207.cable.net.co does not resolve to address 186.146.250.207: Name or service not known
May 31 10:35:24 myserver postfix/smtpd[25959]: connect from unknown[186.146.250.207]
May 31 10:35:25 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[186.146.250.207]: 550 5.1.1 <e51f54b91d@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<digitize1@google.com> to=<e51f54b91d@myvserver.com.au> proto=ESMTP helo=<Dynamic-IP-186146250207.cable.net.co>
May 31 10:35:25 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[186.146.250.207]: 550 5.1.1 <d1f8ad21e@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<digitize1@google.com> to=<d1f8ad21e@myvserver.com.au> proto=ESMTP helo=<Dynamic-IP-186146250207.cable.net.co>
May 31 10:35:26 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[186.146.250.207]: 550 5.1.1 <b9f7f2bda0@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<abstainsq4@google.com> to=<b9f7f2bda0@myvserver.com.au> proto=ESMTP helo=<Dynamic-IP-186146250207.cable.net.co>
May 31 10:35:27 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[186.146.250.207]: 550 5.1.1 <cfc2e15b3f@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<querieduv7@google.com> to=<cfc2e15b3f@myvserver.com.au> proto=ESMTP helo=<Dynamic-IP-186146250207.cable.net.co>
May 31 10:35:27 myserver postfix/smtpd[25959]: disconnect from unknown[186.146.250.207]
May 31 10:36:21 myserver postfix/smtpd[25540]: timeout after RSET from unknown[190.14.32.33]
May 31 10:36:21 myserver postfix/smtpd[25540]: disconnect from unknown[190.14.32.33]
May 31 10:36:27 myserver postfix/smtpd[25959]: warning: hostname adsl-201-190-117-19.une.net.co does not resolve to address 201.190.117.19: Name or service not known
May 31 10:36:27 myserver postfix/smtpd[25959]: connect from unknown[201.190.117.19]
May 31 10:36:28 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[201.190.117.19]: 550 5.1.1 <d6d9b8eac@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<scriptwriters330@google.com> to=<d6d9b8eac@myvserver.com.au> proto=ESMTP helo=<201-190-117-19.une.net.co>
May 31 10:36:28 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[201.190.117.19]: 550 5.1.1 <af8744bf@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<scriptwriters330@google.com> to=<af8744bf@myvserver.com.au> proto=ESMTP helo=<201-190-117-19.une.net.co>
May 31 10:36:28 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[201.190.117.19]: 550 5.1.1 <d61837e2bd7d472b5b@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<scriptwriters330@google.com> to=<d61837e2bd7d472b5b@myvserver.com.au> proto=ESMTP helo=<201-190-117-19.une.net.co>
May 31 10:36:28 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[201.190.117.19]: 550 5.1.1 <a9265e8a0@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<scriptwriters330@google.com> to=<a9265e8a0@myvserver.com.au> proto=ESMTP helo=<201-190-117-19.une.net.co>
May 31 10:36:28 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[201.190.117.19]: 550 5.1.1 <cbcd2cb0d@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<scriptwriters330@google.com> to=<cbcd2cb0d@myvserver.com.au> proto=ESMTP helo=<201-190-117-19.une.net.co>
May 31 10:36:29 myserver postfix/smtpd[25959]: disconnect from unknown[201.190.117.19]
May 31 10:42:49 myserver postfix/smtpd[26196]: connect from pc-96-16-47-190.cm.vtr.net[190.47.16.96]
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <c48f012248@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<c48f012248@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <cb34438d7fedfe81@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<cb34438d7fedfe81@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <bfec9fcc42e93e@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<bfec9fcc42e93e@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <c45086a4@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<c45086a4@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <ee1d55a8ca@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<ee1d55a8ca@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
May 31 10:42:50 myserver postfix/smtpd[26196]: disconnect from pc-96-16-47-190.cm.vtr.net[190.47.16.96]
May 31 10:43:54 myserver postfix/smtpd[26196]: connect from pc-71-99-164-190.cm.vtr.net[190.164.99.71]
May 31 10:43:55 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-71-99-164-190.cm.vtr.net[190.164.99.71]: 550 5.1.1 <edc69f398@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<betokenb082@google.com> to=<edc69f398@myvserver.com.au> proto=ESMTP helo=<pc-71-99-164-190.cm.vtr.net>
May 31 10:43:55 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-71-99-164-190.cm.vtr.net[190.164.99.71]: 550 5.1.1 <cdbb658792@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<betokenb082@google.com> to=<cdbb658792@myvserver.com.au> proto=ESMTP helo=<pc-71-99-164-190.cm.vtr.net>
May 31 10:43:55 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-71-99-164-190.cm.vtr.net[190.164.99.71]: 550 5.1.1 <c156cc82ba632b@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<betokenb082@google.com> to=<c156cc82ba632b@myvserver.com.au> proto=ESMTP helo=<pc-71-99-164-190.cm.vtr.net>
May 31 10:43:55 myserver postfix/smtpd[26196]: disconnect from pc-71-99-164-190.cm.vtr.net[190.164.99.71]
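Added example (not from the original post or from Postfix/fail2ban): a small Python detector run over a handful of the log lines above, to pull out the signals a practitioner would want before deciding on extra restrictions. It parses the `NOQUEUE: reject: RCPT` lines, flags per event whether the client had no reverse DNS, used an IP literal as HELO, claimed a google.com/gmail.com sender from a client that is plainly not Google, and asked for a recipient whose local part is a random hex string, then counts rejects per source IP the way a fail2ban `maxretry` filter would. The sample log is a constructed excerpt copied from the post; the set of "spoofed" sender domains and the hex-localpart heuristic are assumptions for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: lines copied from the posted log (not a live capture).
SAMPLE_LOG = """\
May 31 10:34:26 myserver postfix/smtpd[25959]: connect from unknown[213.174.104.41]
May 31 10:34:27 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[213.174.104.41]: 550 5.1.1 <eed0fbd@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<vociferatesez7@google.com> to=<eed0fbd@myvserver.com.au> proto=ESMTP helo=<[213.174.104.41]>
May 31 10:34:27 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[213.174.104.41]: 550 5.1.1 <c4fe0b7@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<vociferatesez7@google.com> to=<c4fe0b7@myvserver.com.au> proto=ESMTP helo=<[213.174.104.41]>
May 31 10:35:24 myserver postfix/smtpd[25959]: warning: hostname Dynamic-IP-186146250207.cable.net.co does not resolve to address 186.146.250.207: Name or service not known
May 31 10:35:25 myserver postfix/smtpd[25959]: NOQUEUE: reject: RCPT from unknown[186.146.250.207]: 550 5.1.1 <e51f54b91d@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<digitize1@google.com> to=<e51f54b91d@myvserver.com.au> proto=ESMTP helo=<Dynamic-IP-186146250207.cable.net.co>
May 31 10:42:49 myserver postfix/smtpd[26196]: NOQUEUE: reject: RCPT from pc-96-16-47-190.cm.vtr.net[190.47.16.96]: 550 5.1.1 <c48f012248@myvserver.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<lemoningwsi6042@google.com> to=<c48f012248@myvserver.com.au> proto=ESMTP helo=<pc-96-16-47-190.cm.vtr.net>
"""

# One Postfix smtpd RCPT reject line, in the format shown in the post.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>\S+?)\[(?P<ip>[\d.]+)\]: "
    r"(?P<status>\d{3} \d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

# Assumption for the example: sender domains whose mail never legitimately
# originates from a residential client. A real deployment would check SPF instead.
SPOOFED_SENDER_DOMAINS = {"google.com", "gmail.com"}

# Heuristic (assumption): the recipients in the post are all short hex strings.
HEX_LOCALPART = re.compile(r"^[0-9a-f]{6,}$")


def parse_rejects(log_text):
    """Return one dict per RCPT reject line; other lines are ignored."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.search(line))]


def is_address_literal(helo):
    """True when HELO is an IP literal such as [213.174.104.41]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def classify(event):
    """Indicators for one reject event (a set of short labels)."""
    flags = set()
    if event["rdns"] == "unknown":          # Postfix logs 'unknown' when rDNS fails
        flags.add("no_rdns")
    if is_address_literal(event["helo"]):
        flags.add("helo_ip_literal")
    sender_domain = event["sender"].rpartition("@")[2].lower()
    if sender_domain in SPOOFED_SENDER_DOMAINS and not event["rdns"].lower().endswith(sender_domain):
        flags.add("sender_domain_spoofed")
    if HEX_LOCALPART.match(event["rcpt"].partition("@")[0]):
        flags.add("random_recipient")
    if event["status"].startswith("550 5.1.1"):
        flags.add("unknown_user")
    return flags


def summarize(events, maxretry=8):
    """Per-IP counts plus the IPs a maxretry-style filter would ban."""
    per_ip = Counter(e["ip"] for e in events)
    return {
        "rejects": len(events),
        "sources": len(per_ip),
        "per_ip": dict(per_ip),
        "banned": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
    }


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    for e in evs:
        print(e["ip"], e["sender"], "->", e["rcpt"], sorted(classify(e)))
    print(summarize(evs, maxretry=8))
```

With the poster's threshold of 8, none of the sources in this excerpt would be banned: each IP makes only a few attempts before the next one takes over, which is why per-IP banning alone is not keeping up. The flags map onto checks Postfix can apply at SMTP time before fail2ban is involved: `no_rdns` to `reject_unknown_reverse_client_hostname`, the dynamic-looking hosts to a DNS blocklist via `reject_rbl_client`, and `sender_domain_spoofed` to an SPF check (the heuristic here is a crude stand-in). Postfix's `postscreen` can also be put in front of `smtpd` to drop many such clients before they reach the recipient check.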
Fri, 05/31/2013 - 08:23
andreychek

Howdy,

So just to clarify -- what you're seeing here are hosts that connect, and guess at email addresses to send email to?

And for some reason lately you've seen a pretty significant increase in the amount of attempts to guess at what email addresses are on your system?

-Eric

Fri, 05/31/2013 - 23:08
AllanIT

Hi Eric

Not really. What we are seeing is a concentrated spoofing attack as described in http://en.wikipedia.org/wiki/Email_spoofing

What they are doing is contacting my server from another (third party) server (probably hacked) but claiming the email is coming from a Google or Gmail email address; then my server responds to Google or Gmail with the standard 'that email address is not available' response.

Under normal circumstances what happens is that after 8 of these spoofs from a single IP address, fail2ban kicks in and the IP address is banned for a period of time, and that is the end of it. They usually go away. Usually I see 0 to 15 of these bans in one day.

However, currently as soon as one IP address is banned another takes over without more than a few seconds' pause between IP addresses. This tag team of spoofing IP addresses has been going on 24 hours a day for over a week now.

There should be an authority to report this behaviour to and their IP address shut down until the activity is stopped permanently, e.g. they clean up their hacked machine and install firewalls etc.
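Added example (mine, not from the thread or from Postfix): a toy SMTP receiver that replays the dialogue recorded in the posted log, so it is clear at which step the `550 5.1.1 ... User unknown in virtual alias table` reply is given and what a message with a forged `MAIL FROM` is able to cause. The same client commands are run against two policies: rejecting the unknown recipient in-session at `RCPT TO` (the `NOQUEUE` behaviour in the log) and accepting every recipient first and generating a non-delivery report afterwards, which with a forged sender turns into backscatter to the address in `MAIL FROM`. The local domain, the known-user list and the client command sequence are constructed for the example; the reply texts follow Postfix's wording.

```python
import re

LOCAL_DOMAIN = "myvserver.com.au"
KNOWN_USERS = {"allan", "info"}          # assumption: stand-in for the virtual alias table

# Constructed client side of the session seen in the posted log, plus an
# attempt to proceed to DATA with a short body.
SESSION = [
    "HELO [213.174.104.41]",
    "MAIL FROM:<vociferatesez7@google.com>",
    "RCPT TO:<eed0fbd@myvserver.com.au>",
    "RCPT TO:<c4fe0b7@myvserver.com.au>",
    "DATA",
    "Subject: test",
    "",
    "hello",
    ".",
    "QUIT",
]


def _addr(arg):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).lower() if m else arg.lower()


class ToySmtpReceiver:
    """Two policies for a recipient that does not exist locally.

    reject_at_rcpt: answer 550 at RCPT TO; nothing is queued, no bounce exists.
    accept_then_bounce: accept every RCPT, then send an NDR to MAIL FROM.
    """

    def __init__(self, mode):
        assert mode in ("reject_at_rcpt", "accept_then_bounce")
        self.mode = mode
        self.sender, self.accepted, self.in_data = None, [], False
        self.queued, self.bounces = [], []   # (sender, recipient) pairs

    def handle(self, line):
        if self.in_data:                     # consuming message body
            if line != ".":
                return None
            self.in_data = False
            for rcpt in self.accepted:
                if rcpt.rpartition("@")[0] in KNOWN_USERS:
                    self.queued.append((self.sender, rcpt))
                else:                        # only reachable in accept_then_bounce
                    self.bounces.append((self.sender, rcpt))
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 myserver"
        if verb == "MAIL":
            self.sender, self.accepted = _addr(arg), []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _addr(arg)
            local, _, domain = rcpt.rpartition("@")
            if domain != LOCAL_DOMAIN:
                return "554 5.7.1 <%s>: Relay access denied" % rcpt
            if local not in KNOWN_USERS and self.mode == "reject_at_rcpt":
                return ("550 5.1.1 <%s>: Recipient address rejected: "
                        "User unknown in virtual alias table" % rcpt)
            self.accepted.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.accepted:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(mode, client_lines=SESSION):
    """Replay the client commands; return [(command, reply)] and the receiver."""
    srv = ToySmtpReceiver(mode)
    transcript = []
    for line in client_lines:
        reply = srv.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript, srv


if __name__ == "__main__":
    for mode in ("reject_at_rcpt", "accept_then_bounce"):
        transcript, srv = run_session(mode)
        print("==", mode)
        for cmd, reply in transcript:
            print("C:", cmd); print("S:", reply)
        print("queued:", srv.queued, "bounces to MAIL FROM:", srv.bounces)
```

In the `reject_at_rcpt` run the two recipients are refused inside the connection and `DATA` is refused with `554 5.5.1 Error: no valid recipients`, so the receiver holds nothing and has nothing to send anywhere. In the `accept_then_bounce` run the same client gets its message accepted and the receiver ends up owing two non-delivery reports to `vociferatesez7@google.com`, an address the client chose; that is the backscatter that the in-session reject avoids.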
