Dear all, what steps should I take to stop this? I received a number of mails like this today, all of a sudden. I do not have any user like ebihoegac2233 on my server, but the returned mail shows X-Postfix-Sender: rfc822; [email protected]. How can I stop this? What measures should I take?

Code:
Reporting-MTA: dns; dns1s24dcb.secure-24.net
X-Postfix-Queue-ID: 91A658C9C70
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Thu, 19 Aug 2010 10:19:07 -0400 (EDT)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.1.1
Remote-MTA: dns; a.mx.secure-24.net
Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in relay recipient table
I think it's just spammers spoofing a mailbox which doesn't exist on your domain. I'm not entirely sure, but have you tried setting up an SPF record in your DNS?
Yes, I am using SPF, like "v=spf1 mx ~all". Can I make it more stringent? Here I am giving the contents of another returned mail, which even mentions my IP address, i.e. 59.90.144.48:

Code:
Hi. This is the qmail-send program at mail.bsa-romania.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
Received: from mywebsolutions.co.in (59.90.144.48)
  by mail.bsa-romania.com with SMTP; 19 Aug 2010 16:23:00 +0300
From: <[email protected]>
To: [email protected]
Date: Thu, 19 Aug 2010 18:53:02 +0530
Subject: Don't be a killjoy when the lights go off
Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

Check out our latest packages on traditional medical cures
http://www.hammerlabs.ru/
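The bounce above carries the one piece of evidence that settles the spoofing question: the Received: line the remote server wrote when it accepted the message, including the client IP it saw. The script below is an added example for this thread (not code posted by anyone in it) that automates that triage: it pulls the original message out of a bounce, takes the entry-hop Received: header, and checks whether the connecting client was one of the operator's own addresses. The sample bounce, hostnames and addresses are constructed (documentation ranges only), and the list of "our" IPs is an assumed input.

```python
"""Bounce triage: did the spam really leave our server, or was our domain spoofed?

Added example (not code from the thread). It extracts the bounced original from a
bounce, reads the Received: header the bouncing site's SMTP server wrote when it
accepted the message, and compares that client IP with our own addresses.
Foreign client IP + our domain as sender = backscatter from a forged sender.
Our own IP as the client = the message really left our host.
The sample bounce, hostnames and addresses below are constructed for the example.
"""
import re
from email import message_from_string
from email.message import Message
from ipaddress import ip_address

# Constructed sample, modelled on a qmail-send bounce (documentation addresses only).
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at mail.example.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<nobody.here@example.org>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <ebihoegac2233@example.net>
Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
Received: from www.example.net (203.0.113.48)
  by mail.example.org with SMTP; 19 Aug 2010 16:23:00 +0300
From: <ebihoegac2233@example.net>
To: nobody.here@example.org
Subject: Don't be a killjoy when the lights go off
Content-Type: text/plain; charset="ISO-8859-1"

Check out our latest packages on traditional medical cures
"""

QMAIL_SEPARATOR = re.compile(r"^--- Below this line is a copy of the message\.\s*$", re.M)
# IPv4 literal an MTA records for the connecting client, in either the bare
# "(203.0.113.48)" style (qmail) or the "(host [203.0.113.48])" style (Postfix, sendmail).
CLIENT_IP = re.compile(r"\bfrom\b[^;]*?[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def extract_original(bounce_text: str) -> Message:
    """Return the bounced original message as a parsed email.message.Message."""
    m = QMAIL_SEPARATOR.search(bounce_text)
    if m:  # qmail-style plain-text bounce: the original follows the separator line
        return message_from_string(bounce_text[m.end():].lstrip("\r\n"))
    msg = message_from_string(bounce_text)
    if msg.is_multipart():  # RFC 3464 DSN (Postfix and others): message/rfc822 part
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg  # assume the caller already passed the original message


def entry_hop_ip(original: Message):
    """IP of the client that handed the message to the bouncing site, or None.

    MTAs prepend Received: headers, so the topmost one carrying a client address
    was written by the receiving site itself. Anything below it was already in
    the message when it arrived and could have been forged by the sender.
    """
    for hdr in original.get_all("Received", []):
        m = CLIENT_IP.search(hdr.replace("\n", " "))
        if m:
            return ip_address(m.group(1))
    return None


def triage(bounce_text: str, our_ips) -> dict:
    """Classify a bounce as backscatter (spoofed sender) or as mail that left our host."""
    original = extract_original(bounce_text)
    hop = entry_hop_ip(original)
    status = re.search(r"\b([245]\.\d{1,3}\.\d{1,3})\b", bounce_text)  # enhanced status code
    ours = {ip_address(ip) for ip in our_ips}
    if hop is None:
        verdict = "undetermined"
    elif hop in ours:
        verdict = "originated-here"  # our server really sent it: look for a local spam source
    else:
        verdict = "backscatter"      # sender forged elsewhere: no compromise of our host implied
    return {
        "verdict": verdict,
        "entry_hop": str(hop) if hop else None,
        "return_path": original.get("Return-Path"),
        "status": status.group(1) if status else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE, ["203.0.113.48"]))
    print(triage(SAMPLE_BOUNCE, ["198.51.100.7"]))
```

Only the Received: line written by the bouncing site is trusted here; SPF is irrelevant to the verdict, because a message that genuinely connects from the domain's own MX passes "v=spf1 mx" no matter how strict the final qualifier is.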
I'm pretty sure it's nothing to worry about; the fact that your IP is listed in the header is just the recipient's mail server resolving your domain, which has been spoofed anyway. I take it you're receiving these failed delivery reports from the admin account of your mail server?
I am very worried and need a solution ASAP, as after these mails my IP has also shown up in the PBL & CBL databases as blacklisted, and there it is mentioned that:

Code:
This IP is infected (or NATting for a computer that is infected) with the rustock spambot.

So dear HyperAtom and all senior members, please help me take some measures to resolve it.
This may be more serious than I thought; it seems the mail is really coming from your server. The best thing I can think of temporarily is to use the OpenDNS servers, which block botnets, until some of the other members come up with something. Check your ClamAV logs and rkhunter for any warnings.
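Once the mail is known to leave the host, the next question is which process is sending it. A spambot, or a spam script started by a web application, normally opens connections to remote MX servers itself instead of handing mail to Postfix, so nothing shows up in the local mail log; what does show up is an established connection to a remote port 25 owned by something other than the MTA's delivery client. The script below is an added example for this thread (not code from any participant): it parses the output of a command such as `ss -tnp state established '( dport = :25 )'` and flags every owning process that is not in an allow-list of known MTA clients. The ss output is constructed for the example, with a "perl" process planted as the suspect, and the allow-list is an assumption to adjust to the MTA actually installed.

```python
"""Find the process behind outbound spam: established connections to remote
port 25 that are not owned by the MTA's own delivery client.

Added example (not code from the thread). Feed it the output of
    ss -tnp state established '( dport = :25 )'
or an equivalent netstat listing. The sample output below is constructed,
with a "perl" process planted as the suspect.
"""
import re
from collections import defaultdict

# Processes that legitimately open outbound SMTP: Postfix's "smtp" delivery client,
# qmail's "qmail-remote", Sendmail and Exim binaries. Assumption: adjust to the host.
ALLOWED_SMTP_CLIENTS = {"smtp", "qmail-remote", "sendmail", "exim4"}

# Constructed sample of `ss -tnp state established '( dport = :25 )'` output.
SAMPLE_SS = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
0      0      203.0.113.48:41022  198.51.100.20:25     users:(("smtp",pid=2231,fd=12))
0      0      203.0.113.48:41031  192.0.2.77:25        users:(("perl",pid=9731,fd=4))
0      0      203.0.113.48:41032  192.0.2.78:25        users:(("perl",pid=9731,fd=5))
0      0      203.0.113.48:41040  198.51.100.200:25    users:(("perl",pid=9731,fd=6))
0      0      203.0.113.48:41041  198.51.100.201:25    users:(("perl",pid=9731,fd=7))
"""

# One ss line: queues, local addr:port, peer addr:25, then the owning process and pid.
SS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<local>\S+):\d+\s+(?P<peer>\S+):25\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(ss_output):
    """Yield (process name, pid, peer address) for each connection line."""
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            yield m.group("proc"), int(m.group("pid")), m.group("peer")


def suspicious_smtp_senders(ss_output, allowed=ALLOWED_SMTP_CLIENTS):
    """Map pid -> (process name, sorted distinct SMTP peers) for every process
    talking to remote port 25 that is not an allowed MTA delivery client."""
    peers = defaultdict(set)
    names = {}
    for proc, pid, peer in parse_ss(ss_output):
        if proc in allowed:
            continue
        names[pid] = proc
        peers[pid].add(peer)
    return {pid: (names[pid], sorted(peers[pid])) for pid in peers}


def report(ss_output, allowed=ALLOWED_SMTP_CLIENTS):
    """Human-readable findings, with the follow-up commands to identify the binary."""
    lines = []
    for pid, (proc, hosts) in sorted(suspicious_smtp_senders(ss_output, allowed).items()):
        lines.append(f"pid {pid} ({proc}) has {len(hosts)} direct SMTP sessions: {', '.join(hosts)}")
        lines.append(f"  next: ls -l /proc/{pid}/exe /proc/{pid}/cwd; tr '\\0' ' ' < /proc/{pid}/cmdline")
    return lines or ["no outbound SMTP from non-MTA processes"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SS)))
```

Many distinct peers from one pid is the fan-out pattern of a bulk sender; a single `smtp` session from Postfix is normal delivery. Run it a few times, since a bot's sessions are short-lived, and resolve the flagged pid to its executable and working directory before killing it, so the dropper and any cron or web-shell entry that restarts it can be removed too.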