Spam to non existent emails

dreamscafe
New user
Posts: 5
Joined: 2022-05-13 10:07

Spam to non existent emails

Post by dreamscafe » 2022-05-13 10:17

Hello all! Help with settings please?
Sometimes somebody tries to send spam to my mail server mydomain.com, to non-existent mailboxes.
How can I get rid of them?
Log example:
"SMTPD" 5616 198271 "2022-05-12 23:58:27.612" "109.201.22.212" "SENT: 220 mydomain.com"
"SMTPD" 5592 198271 "2022-05-12 23:58:27.680" "109.201.22.212" "RECEIVED: EHLO smtp3.mapnaturbine.com"
"SMTPD" 5592 198271 "2022-05-12 23:58:27.681" "109.201.22.212" "SENT: 250-mydomain.com[nl]250-SIZE 307200000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 5616 198271 "2022-05-12 23:58:27.753" "109.201.22.212" "RECEIVED: MAIL FROM:<> SIZE=17604"
"SMTPD" 5616 198271 "2022-05-12 23:58:27.754" "109.201.22.212" "SENT: 250 OK"
"SMTPD" 5600 198271 "2022-05-12 23:58:27.832" "109.201.22.212" "RECEIVED: RCPT TO:<nxskcpy@mydomain.com>"
"SMTPD" 5600 198271 "2022-05-12 23:58:27.835" "109.201.22.212" "SENT: 550 Unknown user"
"SMTPD" 5600 198271 "2022-05-12 23:58:27.906" "109.201.22.212" "RECEIVED: QUIT"
"SMTPD" 5600 198271 "2022-05-12 23:58:27.952" "109.201.22.212" "SENT: 221 goodbye"
"SMTPD" 5616 198276 "2022-05-12 23:58:34.670" "195.29.150.139" "SENT: 220 mydomain.com"
"SMTPD" 5620 198276 "2022-05-12 23:58:34.752" "195.29.150.139" "RECEIVED: EHLO mailout2.t-com.hr"
"SMTPD" 5620 198276 "2022-05-12 23:58:34.771" "195.29.150.139" "SENT: 250-mydomain.com[nl]250-SIZE 307200000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 5616 198276 "2022-05-12 23:58:34.856" "195.29.150.139" "RECEIVED: MAIL FROM:<>"
"SMTPD" 5616 198276 "2022-05-12 23:58:34.858" "195.29.150.139" "SENT: 250 OK"
"SMTPD" 5592 198276 "2022-05-12 23:58:34.940" "195.29.150.139" "RECEIVED: RCPT TO:<hjsziwgx@mydomain.com>"
"SMTPD" 5592 198276 "2022-05-12 23:58:34.943" "195.29.150.139" "SENT: 550 Unknown user"
"SMTPD" 5620 198276 "2022-05-12 23:58:35.128" "195.29.150.139" "RECEIVED: RSET"
"SMTPD" 5620 198276 "2022-05-12 23:58:35.129" "195.29.150.139" "SENT: 250 OK"
"SMTPD" 5592 198276 "2022-05-12 23:58:35.210" "195.29.150.139" "RECEIVED: QUIT"
"SMTPD" 5592 198276 "2022-05-12 23:58:35.211" "195.29.150.139" "SENT: 221 goodbye"
"SMTPD" 5616 198278 "2022-05-12 23:58:36.029" "87.120.176.62" "SENT: 220 mydomain.com"
"SMTPD" 5620 198278 "2022-05-12 23:58:36.113" "87.120.176.62" "RECEIVED: EHLO web24.netinfo.bg"
"SMTPD" 5620 198278 "2022-05-12 23:58:36.138" "87.120.176.62" "SENT: 250-mydomain.com[nl]250-SIZE 307200000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 5600 198278 "2022-05-12 23:58:36.221" "87.120.176.62" "RECEIVED: MAIL FROM:<>"
"SMTPD" 5600 198278 "2022-05-12 23:58:36.223" "87.120.176.62" "SENT: 250 OK"
"SMTPD" 5616 198278 "2022-05-12 23:58:36.308" "87.120.176.62" "RECEIVED: RCPT TO:<wyspsu@mydomain.com>"
"SMTPD" 5616 198278 "2022-05-12 23:58:36.310" "87.120.176.62" "SENT: 550 Unknown user"
"SMTPD" 5620 198278 "2022-05-12 23:58:36.395" "87.120.176.62" "RECEIVED: RSET"
"SMTPD" 5620 198278 "2022-05-12 23:58:36.397" "87.120.176.62" "SENT: 250 OK"
"SMTPD" 5616 198278 "2022-05-12 23:58:36.481" "87.120.176.62" "RECEIVED: QUIT"
"SMTPD" 5616 198278 "2022-05-12 23:58:36.482" "87.120.176.62" "SENT: 221 goodbye"
"SMTPD" 5616 198291 "2022-05-12 23:58:51.628" "37.26.170.60" "SENT: 220 mydomain.com"
"SMTPD" 5592 198291 "2022-05-12 23:58:51.744" "37.26.170.60" "RECEIVED: EHLO freenet.am"
"SMTPD" 5592 198291 "2022-05-12 23:58:51.746" "37.26.170.60" "SENT: 250-mydomain.com[nl]250-SIZE 307200000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 5616 198291 "2022-05-12 23:58:51.861" "37.26.170.60" "RECEIVED: MAIL From:<>"
"SMTPD" 5616 198291 "2022-05-12 23:58:51.864" "37.26.170.60" "SENT: 250 OK"
"SMTPD" 5592 198291 "2022-05-12 23:58:51.979" "37.26.170.60" "RECEIVED: RCPT To:<xujoi@mydomain.com>"
"SMTPD" 5592 198291 "2022-05-12 23:58:51.983" "37.26.170.60" "SENT: 550 Unknown user"
"SMTPD" 5620 198291 "2022-05-12 23:58:52.099" "37.26.170.60" "RECEIVED: DATA"
"SMTPD" 5620 198291 "2022-05-12 23:58:52.100" "37.26.170.60" "SENT: 503 Must have sender and recipient first."
"SMTPD" 5616 198291 "2022-05-12 23:58:52.215" "37.26.170.60" "RECEIVED: RSET"
"SMTPD" 5616 198291 "2022-05-12 23:58:52.216" "37.26.170.60" "SENT: 250 OK"
"SMTPD" 5592 198291 "2022-05-12 23:58:52.350" "37.26.170.60" "RECEIVED: QUIT"
"SMTPD" 5592 198291 "2022-05-12 23:58:52.351" "37.26.170.60" "SENT: 221 goodbye"

jimimaseye
Moderator
Posts: 9539
Joined: 2011-09-08 17:48

Re: Spam to non existent emails

Post by jimimaseye » 2022-05-13 12:15

You don't really need to do anything. That is the world of the internet - you will see these attempts all the time.

You can (if you wish) review your AUTOBAN settings. Also, implement an antispam feature (such as SpamAssassin) just in case they do manage to get through.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

dreamscafe
New user
Posts: 5
Joined: 2022-05-13 10:07

Re: Spam to non existent emails

Post by dreamscafe » 2022-05-13 12:28

jimimaseye wrote:
2022-05-13 12:15
You don't really need to do anything. That is the world of the internet - you will see these attempts all the time.

You can (if you wish) review your AUTOBAN settings. Also, implement an antispam feature (such as SpamAssassin) just in case they do manage to get through.
It's sad :( Thanks!
May I ask another question? It's a little about something else and requires a little explanation.
My domain is not included in any spam lists.
But with such "attacks" my mail level grows several times on the talosintelligence.com service, which is why @gmail.com stops accepting my letters.
Only Google and only when I have an elevated mail level on this particular service. Don't know what to do with it?

palinka
Senior user
Posts: 3588
Joined: 2017-09-12 17:57

Re: Spam to non existent emails

Post by palinka » 2022-05-13 13:09

dreamscafe wrote:
2022-05-13 12:28
My domain is not included in any spam lists.
Did you check your IP?

dreamscafe wrote:
But with such "attacks" my mail level grows several times on the talosintelligence.com service, which is why @gmail.com stops accepting my letters.
Only Google and only when I have an elevated mail level on this particular service. Don't know what to do with it?

These are all bounce messages. Someone - maybe you - is sending spam from your domain. The messages bounce and you receive the bounces because your mx points to your server. Those spam messages could be spoofed or it could be a bot on your server or internal network. Do you have SPF set to reject? Do you have DMARC set up?
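
An added example, not part of the thread and not hMailServer code: a Python sketch that groups SMTPD log lines by session id and picks out sessions that used the null sender (`MAIL FROM:<>`, the envelope sender of delivery status notifications) and had every recipient rejected with 550. The sample log is constructed in the layout quoted above; the function names and all addresses in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the SMTPD log layout quoted in the thread.
# Session ids, hosts and addresses are made up (documentation ranges).
SAMPLE_LOG = '''
"SMTPD" 5616 101 "2022-05-12 23:58:27.753" "192.0.2.10" "RECEIVED: MAIL FROM:<> SIZE=17604"
"SMTPD" 5600 101 "2022-05-12 23:58:27.832" "192.0.2.10" "RECEIVED: RCPT TO:<nxskcpy@example.test>"
"SMTPD" 5600 101 "2022-05-12 23:58:27.835" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 5616 102 "2022-05-12 23:59:01.100" "198.51.100.7" "RECEIVED: MAIL FROM:<alice@example.org>"
"SMTPD" 5616 102 "2022-05-12 23:59:01.200" "198.51.100.7" "RECEIVED: RCPT TO:<typo@example.test>"
"SMTPD" 5616 102 "2022-05-12 23:59:01.210" "198.51.100.7" "SENT: 550 Unknown user"
"SMTPD" 5592 103 "2022-05-12 23:59:30.000" "203.0.113.5" "RECEIVED: MAIL From:<>"
"SMTPD" 5592 103 "2022-05-12 23:59:30.050" "203.0.113.5" "SENT: 250 OK"
"SMTPD" 5592 103 "2022-05-12 23:59:30.100" "203.0.113.5" "RECEIVED: RCPT To:<postmaster@example.test>"
"SMTPD" 5592 103 "2022-05-12 23:59:30.110" "203.0.113.5" "SENT: 250 OK"
'''

LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]*)"\s+"(RECEIVED|SENT): (.*)"$')
MAIL = re.compile(r'MAIL FROM:\s*<([^>]*)>', re.I)  # the log shows "FROM" and "From"
RCPT = re.compile(r'RCPT TO:\s*<([^>]*)>', re.I)

def summarize(log_text):
    """Group SMTPD lines by session id; record sender and per-recipient outcome."""
    sessions = defaultdict(lambda: {"ip": None, "sender": None, "rejected": [], "accepted": []})
    pending = {}  # session id -> recipient still waiting for the server's reply
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and other log types
        sid, ip, direction, text = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        if direction == "RECEIVED":
            pending.pop(sid, None)
            if (mm := MAIL.match(text)):
                s["sender"] = mm.group(1)  # "" means the null sender <>
            elif (mr := RCPT.match(text)):
                pending[sid] = mr.group(1)
        elif sid in pending:  # first SENT line after RCPT is its reply
            rcpt = pending.pop(sid)
            (s["rejected"] if text.startswith("550") else s["accepted"]).append(rcpt)
    return dict(sessions)

def backscatter_sessions(sessions):
    """Null-sender sessions in which every recipient was rejected as unknown."""
    return {sid: s for sid, s in sessions.items()
            if s["sender"] == "" and s["rejected"] and not s["accepted"]}
```

Counting these sessions per day and per remote IP shows when a wave of bounces to random local parts starts and stops, which can be compared against the dates of a reputation drop.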

palinka
Senior user
Posts: 3588
Joined: 2017-09-12 17:57

Re: Spam to non existent emails

Post by palinka » 2022-05-13 13:19

Also, I just searched for my domain on talosintelligence.com and literally everything was wrong, from owner of the domain to whois to fwd/rvs dns testing.

The only thing that was correct was the geoip.

There's no explanation as to how they get their "mail volume" data. I assume it's scraped from Cisco routers sending data back to the mothership. What else are they collecting?

edit - and yeah, if they're scraping data and that's how they know your volume goes up, then it increases the likelihood that it's your IP sending spam. You should check your logs and run an antivirus sweep on your network.

dreamscafe
New user
Posts: 5
Joined: 2022-05-13 10:07

Re: Spam to non existent emails

Post by dreamscafe » 2022-05-13 14:21

palinka wrote:
2022-05-13 13:09
Did you check your IP?

These are all bounce messages. Someone - maybe you - is sending spam from your domain. The messages bounce and you receive the bounces because your mx points to your server. Those spam messages could be spoofed or it could be a bot on your server or internal network. Do you have SPF set to reject? Do you have DMARC set up?
Yes, of course, I check my address and domain in different spam lists, everything is clean.
I also configured all records. I spent a lot of time setting it all up.

Status Ok	DMARC Record Published	DMARC Record found
Status Ok	DMARC Syntax Check	The record is valid
Status Ok	DMARC External Validation	All external domains in your DMARC record are giving permission to send them DMARC reports.
Status Ok	DMARC Multiple Records	Multiple DMARC records corrected to a single record.
Status Ok	DMARC Policy Not Enabled	DMARC Quarantine/Reject policy enabled

Status Ok	DMARC Record Published	DMARC Record found
Status Ok	DMARC Policy Not Enabled	DMARC Quarantine/Reject policy enabled
Status Ok	DNS Record Published	DNS Record found

Status Ok	DKIM Record Published	DKIM Record found
Status Ok	DKIM Syntax Check	The record is valid
Status Ok	DKIM Public Key Check	Public key is present

Status Ok	SPF Record Published	SPF Record found
Status Ok	SPF Record Deprecated	No deprecated records found
Status Ok	SPF Multiple Records	Less than two records found
Status Ok	SPF Contains characters after ALL	No items after 'ALL'.
Status Ok	SPF Syntax Check	The record is valid
Status Ok	SPF Included Lookups	Number of included lookups is OK
Status Ok	SPF Type PTR Check	No type PTR found
Status Ok	SPF Void Lookups	Number of void lookups is OK
Status Ok	SPF MX Resource Records	Number of MX Resource Records is OK
Status Ok	SPF Record Null Value	No Null DNS Lookups found
Status Ok	SPF Authentication	SPF Passed for IP
I checked my network, there are no viruses or infected devices. Moreover, this began to happen at night when there was no one in the office and all the PCs were turned off.
In addition, this happens very rarely, maybe once every 2-3 months and does not last long.

It's very strange why only Google uses the talosintelligence.com service. Other domains accept my mail.

palinka
Senior user
Posts: 3588
Joined: 2017-09-12 17:57

Re: Spam to non existent emails

Post by palinka » 2022-05-13 15:37

OK. Then all is looking good. Obviously the bounces are caused by someone spoofing your domain as sender (not a bot on your network).

The only other thing you might want to do is register with the Google Postmaster.

https://www.gmail.com/postmaster/

dreamscafe
New user
Posts: 5
Joined: 2022-05-13 10:07

Re: Spam to non existent emails

Post by dreamscafe » 2022-05-26 12:26

Hello everyone again!
Gmail postmaster turned out to be useless. According to the statistics that he collected there, everything is fine.
However, for a whole week now, I have not seen any problems in mailing to non-existent mailboxes. But Google is still not accepting my messages.

What I found. I found a lot of mail checking services.
The senderscore.org service recorded that I had a low mail reputation for a whole week.
Indeed, all this week I was written to non-existent emails.
But why did my reputation drop? After all, if I sent these emails, I would see these messages on my server, in the logs and delivery queue.
Right?

dreamscafe
New user
Posts: 5
Joined: 2022-05-13 10:07

Re: Spam to non existent emails

Post by dreamscafe » 2022-07-27 13:41

A month after that jump in the graph, my reputation improved and there were no more problems.