teachforjune-Scott
12-26-2009, 04:20 PM
I've been getting notices from CSF+LFD for the past month or so (numbering dozens a day) regarding the following:
Time: Sat Dec 26 10:08:01 2009 -0800
Type: RELAY, Remote IP - xxx.xx.xx.xxx (VN/Viet Nam/-)
Count: 3 emails relayed
Blocked: Permanent Block
Sample of the first 10 emails:
2009-12-26 10:07:56 [16406] 1NOb3U-0004Gc-Dc <= 9f.dn@ms21.hinet.net H=([xxx.xx.xx.xxx]) [xxx.xx.xx.xxx]:16744 I=[xxx.xx.xx.xxx]:25 P=esmtp S=1007 id=8629154266.0WR9X16K502740@dvhkrauahyoutix.fizgduemhorle.su T="get your degree now without studying" from <9f.dn@ms21.hinet.net> for michael@domain.com bj@domain.com bjmail@domain.com
They are different destination/recipient/origination domains, some are repeated but there is no pattern. I have SPF enabled on the DNS zones but I don't know how to combat these. Have dozens of email accounts been hacked and now they're using them to send mail?
Any idea how to stop this or prevent it from happening in the future? I've gotten 20 new emails in the past 3 hours regarding these. Each time it happens, I have our firewall permanently block the IP, but more IPs keep popping up.
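A triage script for lines in the format of the Exim log sample quoted above, added here as an example and not part of the original post or of CSF/LFD: it splits `<=` arrival lines into authenticated submissions (an `A=` field is present, so the account itself is the thing to check), unauthenticated mail addressed only to domains this server hosts (ordinary inbound spam), and unauthenticated mail to foreign domains, which is the only category that is a real relay. The sample lines, the documentation-range addresses and the `LOCAL_DOMAINS` set are constructed assumptions, not data from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the Exim main-log "<=" arrival format quoted in
# the alert above. Addresses use documentation ranges; they are not real IoCs.
SAMPLE_LOG = """\
2009-12-26 10:07:56 [16406] 1NOb3U-0004Gc-Dc <= 9f.dn@ms21.hinet.net H=([203.0.113.5]) [203.0.113.5]:16744 I=[198.51.100.10]:25 P=esmtp S=1007 id=1@example.su T="get your degree now" from <9f.dn@ms21.hinet.net> for michael@domain.com bj@domain.com
2009-12-26 10:08:10 [16410] 1NOb3i-0004Gh-Aa <= spam@example.net H=([203.0.113.5]) [203.0.113.5]:16790 I=[198.51.100.10]:25 P=esmtp S=980 id=2@example.su T="cheap degrees" from <spam@example.net> for bob@otherdomain.com
2009-12-26 10:09:02 [16422] 1NOb4Y-0004Gq-Bx <= alice@domain.com H=(laptop) [192.0.2.44]:51022 I=[198.51.100.10]:587 P=esmtpa A=dovecot_login:alice@domain.com S=2310 id=3@domain.com T="lunch" from <alice@domain.com> for carol@otherdomain.com
2009-12-26 10:09:30 [16430] 1NOb50-0004H1-Cc <= other@example.org H=([198.51.100.77]) [198.51.100.77]:2200 I=[198.51.100.10]:25 P=esmtp S=1100 id=4@example.org T="hi" from <other@example.org> for michael@domain.com
"""

LOCAL_DOMAINS = {"domain.com"}  # assumed set of domains this server hosts

# Fields used: remote IP from the H= host part, the incoming interface port,
# the protocol, an optional A= authenticator and the "for" recipient list.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ I=\[[^\]]+\]:(?P<port>\d+) "
    r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))? .*?"
    r"from <[^>]*> for (?P<rcpts>.+)$"
)

def classify(line):
    """Return (remote_ip, kind) for one arrival line, or None if it is not one.
    kind: 'auth'    - A= present: authenticated submission, inspect the account
          'inbound' - no A=, every recipient is local: normal inbound delivery
          'relay'   - no A=, some recipient is non-local: a genuine relay
    """
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rcpts = m.group("rcpts").split()
    if m.group("auth"):
        kind = "auth"
    elif all(r.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS for r in rcpts):
        kind = "inbound"
    else:
        kind = "relay"
    return m.group("ip"), kind

def summarize(log_text):
    """Count (ip, kind) pairs so genuine relays stand out from inbound spam."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            counts[parsed] += 1
    return counts

if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {kind:8} {n}")
```

Run it over `/var/log/exim_mainlog` instead of the sample to see, per remote IP, whether the alerts are inbound spam to hosted domains or actual unauthenticated relays.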
