Continuous sending and bouncing to 2 Australian IP Addesses
Question asked by Dave Stuart - April 27 at 7:38 PM
Unanswered
Hi, I was logged on to my Admin Dashboard and saw some connections popup that were from Iran, Russia, etc. I also saw a Activity from an Anonymous User! I really don't know how this is possible when I have Relay set to Nobody and all 4 domains I have are set to require SMTP authentication. I think it was an SMTP Connection but can't remember. Anyway, I download some log data for this month and found the following entries in there about 25 times for April so far. Can someone tell be what is going on here because I don't understand it. The IP Address is 103.28.41.114 or 103.28.41.113 which is in Australia and the organization is "Campaign Monitor Pty".

Thanks in Advance for any help with this.

[2019.04.01] 12:43:11.373 [32546] MxRecord count: '2' for domain 'cmail19.com'
[2019.04.01] 12:43:11.467 [32547] Starting Spam Checks.
[2019.04.01] 12:43:11.467 [32547] Skipping spam checks: User authenticated
[2019.04.01] 12:43:11.467 [32547] Spam Checks completed.
[2019.04.01] 12:43:11.467 [32547] Removed from SpamCheckQueue (0 queued or processing)
[2019.04.01] 12:43:11.592 [32546] Attempting MxRecord Host Name: 'mx21.inbound.createsend.com', preference '5', Ip Count: '1'
[2019.04.01] 12:43:11.592 [32546] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:11.592 [32546] Sending remote mail to: sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com
[2019.04.01] 12:43:11.592 [32546] Initiating connection to 103.28.41.114
[2019.04.01] 12:43:11.592 [32546] Connecting to 103.28.41.114:25 (Id: 1)
[2019.04.01] 12:43:11.655 [32546] Connection to 103.28.41.114:25 from 192.168.0.101:56705 succeeded (Id: 1)
[2019.04.01] 12:43:11.733 [32546] RSP: 220 inbound.createsend.com SMTP Mon, 01 Apr 2019 18:43:11 +0000
[2019.04.01] 12:43:11.733 [32546] CMD: EHLO mail.dafran.ca
[2019.04.01] 12:43:11.827 [32546] RSP: 250-Hello mail.dafran.ca[10.65.9.15]
[2019.04.01] 12:43:11.827 [32546] RSP: 250-PIPELINING
[2019.04.01] 12:43:11.827 [32546] RSP: 250-8BITMIME
[2019.04.01] 12:43:11.827 [32546] RSP: 250-STARTTLS
[2019.04.01] 12:43:11.827 [32546] RSP: 250-AUTH EXTERNAL CRAM-MD5 LOGIN PLAIN
[2019.04.01] 12:43:11.827 [32546] RSP: 250 SIZE 409600
[2019.04.01] 12:43:11.827 [32546] CMD: MAIL FROM: SIZE=1342
[2019.04.01] 12:43:11.889 [32546] RSP: 553 Bad sender address syntax
[2019.04.01] 12:43:11.889 [32546] CMD: QUIT
[2019.04.01] 12:43:11.952 [32546] RSP: 221 Goodnight and good luck
[2019.04.01] 12:43:11.952 [32546] Attempt to ip, '103.28.41.114' success: 'True'
[2019.04.01] 12:43:11.952 [32546] Delivery for System Administrator to sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com has bounced. Reason: Remote host said: 553 Bad sender address syntax
[2019.04.01] 12:43:11.952 [32546] Delivery for System Administrator to sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com has completed (Bounced)
[2019.04.01] 12:43:11.952 [32546] Removed from RemoteDeliveryQueue (0 queued or processing)
[2019.04.01] 12:43:14.327 [32547] Added to RemoteDeliveryQueue (1 queued; 0/50 processing)
[2019.04.01] 12:43:14.327 [32547] [RemoteDeliveryQueue] Begin Processing.
[2019.04.01] 12:43:14.327 [32547] Sending remote mail for System Administrator
[2019.04.01] 12:43:14.327 [32546] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.01] 12:43:14.327 [32546] Delivery finished for System Administrator at 12:43:14 PM          [id:1292032546]
[2019.04.01] 12:43:14.327 [32547] MxRecord count: '2' for domain 'cmail19.com'
[2019.04.01] 12:43:14.327 [32547] Attempting MxRecord Host Name: 'mx21.inbound.createsend.com', preference '5', Ip Count: '1'
[2019.04.01] 12:43:14.327 [32547] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:14.327 [32547] Sending remote mail to: sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com
[2019.04.01] 12:43:14.327 [32547] Initiating connection to 103.28.41.114
[2019.04.01] 12:43:14.327 [32547] Connecting to 103.28.41.114:25 (Id: 1)
[2019.04.01] 12:43:14.405 [32547] Connection to 103.28.41.114:25 from 192.168.0.101:56706 succeeded (Id: 1)
[2019.04.01] 12:43:14.483 [32547] RSP: 220 inbound.createsend.com SMTP Mon, 01 Apr 2019 18:43:14 +0000
[2019.04.01] 12:43:14.483 [32547] CMD: EHLO mail.dafran.ca
[2019.04.01] 12:43:14.561 [32547] RSP: 250-Hello mail.dafran.ca[10.65.9.15]
[2019.04.01] 12:43:14.561 [32547] RSP: 250-PIPELINING
[2019.04.01] 12:43:14.561 [32547] RSP: 250-8BITMIME
[2019.04.01] 12:43:14.561 [32547] RSP: 250-STARTTLS
[2019.04.01] 12:43:14.561 [32547] RSP: 250-AUTH EXTERNAL CRAM-MD5 LOGIN PLAIN
[2019.04.01] 12:43:14.561 [32547] RSP: 250 SIZE 409600
[2019.04.01] 12:43:14.561 [32547] CMD: MAIL FROM: SIZE=1350
[2019.04.01] 12:43:14.623 [32547] RSP: 553 Bad sender address syntax
[2019.04.01] 12:43:14.623 [32547] CMD: QUIT
[2019.04.01] 12:43:14.686 [32547] RSP: 221 Goodnight and good luck
[2019.04.01] 12:43:14.686 [32547] Attempt to ip, '103.28.41.114' success: 'True'
[2019.04.01] 12:43:14.686 [32547] Delivery for System Administrator to sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com has bounced. Reason: Remote host said: 553 Bad sender address syntax
[2019.04.01] 12:43:14.686 [32547] Delivery for System Administrator to sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com has completed (Bounced)
[2019.04.01] 12:43:14.686 [32547] Removed from RemoteDeliveryQueue (0 queued or processing)
[2019.04.01] 12:43:17.327 [32547] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.01] 12:43:17.327 [32547] Delivery finished for System Administrator at 12:43:17 PM          [id:1292032547]
[2019.04.01] 12:43:59.358 [32548] Delivery started for dave.stuart@dafran.ca at 12:43:59 PM
[2019.04.01] 12:44:05.374 [32548] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2019.04.01] 12:44:05.374 [32548] [SpamCheckQueue] Begin Processing.
[2019.04.01] 12:44:10.577 [32548] Starting Spam Checks.
[2019.04.01] 12:44:10.577 [32548] Skipping spam checks: User authenticated
[2019.04.01] 12:44:10.577 [32548] Spam Checks completed.
[2019.04.01] 12:44:10.577 [32548] Removed from SpamCheckQueue (0 queued or processing)
Best Regards
Dave Stuart MCSD

2 Replies

Reply to Thread
0
Kyle Kerst Replied
Employee Post
It looks like the receiving mail server isn't properly supporting our SMTP methods, are you able to deliver mail to other users on this server? As to the Anonymous User you saw, this is expected and simply indicates there was a user at the login page that had not yet authenticated. Once the user logs in the username displayed will change to reflect the account they authenticated with.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Dave Stuart Replied
Thanks for the reply. There were 2 IP addresses (103.28.41.114, 103.28.41.113) doing the same thing. I looked at my SMTP logs and these 2 where attempting to Authenticate several thousand times a day. I think they were some sort of "Scouting" Bots because once I added them to my Blacklist my spam literally stopped, and I was getting hammered some days! I continued to review other IP addresses that were attempting to "Authenticate as" an unknown user from dodgy places like Russia, China, Kenya, South Africa, Lithuania etc.. I was able to export my logs and then import into MS Access then query the most abusive ones. After blocking them all I'm not seeing any garbage like this. The logs are 99% normal now!

I still do not understand how something could be trying to deliver mail from my internal mail server to another mail server without any sort of authentication.

Thanks
Dave Stuart 
Best Regards
Dave Stuart MCSD

Reply to Thread