Continuous sending and bouncing to 2 Australian IP Addresses
Question asked by Dave Stuart - 4/27/2019 at 7:38 PM
Hi, I was logged on to my Admin Dashboard and saw some connections pop up that were from Iran, Russia, etc. I also saw an Activity from an Anonymous User! I really don't know how this is possible when I have Relay set to Nobody and all 4 domains I have are set to require SMTP authentication. I think it was an SMTP Connection but can't remember. Anyway, I downloaded some log data for this month and found the following entries in there about 25 times for April so far. Can someone tell me what is going on here because I don't understand it. The IP Address is 103.28.41.114 or 103.28.41.113, which is in Australia, and the organization is "Campaign Monitor Pty".

Thanks in Advance for any help with this.

[2019.04.01] 12:43:11.373 [32546] MxRecord count: '2' for domain 'cmail19.com'
[2019.04.01] 12:43:11.467 [32547] Starting Spam Checks.
[2019.04.01] 12:43:11.467 [32547] Skipping spam checks: User authenticated
[2019.04.01] 12:43:11.467 [32547] Spam Checks completed.
[2019.04.01] 12:43:11.467 [32547] Removed from SpamCheckQueue (0 queued or processing)
[2019.04.01] 12:43:11.592 [32546] Attempting MxRecord Host Name: 'mx21.inbound.createsend.com', preference '5', Ip Count: '1'
[2019.04.01] 12:43:11.592 [32546] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:11.592 [32546] Sending remote mail to: sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com
[2019.04.01] 12:43:11.592 [32546] Initiating connection to 103.28.41.114
[2019.04.01] 12:43:11.592 [32546] Connecting to 103.28.41.114:25 (Id: 1)
[2019.04.01] 12:43:11.655 [32546] Connection to 103.28.41.114:25 from 192.168.0.101:56705 succeeded (Id: 1)
[2019.04.01] 12:43:11.733 [32546] RSP: 220 inbound.createsend.com SMTP Mon, 01 Apr 2019 18:43:11 +0000
[2019.04.01] 12:43:11.733 [32546] CMD: EHLO mail.dafran.ca
[2019.04.01] 12:43:11.827 [32546] RSP: 250-Hello mail.dafran.ca[10.65.9.15]
[2019.04.01] 12:43:11.827 [32546] RSP: 250-PIPELINING
[2019.04.01] 12:43:11.827 [32546] RSP: 250-8BITMIME
[2019.04.01] 12:43:11.827 [32546] RSP: 250-STARTTLS
[2019.04.01] 12:43:11.827 [32546] RSP: 250-AUTH EXTERNAL CRAM-MD5 LOGIN PLAIN
[2019.04.01] 12:43:11.827 [32546] RSP: 250 SIZE 409600
[2019.04.01] 12:43:11.827 [32546] CMD: MAIL FROM: SIZE=1342
[2019.04.01] 12:43:11.889 [32546] RSP: 553 Bad sender address syntax
[2019.04.01] 12:43:11.889 [32546] CMD: QUIT
[2019.04.01] 12:43:11.952 [32546] RSP: 221 Goodnight and good luck
[2019.04.01] 12:43:11.952 [32546] Attempt to ip, '103.28.41.114' success: 'True'
[2019.04.01] 12:43:11.952 [32546] Delivery for System Administrator to sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com has bounced. Reason: Remote host said: 553 Bad sender address syntax
[2019.04.01] 12:43:11.952 [32546] Delivery for System Administrator to sueduncansecretary-jiliujht1ahliuitik1r@cmail19.com has completed (Bounced)
[2019.04.01] 12:43:11.952 [32546] Removed from RemoteDeliveryQueue (0 queued or processing)
[2019.04.01] 12:43:14.327 [32547] Added to RemoteDeliveryQueue (1 queued; 0/50 processing)
[2019.04.01] 12:43:14.327 [32547] [RemoteDeliveryQueue] Begin Processing.
[2019.04.01] 12:43:14.327 [32547] Sending remote mail for System Administrator
[2019.04.01] 12:43:14.327 [32546] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.01] 12:43:14.327 [32546] Delivery finished for System Administrator at 12:43:14 PM          [id:1292032546]
[2019.04.01] 12:43:14.327 [32547] MxRecord count: '2' for domain 'cmail19.com'
[2019.04.01] 12:43:14.327 [32547] Attempting MxRecord Host Name: 'mx21.inbound.createsend.com', preference '5', Ip Count: '1'
[2019.04.01] 12:43:14.327 [32547] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:14.327 [32547] Sending remote mail to: sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com
[2019.04.01] 12:43:14.327 [32547] Initiating connection to 103.28.41.114
[2019.04.01] 12:43:14.327 [32547] Connecting to 103.28.41.114:25 (Id: 1)
[2019.04.01] 12:43:14.405 [32547] Connection to 103.28.41.114:25 from 192.168.0.101:56706 succeeded (Id: 1)
[2019.04.01] 12:43:14.483 [32547] RSP: 220 inbound.createsend.com SMTP Mon, 01 Apr 2019 18:43:14 +0000
[2019.04.01] 12:43:14.483 [32547] CMD: EHLO mail.dafran.ca
[2019.04.01] 12:43:14.561 [32547] RSP: 250-Hello mail.dafran.ca[10.65.9.15]
[2019.04.01] 12:43:14.561 [32547] RSP: 250-PIPELINING
[2019.04.01] 12:43:14.561 [32547] RSP: 250-8BITMIME
[2019.04.01] 12:43:14.561 [32547] RSP: 250-STARTTLS
[2019.04.01] 12:43:14.561 [32547] RSP: 250-AUTH EXTERNAL CRAM-MD5 LOGIN PLAIN
[2019.04.01] 12:43:14.561 [32547] RSP: 250 SIZE 409600
[2019.04.01] 12:43:14.561 [32547] CMD: MAIL FROM: SIZE=1350
[2019.04.01] 12:43:14.623 [32547] RSP: 553 Bad sender address syntax
[2019.04.01] 12:43:14.623 [32547] CMD: QUIT
[2019.04.01] 12:43:14.686 [32547] RSP: 221 Goodnight and good luck
[2019.04.01] 12:43:14.686 [32547] Attempt to ip, '103.28.41.114' success: 'True'
[2019.04.01] 12:43:14.686 [32547] Delivery for System Administrator to sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com has bounced. Reason: Remote host said: 553 Bad sender address syntax
[2019.04.01] 12:43:14.686 [32547] Delivery for System Administrator to sueduncansecretary-jilhiro1ahliuitik1r@cmail19.com has completed (Bounced)
[2019.04.01] 12:43:14.686 [32547] Removed from RemoteDeliveryQueue (0 queued or processing)
[2019.04.01] 12:43:17.327 [32547] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.01] 12:43:17.327 [32547] Delivery finished for System Administrator at 12:43:17 PM          [id:1292032547]
[2019.04.01] 12:43:59.358 [32548] Delivery started for dave.stuart@dafran.ca at 12:43:59 PM
[2019.04.01] 12:44:05.374 [32548] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2019.04.01] 12:44:05.374 [32548] [SpamCheckQueue] Begin Processing.
[2019.04.01] 12:44:10.577 [32548] Starting Spam Checks.
[2019.04.01] 12:44:10.577 [32548] Skipping spam checks: User authenticated
[2019.04.01] 12:44:10.577 [32548] Spam Checks completed.
[2019.04.01] 12:44:10.577 [32548] Removed from SpamCheckQueue (0 queued or processing)

2 Replies

Kyle Kerst Replied
Employee Post
It looks like the receiving mail server isn't properly supporting our SMTP methods. Are you able to deliver mail to other users on this server? As to the Anonymous User you saw, this is expected and simply indicates there was a user at the login page that had not yet authenticated. Once the user logs in, the username displayed will change to reflect the account they authenticated with.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Dave Stuart Replied
Thanks for the reply. There were 2 IP addresses (103.28.41.114, 103.28.41.113) doing the same thing. I looked at my SMTP logs and these 2 were attempting to Authenticate several thousand times a day. I think they were some sort of "Scouting" Bots, because once I added them to my Blacklist my spam literally stopped, and I was getting hammered some days! I continued to review other IP addresses that were attempting to "Authenticate as" an unknown user from dodgy places like Russia, China, Kenya, South Africa, Lithuania, etc. I was able to export my logs and then import them into MS Access, then query the most abusive ones. After blocking them all I'm not seeing any garbage like this. The logs are 99% normal now!

I still do not understand how something could be trying to deliver mail from my internal mail server to another mail server without any sort of authentication.

Thanks
Dave Stuart 
Best Regards Dave Stuart MCSD
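The log excerpt in the question and the "export the logs and query the most abusive IPs" step in the last reply both come down to the same triage: group delivery-log lines by session id, attribute each session to the remote IP it connected to, and count bounces (and why). The script below is an added example for that, not SmarterMail's own code or the poster's Access query; it runs on a constructed sample modelled on the thread's lines, and its MAIL FROM check only reports what is in the log text it is given (an angle-bracketed null sender `<>` in the original log could have been dropped when the page was rendered).

```python
import re
from collections import Counter, defaultdict

# Patterns for the SmarterMail-style delivery log lines quoted in the thread.
LINE_RE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[(?P<sid>\d+)\] (?P<msg>.*)$")
SEND_RE = re.compile(r"Attempting to send to MxRecord '[^']+' ip: '(?P<ip>[^']+)'")
MAILFROM_RE = re.compile(r"CMD: MAIL FROM:\s*(?P<args>.*)$")
BOUNCE_RE = re.compile(r"Delivery for .+? to \S+ has bounced\. Reason: (?P<reason>.*)$")

# Constructed sample modelled on the thread's log: two sessions to one remote IP.
SAMPLE_LOG = """\
[2019.04.01] 12:43:11.592 [32546] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:11.827 [32546] CMD: MAIL FROM: SIZE=1342
[2019.04.01] 12:43:11.889 [32546] RSP: 553 Bad sender address syntax
[2019.04.01] 12:43:11.952 [32546] Delivery for System Administrator to user-abc@example.com has bounced. Reason: Remote host said: 553 Bad sender address syntax
[2019.04.01] 12:43:14.327 [32547] Attempting to send to MxRecord 'mx21.inbound.createsend.com' ip: '103.28.41.114'
[2019.04.01] 12:43:14.561 [32547] CMD: MAIL FROM:<alice@example.org> SIZE=1350
"""

def parse_sessions(text):
    """Group lines by the bracketed session id; keep remote IP, MAIL FROM args and bounce reason."""
    sessions = defaultdict(lambda: {"ip": None, "mail_from": None, "bounce_reason": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group("sid")], m.group("msg")
        if (x := SEND_RE.search(msg)):
            s["ip"] = x.group("ip")
        elif (x := MAILFROM_RE.search(msg)):
            s["mail_from"] = x.group("args")
        elif (x := BOUNCE_RE.search(msg)):
            s["bounce_reason"] = x.group("reason")
    return dict(sessions)

def reverse_path_missing(mail_from):
    """RFC 5321 requires MAIL FROM:<reverse-path> ('<>' for bounces); no '<' in the
    logged argument is exactly what a 553 'Bad sender address syntax' reply points at."""
    return mail_from is not None and not mail_from.lstrip().startswith("<")

def summarize_by_ip(sessions):
    """Per remote IP: attempts, bounces, reason histogram and malformed MAIL FROM count."""
    out = defaultdict(lambda: {"attempts": 0, "bounced": 0, "bad_mail_from": 0, "reasons": Counter()})
    for s in sessions.values():
        if s["ip"] is None:
            continue  # session never reached a remote host
        row = out[s["ip"]]
        row["attempts"] += 1
        if s["bounce_reason"]:
            row["bounced"] += 1
            row["reasons"][s["bounce_reason"]] += 1
        row["bad_mail_from"] += int(reverse_path_missing(s["mail_from"]))
    return dict(out)
```

Feed it a full month of the delivery log instead of `SAMPLE_LOG` and sort `summarize_by_ip()` by `bounced` to get the per-IP list the thread describes building by hand.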