Our System Has Detected An Unusual Rate of Unsolicited Email

Big Dan

EQ Forum Moderator
I've gotten about 500 of these bounce messages in the past 3 days. A catch all for odjt.com is forwarding into my Gmail account. peggy@odjt.com doesn't actually exist. Being a four-letter .com, it gets spoofed quite frequently.

The thing is, this time it appears to be saying my server IP is blocked; however, I'm still receiving my regular email through that server at Gmail without issue. I poked around and it doesn't appear that my server has been compromised.

Wouldn't Google see that the mail isn't originating from my server's IP only being received at it?

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

<my Gmail address>
(generated from peggy@odjt.com)
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [74.125.93.27]:
550-5.7.1 [<server IP> 7] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit Bulk Senders Guidelines - Gmail Help to review
550 5.7.1 our Bulk Email Senders Guidelines. o35si3341754vbi.78

caliman

New Email
Hi Dan - I am glad to find your post. I have received about 200 emails in the last few days very similar to yours.

Have you found anything out about it yet?

popowich

EQ Forum Admin
Staff member
A catch all for odjt.com is forwarding into my Gmail account

Yikes, catchalls are evil. What do your logs say for the mails forwarding for your domain to Gmail? There are two primary issues. The first is joe jobs, where spammers use your From: on their spam so you get the bounces. The second is dictionary attacks. If a spammer tries tens of thousands or more addresses at your domain, they are all going to forward to Gmail. At the very least I'd remove the catchall, check your logs, and go from there.

-Raymond
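The two patterns Raymond describes can be told apart in the server's own logs. As an added example (not code from this thread or from Exim), the Python below reads constructed Exim mainlog-style `<=` arrival lines and separates bounce backscatter (null `<>` envelope sender, the joe-job symptom) from a single source sending to many nonexistent local parts (the dictionary-attack symptom). The log format, the domain, the set of real mailboxes and the probe threshold are all assumptions; check the regex against your own mainlog.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog-style lines (not from the poster's server).
# "<=" marks a message accepted by this server; "<>" is the null
# envelope sender that bounce messages use.
SAMPLE_LOG = """\
2011-05-01 10:00:01 1QGa1b-0001aa-Aa <= <> H=mx.example.net [192.0.2.10] P=esmtp S=4210 for peggy@odjt.com
2011-05-01 10:00:02 1QGa1b-0001ab-Ab <= <> H=mx.example.org [198.51.100.7] P=esmtp S=3987 for peggy@odjt.com
2011-05-01 10:00:05 1QGa1b-0001ac-Ac <= spammer@example.test H=(bot) [203.0.113.5] P=smtp S=1200 for aaron@odjt.com
2011-05-01 10:00:05 1QGa1b-0001ad-Ad <= spammer@example.test H=(bot) [203.0.113.5] P=smtp S=1200 for abby@odjt.com
2011-05-01 10:00:06 1QGa1b-0001ae-Ae <= spammer@example.test H=(bot) [203.0.113.5] P=smtp S=1200 for abe@odjt.com
2011-05-01 10:00:06 1QGa1b-0001af-Af <= spammer@example.test H=(bot) [203.0.113.5] P=smtp S=1200 for adam@odjt.com
2011-05-01 10:01:00 1QGa1b-0001ag-Ag <= friend@example.com H=mail.example.com [192.0.2.44] P=esmtp S=2100 for dan@odjt.com
"""

# Assumed layout: "<date> <time> <msgid> <= <sender> ... [<ip>] ... for <rcpt>"
ARRIVAL = re.compile(
    r"^\S+ \S+ \S+ <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\].* for (?P<rcpt>\S+)$"
)


def parse_arrivals(log_text):
    """Yield (envelope_sender, source_ip, recipient) for each accepted message."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            yield m.group("sender"), m.group("ip"), m.group("rcpt")


def classify(log_text, domain, known_local_parts, dict_threshold=3):
    """Split catchall traffic for `domain` into backscatter and dictionary probes."""
    backscatter = 0                  # bounces for mail this server never sent
    unknown_total = 0                # every delivery to a nonexistent mailbox
    probes_by_ip = defaultdict(set)  # source IP -> distinct bogus local parts
    for sender, ip, rcpt in parse_arrivals(log_text):
        local, _, rdom = rcpt.rpartition("@")
        if rdom.lower() != domain or local.lower() in known_local_parts:
            continue                 # other domain, or a real mailbox
        unknown_total += 1
        if sender == "<>":
            backscatter += 1
        else:
            probes_by_ip[ip].add(local.lower())
    dictionary_ips = sorted(ip for ip, parts in probes_by_ip.items()
                            if len(parts) >= dict_threshold)
    return {"backscatter": backscatter, "dictionary_ips": dictionary_ips,
            "unknown_total": unknown_total}
```

Run it against `SAMPLE_LOG` with `classify(SAMPLE_LOG, "odjt.com", {"dan"})`; the `unknown_total` figure is the volume the catchall is forwarding on to Gmail, which is what Gmail is rate-limiting.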

Big Dan

EQ Forum Moderator
Yikes, catchalls are evil. What do your logs say for the mails forwarding for your domain to Gmail? There are two primary issues. The first is joe jobs, where spammers use your From: on their spam so you get the bounces. The second is dictionary attacks. If a spammer tries tens of thousands or more addresses at your domain, they are all going to forward to Gmail. At the very least I'd remove the catchall, check your logs, and go from there.

-Raymond

Don't beat me for being stupid but where would my logs be in the filesystem?

popowich

EQ Forum Admin
Staff member
It depends on your MTA and any logging specific configurations you made.

What MTA does your hosting use? Trying /var/log is a reasonable place to start. Do you have a syslog into maillog in there?

Big Dan

EQ Forum Moderator
It depends on your MTA and any logging specific configurations you made.

What MTA does your hosting use? Trying /var/log is a reasonable place to start. Do you have a syslog into maillog in there?

I know WHM (Web Host Manager) keeps logs, but I don't know for how long. I'm 99% sure the server is using Exim. WHM emails me every day and tells me what email is sending - I've seen nothing but vBulletin via PHP, so I doubt my server has been compromised. I have a firewall installed which emails me any time someone logs in via SSH. I really think it's just a joe job and Gmail is pissed it's getting all sorts of bounce messages. With the catchall gone it should clear itself up.

I'll poke around for the logs in the morning and email you a dump if you don't mind.

I appreciate the help. :)

Thanks,
Dan