tcsender email bombing

Having seen fairly heavy loading on our mail server today, I decided
to see what might be going on.

Is anyone else seeing concerted bombing from tcsender@<a couple of addresses>
where the relayhost covers many hosts? I have attached a tiny bit of
today's mail syslog contents below to illustrate.

Approximately one third of our email traffic today has come from this.
I am going to be blocking a number of the IPs at our router, due to
the heavy load this is causing us. Is anyone else having to handle
this nonsense (tcsender specifically) or should I be looking for
someone attacking us?

Thx,
dennis

Nov 4 04:05:48 bconnex.net sendmail[4697]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:05:48 bconnex.net sendmail[4697]: EAA04697:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@astra.genghis.com [205.139.15.34]
Nov 4 04:05:54 bconnex.net sendmail[4698]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:05:54 bconnex.net sendmail[4698]: EAA04698:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=root@busche.com [206.83.162.16]
Nov 4 04:05:57 bconnex.net sendmail[4703]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:05:57 bconnex.net sendmail[4703]: EAA04703:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=root@www.fredrick.com [209.113.166.92]
Nov 4 04:06:04 bconnex.net sendmail[4705]: Ruleset check_mail
(<tcsender@need-hits.com>) rejection: 451 <tcsender@need-hits.com>... Domain
must resolve
Nov 4 04:06:04 bconnex.net sendmail[4705]: EAA04705:
from=<tcsender@need-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=bay.wiznet.ca [207.139.40.1]
Nov 4 04:06:08 bconnex.net sendmail[4712]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:06:08 bconnex.net sendmail[4712]: EAA04712:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@[204.254.231.160]
Nov 4 04:06:22 bconnex.net sendmail[4723]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:06:22 bconnex.net sendmail[4723]: EAA04723:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@linked.net [209.24.1.201]
Nov 4 04:06:27 bconnex.net sendmail[4731]: Ruleset check_mail
(<tcsender@need-hits.com>) rejection: 451 <tcsender@need-hits.com>... Domain
must resolve
Nov 4 04:06:27 bconnex.net sendmail[4731]: EAA04731:
from=<tcsender@need-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=emke.com [204.152.178.10]
Nov 4 04:06:43 bconnex.net sendmail[4758]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:06:43 bconnex.net sendmail[4758]: EAA04758:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=adzone.com [205.147.5.1]
Nov 4 04:06:50 bconnex.net sendmail[4776]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:06:50 bconnex.net sendmail[4776]: EAA04776:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=[209.63.20.193]
Nov 4 04:07:12 bconnex.net sendmail[4800]: Ruleset check_mail
(<tcsender@need-hits.com>) rejection: 451 <tcsender@need-hits.com>... Domain
must resolve
Nov 4 04:07:12 bconnex.net sendmail[4800]: EAA04800:
from=<tcsender@need-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=mercury.webserve.net [206.96.226.5]
Nov 4 04:07:13 bconnex.net sendmail[4802]: Ruleset check_mail
(<tcsender@need-hits.com>) rejection: 451 <tcsender@need-hits.com>... Domain
must resolve
Nov 4 04:07:13 bconnex.net sendmail[4802]: EAA04802:
from=<tcsender@need-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@server3.homecom.com [204.198.149.6]
Nov 4 04:07:16 bconnex.net sendmail[4804]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:07:16 bconnex.net sendmail[4804]: EAA04804:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=metallus.ias.net [206.214.209.8]
Nov 4 04:07:23 bconnex.net sendmail[4808]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:07:23 bconnex.net sendmail[4808]: EAA04808:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=france-travel.com [192.41.4.181]
Nov 4 04:08:04 bconnex.net sendmail[4852]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:08:04 bconnex.net sendmail[4852]: EAA04852:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=fox.plaza.nl [195.108.180.1]
Nov 4 04:08:05 bconnex.net sendmail[4858]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:08:05 bconnex.net sendmail[4858]: EAA04858:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=dnai.com [140.174.162.28]
Nov 4 04:08:17 bconnex.net sendmail[4865]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:08:17 bconnex.net sendmail[4865]: EAA04865:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=virtual.icanect.net [208.202.14.126]
Nov 4 04:08:45 bconnex.net sendmail[4881]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:08:45 bconnex.net sendmail[4881]: EAA04881:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=100t.lauderdale.net [207.141.140.10]
Nov 4 04:09:09 bconnex.net sendmail[4895]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:09:09 bconnex.net sendmail[4895]: EAA04895:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=fred.ic2do.com [38.218.186.11]
Nov 4 04:09:14 bconnex.net sendmail[4902]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:09:14 bconnex.net sendmail[4902]: EAA04902:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=ch.promega.com [198.150.28.10]
Nov 4 04:09:15 bconnex.net sendmail[4905]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:09:15 bconnex.net sendmail[4905]: EAA04905:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@ns.falconsoft.com [206.112.39.112]
Nov 4 04:09:28 bconnex.net sendmail[4916]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:09:28 bconnex.net sendmail[4916]: EAA04916:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@web12.ntx.net [209.1.144.158]
Nov 4 04:09:45 bconnex.net sendmail[4928]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:09:45 bconnex.net sendmail[4928]: EAA04928:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@realbeer.com [204.152.97.15]
Nov 4 04:09:45 bconnex.net sendmail[4929]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:09:45 bconnex.net sendmail[4929]: EAA04929:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=gost3.indirect.com [165.247.198.3]
Nov 4 04:09:46 bconnex.net sendmail[4930]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:09:46 bconnex.net sendmail[4930]: EAA04930:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=[205.217.137.150]
Nov 4 04:09:54 bconnex.net sendmail[4936]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:09:54 bconnex.net sendmail[4936]: EAA04936:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@jab1.roc.servtech.com [204.181.4.152]
Nov 4 04:10:31 bconnex.net sendmail[4956]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:10:31 bconnex.net sendmail[4956]: EAA04956:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=wcc.wcc.net [208.6.232.10]
Nov 4 04:10:45 bconnex.net sendmail[4972]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:10:45 bconnex.net sendmail[4972]: EAA04972:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@vp2.netgate.net [204.145.147.60]
Nov 4 04:10:48 bconnex.net sendmail[4974]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:10:48 bconnex.net sendmail[4974]: EAA04974:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@kitchen.virtual-cafe.com 3]
Nov 4 04:10:58 bconnex.net sendmail[4980]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:10:58 bconnex.net sendmail[4980]: EAA04980:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=[151.196.85.2]
Nov 4 04:11:04 bconnex.net sendmail[4985]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:11:04 bconnex.net sendmail[4985]: EAA04985:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=www.fixation.com [206.144.185.101]
Nov 4 04:11:06 bconnex.net sendmail[4991]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:11:06 bconnex.net sendmail[4991]: EAA04991:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=ns2.kalamazoo.net [206.31.33.2]
Nov 4 04:11:26 bconnex.net sendmail[5016]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:11:26 bconnex.net sendmail[5016]: EAA05016:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=fox.plaza.nl [195.108.180.1]
Nov 4 04:12:07 bconnex.net sendmail[5042]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:12:07 bconnex.net sendmail[5042]: EAA05042:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=[151.196.88.4]
Nov 4 04:12:08 bconnex.net sendmail[5043]: Ruleset check_mail ) rejection: 451
<tcsender@get-more-hits.com>... Domain must resolve
Nov 4 04:12:08 bconnex.net sendmail[5043]: EAA05043:
from=<tcsender@get-more-hits.com>, e=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=yakko.x-statik.com [198.68.248.2]
Nov 4 04:12:13 bconnex.net sendmail[5046]: Ruleset check_mail
(<tcsender@need-hits.com>) jection: 451 <tcsender@need-hits.com>... Domain must
resolve
Nov 4 04:12:13 bconnex.net sendmail[5046]: EAA05046:
from=<tcsender@need-hits.com>, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=root@[140.174.206.23]

had this to say about "tcsender email bombing":

> Having seen fairly heavy loading on our mail server today, I decided
> to see what might be going on.
>
> Is anyone else seeing concerted bombing from tcsender@<a couple of addresses>
> where the relayhost covers many hosts? I have attached a tiny bit of
> today's mail syslog contents below to illustrate.

Yes...2741 entries in my maillog since 11:00pm yesterday...but our
mailserver barely hiccuped and I wouldn't have noticed for a day or two
unless I came across your post. What prompted you to go looking?

> Approximately one third of our email traffic today has come from this.
> I am going to be blocking a number of the IPs at our router, due to
> the heavy load this is causing us. Is anyone else having to handle
> this nonsense (tcsender specifically) or should I be looking for
> someone attacking us?

You may want to change your 451 errors into 571 errors at least for this
particular domain. From RFC1893:

       X.7.1 Delivery not authorized, message refused

          The sender is not authorized to send to the destination.
          This can be the result of per-host or per-recipient
          filtering. This memo does not discuss the merits of any
          such filtering, but provides a mechanism to report such.
          This is useful only as a permanent error.

Yep...changing those transient error codes into permanent ones will
severely discourage compliant MTAs.

I got a few dozen attempts from this one...but not enough that I'd have
noticed it over the other hundreds.

Nov 4 05:34:55 yoda sendmail[18159]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 518
<tcsender@get-more-hits.com>... unresolvable host name, check your
configuration.
Nov 4 05:34:55 yoda sendmail[18159]: FAA18159:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@linked.net [209.24.1.201]

The usual reason cited for using 4xx errors instead of 5xx errors in this
case is that DNS failures can be transient.

Bradley
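
Added example, not part of the original thread: a Python script that rejoins the hard-wrapped sendmail records quoted above, pairs each check_mail rejection with the relay line logged by the same sendmail PID, and reports per envelope sender how many distinct relay IPs were involved and whether every rejection was a 4xx that will be retried. The function names are this example's own; the sample records are copied from the first post.

```python
import re
from collections import defaultdict

# Records copied from the log quoted in this thread, still hard-wrapped as posted.
SAMPLE = """\
Nov 4 04:05:48 bconnex.net sendmail[4697]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:05:48 bconnex.net sendmail[4697]: EAA04697:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@astra.genghis.com [205.139.15.34]
Nov 4 04:06:04 bconnex.net sendmail[4705]: Ruleset check_mail
(<tcsender@need-hits.com>) rejection: 451 <tcsender@need-hits.com>... Domain
must resolve
Nov 4 04:06:04 bconnex.net sendmail[4705]: EAA04705:
from=<tcsender@need-hits.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=bay.wiznet.ca [207.139.40.1]
Nov 4 04:06:22 bconnex.net sendmail[4723]: Ruleset check_mail
(<tcsender@get-more-hits.com>) rejection: 451 <tcsender@get-more-hits.com>...
Domain must resolve
Nov 4 04:06:22 bconnex.net sendmail[4723]: EAA04723:
from=<tcsender@get-more-hits.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@linked.net [209.24.1.201]
"""

STAMP = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d "
REJECT = re.compile(r"sendmail\[(\d+)\]: Ruleset check_mail \(<([^>]*)>\) rejection: (\d{3})")
RELAY = re.compile(r"sendmail\[(\d+)\]: .*relay=.*\[(\d+(?:\.\d+){3})\]")

def unwrap(text):
    """Rejoin hard-wrapped records: a newline not followed by a timestamp is a wrap."""
    return re.sub(r"\n(?!" + STAMP + ")", " ", text.strip()).split("\n")

def summarize(text):
    """Per envelope sender: rejection count, reply codes seen, distinct relay IPs."""
    pending = {}  # sendmail PID -> rejected sender; popped once paired (PIDs get reused)
    stats = defaultdict(lambda: {"count": 0, "codes": set(), "relays": set()})
    for rec in unwrap(text):
        if m := REJECT.search(rec):
            pending[m[1]] = m[2]
            stats[m[2]]["count"] += 1
            stats[m[2]]["codes"].add(m[3])
        elif (m := RELAY.search(rec)) and m[1] in pending:
            stats[pending.pop(m[1])]["relays"].add(m[2])
    return dict(stats)

def retried_senders(stats):
    """Senders rejected only with 4xx codes, which a compliant MTA queues and retries."""
    return sorted(s for s, v in stats.items() if all(c[0] == "4" for c in v["codes"]))
```

A sender that shows up with many distinct relay IPs and only 4xx codes matches the pattern discussed in the thread: each relay keeps the message queued and comes back, so the load repeats until the rejection becomes permanent or the relays are filtered.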