Cloudron Forum

Weird email log probably spam attack?

  • chetbaker wrote (last edited by girish) #1

    I have a weird email log as shown below in different domains hosted on Cloudron:

    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<rh5c3c78szgvabp@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":78}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <rh5c3c78szgvabp@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<sbce4q6mhbmiev@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":79}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <sbce4q6mhbmiev@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<pbaback@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":80}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <pbaback@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<w20yv2vukk16k2l3@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":81}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <w20yv2vukk16k2l3@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<noh@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":82}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <noh@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<nai@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":83}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <nai@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<n5phlmuto61ss@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":84}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <n5phlmuto61ss@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<miyuki@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":85}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <miyuki@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<mayola@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":86}
    Feb 27 12:38:11 [NOTICE] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] recipient <mayola@REDACTED.party> code=DENY msg="No such address" sender=mnkjex6v66jk9xy@osvetleniaz.cz
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<mailgbe@REDACTED.party> retval=DENY msg="No such address"
    Feb 27 12:38:11 [INFO] [54F5ADCF-9C72-4670-AAE9-3E6C63E1D668.1] [cloudron] skipped logging 73.231.102.189. {"time":"2025-02-27T15:38:10.354Z","count":87}
    

    This is also happening with other domains in the same fashion:

    Service mail
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":67}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <c9map6j77udcqr5q@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<dominika.m@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":68}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <dominika.m@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<98xhzz2vysb1s53@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":69}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <98xhzz2vysb1s53@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<i47ed5cx8feqau@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":70}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <i47ed5cx8feqau@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<9t0hjpa4ds65@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":71}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <9t0hjpa4ds65@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<davidtaylor@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":72}
    Feb 27 12:54:42 [NOTICE] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] recipient <davidtaylor@REDACTED2.com> code=DENY msg="No such address" sender=f00xlr2fqgnaifzp@muzikokulu.de
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<cyt@REDACTED2.com> retval=DENY msg="No such address"
    Feb 27 12:54:42 [INFO] [F429887E-5F55-430E-B860-8050F6BAF674.1] [cloudron] skipped logging 95.54.40.239. {"time":"2025-02-27T15:54:42.190Z","count":73}
    

    I'm not using email capabilities at Cloudron in production.

    Even though my understanding is emails are not sent, it's still a really odd behavior and I don't know exactly what to do.

    • ccfu wrote #2

      Yes, this is an attempted spam attack from a botnet pointlessly sending mails from compromised computers to non-existent addresses at regular intervals. If you look closely there will be 100 at a time, probably about once an hour to each targeted domain and each time from a different IP. I have no idea what the spammers are trying to achieve here other than maybe trying to find insecure or poorly configured mailservers, but we see it from time to time as well.

      There is nothing much you can do about it but apart from annoying entries in the log nothing will happen as the mails will be rejected / the sender blocked and after a while (possibly a few weeks) they will just stop.

      • girish (Staff) wrote #3

        Yes, a botnet. You can put that IP 95.54.40.239 in the blocklist - https://docs.cloudron.io/networking/#blocklist . Nothing can be done to prevent botnets from contacting your server other than blocking them.

        The "count" in the logs refers to how many times it was already rejected by Cloudron mail, but it keeps coming back!

        • girish marked this topic as a question
        • girish has marked this topic as solved
        • ccfu wrote #4

          @girish Is there really any point blocking the IPs in this case? They tend to only be used once and a short time later a different compromised computer will try to connect with a different IP address.

          • girish (Staff) wrote #5

            @ccfu yeah, I tend to agree. But I think some people simply don't like looking at such things (similar to why they do fail2ban for repeated ssh attempts). So, I think blocking the IP mostly helps if the raw logs are annoying 🙂 Note that we don't put this in the eventlog precisely because people get annoyed when looking at it in the UI...

            • ccfu wrote #6

              @girish What determines what is shown there and what not? With these botnets it seems always the first connection attempt shows up in the UI, the other 99 do not. So it is one denied connection per IP per x minutes?

              In the UI it is possible to filter the display so that denied mails do not show up, but unfortunately this filter is not saved on page reload. That would be a nice possibility to have because during these annoying botnet "campaigns" if several domains are being targeted the UI still shows one entry for each domain per hour.

              • chetbaker wrote #7

                Thanks a lot, folks. The responses are really useful and the situation is quite annoying.

                • NCKNE wrote #8

                  You can also follow this great guide and set up an automated blocklist update:
                  https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update/41?_=1740739173375

                  Might mitigate some (few) of these annoying spam attacks.
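
To turn raw logs like the ones in the first post into a per-connection summary (source IP, envelope senders, rejected recipients, running "count"), the following is an added example, not part of any post in this thread and not Cloudron code. The sample lines are constructed in the quoted format with placeholder IDs, addresses and RFC 5737 IPs, and the `min_rejects` threshold is an assumed value.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the format quoted in post #1; connection IDs,
# addresses and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Feb 27 12:38:11 [NOTICE] [11111111-AAAA-4000-8000-000000000001.1] [core] recipient <q7x@example.test> code=DENY msg="No such address" sender=a1@sender.invalid
Feb 27 12:38:11 [INFO] [11111111-AAAA-4000-8000-000000000001.1] [cloudron] skipped logging 192.0.2.10. {"time":"2025-02-27T15:38:10.354Z","count":98}
Feb 27 12:38:11 [INFO] [11111111-AAAA-4000-8000-000000000001.1] [core] hook=rcpt plugin=cloudron function=translate_rcpt_to params=<bob@example.test> retval=DENY msg="No such address"
Feb 27 12:38:11 [NOTICE] [11111111-AAAA-4000-8000-000000000001.1] [core] recipient <bob@example.test> code=DENY msg="No such address" sender=a1@sender.invalid
Feb 27 12:38:11 [INFO] [11111111-AAAA-4000-8000-000000000001.1] [cloudron] skipped logging 192.0.2.10. {"time":"2025-02-27T15:38:10.354Z","count":99}
Feb 27 12:54:42 [NOTICE] [22222222-BBBB-4000-8000-000000000002.1] [core] recipient <zz9@example.test> code=DENY msg="No such address" sender=b2@other.invalid
Feb 27 12:54:42 [INFO] [22222222-BBBB-4000-8000-000000000002.1] [cloudron] skipped logging 198.51.100.7. {"time":"2025-02-27T15:54:42.190Z","count":1}
"""

# "<date> [LEVEL] [<connection-id>.<n>] [<plugin>] <message>"
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \[\w+\] \[([0-9A-Fa-f-]+)\.\d+\] \[(\w+)\] (.*)$")
DENIED = re.compile(r'^recipient <([^>]+)> code=DENY msg="No such address" sender=(\S+)')
SKIPPED = re.compile(r"^skipped logging ([0-9A-Fa-f.:]+?)\. (\{.*\})$")


def summarize(log_text):
    """Group rejected RCPT TO attempts by connection ID."""
    conns = defaultdict(lambda: {"ip": None, "senders": set(), "recipients": set(), "count": 0})
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a mail-service log line in the expected shape
        conn_id, plugin, rest = m.groups()
        if plugin == "core" and (d := DENIED.match(rest)):
            conns[conn_id]["recipients"].add(d.group(1))
            conns[conn_id]["senders"].add(d.group(2))
        elif plugin == "cloudron" and (s := SKIPPED.match(rest)):
            # The JSON "count" is the running number of rejections for this IP.
            conns[conn_id]["ip"] = s.group(1)
            conns[conn_id]["count"] = max(conns[conn_id]["count"], json.loads(s.group(2))["count"])
    return dict(conns)


def probing_ips(conns, min_rejects=50):
    """Source IPs whose reject count reached min_rejects (assumed threshold)."""
    return sorted({c["ip"] for c in conns.values() if c["ip"] and c["count"] >= min_rejects})


if __name__ == "__main__":
    print(probing_ips(summarize(SAMPLE_LOG)))
```

Comparing the distinct IPs per day against the blocklist shows how often a blocked address actually returns.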
