For the last week daily from 4PM-5PM PST our mail server has been bombed by 10-15K emails, all being sent from messagelabs.com mail servers, namely mail2.bemta23.messagelabs.com and mail2.bemta24.messagelabs.com. We have attempted to contact messagelabs to resolve this but cannot make our way through Symantec support to contact messagelabs (they claim we can't talk to messagelabs unless we purchase a support contract). Does anybody know how we can contact them to stop the daily email attacks their servers are subjecting us to?
Pay to stop them from mail bombing our server? 15K+ plus emails per hour is a DOS attack!
You're not a Symantec customer, correct? If not, don't expect to get any help on this.
Well, if you're not willing to pay, then you have a problem. If this is from a customer on the Messagelabs platform that's mass-mailing you, without a logged call they cannot assist.
Has anyone else figured out a way to contact support about this?
This is happening to one of our domains as well, and it's pretty clearly a malicious actor from a Brazilian Azure IP address. They are spoofing thousands of emails per hour, and they're all flying through server-11.tower-320.messagelabs.com

The Broadcom Support person directed me to these forums for help, but it's not clear that there's any help to be had... Don't they want to know about abuse of their systems??!
John,

The only thing clear about the sender is that they are relaying emails through multiple hosts from multiple places - but virtually all of them have the first hop in the header as something.something.messagelabs.com.

Your customer in this case either IS the malicious actor or one of your customers is compromised. I have no insight into who the sender is other than the Reply-To address that they put in from various domains.
The only way we are seeing these is because we are getting the NDRs, since the 'From' address they are listing is one of our customers. Here is a sample from pasting one of these headers into Azure's MHA:
It then relays from 100.112.132.75 to server-4.bemta.az-b.us-west-2.aws.symcld.net (which looks like mail1.bemta24.messagelabs.com)

This is one of thousands of hourly messages that have been sent out constantly - and a great many are sourcing from that 126.96.36.199 IP.

The From address is spoofed, and the spoofed party has DKIM, SPF, and DMARC properly set up (to reject) - but as they are getting the NDRs of the spoofed messages, we see these original messages attached.
Someone is very clearly relaying the spoofed messages through several of the messagelabs.com servers, and I can't find any help for it, since I am not a customer. And we don't know which customer is either compromised or doing malicious activity themselves.

Paul K

P.S. I have already notified Microsoft of the malicious actor's use of an Azure IP address to initiate all of these spoofed emails, by the way, since 188.8.131.52 seems to be within Azure.
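The posts above describe the defender's only view of this traffic: bounces (NDRs) that carry the spoofed original as an attachment, whose Received headers are then read bottom-up to find the originating IP and the first relay that accepted it. The script below, added here as an illustration and not part of the thread, automates that step: it pulls the message/rfc822 part out of a multipart/report bounce and walks its Received chain oldest-first. The sample NDR, hostnames and addresses are constructed (RFC 5737 documentation ranges, example.test domains) and stand in for whatever a real bounce contains.

```python
"""Recover the relay chain of a spoofed message from the NDR that bounced it."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample bounce: a multipart/report NDR with the original (spoofed)
# message attached as message/rfc822. All hosts, IPs and addresses are placeholders.
SAMPLE_NDR = """\
From: Mail Delivery System <mailer-daemon@mx.victim.example>
To: customer@spoofed.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.victim.example. Delivery failed.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.victim.example
Action: failed
Status: 5.7.1

--B1
Content-Type: message/rfc822

Received: from server-4.bemta.az-b.example.test (server-4.bemta.az-b.example.test [203.0.113.45])
 by mx.victim.example (Postfix) with ESMTPS id ABC123
 for <user@victim.example>; Mon, 3 Jun 2024 16:12:01 -0700
Received: from relay.tower-320.example.test ([198.51.100.7])
 by server-4.bemta.az-b.example.test with ESMTP; Mon, 3 Jun 2024 23:12:00 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
 by relay.tower-320.example.test with ESMTP id XYZ; Mon, 3 Jun 2024 23:11:59 +0000
From: "Spoofed Customer" <customer@spoofed.example>
To: user@victim.example
Subject: Invoice attached

original body
--B1--
"""

_FROM = re.compile(r'\bfrom\s+(\S+)', re.IGNORECASE)
_BY = re.compile(r'\bby\s+(\S+)', re.IGNORECASE)
_IPV4 = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_received(value):
    """Extract the 'from' host, 'by' host and first bracketed IPv4 from one Received header."""
    flat = re.sub(r'\s+', ' ', value).strip()  # unfold continuation lines
    m_from, m_by, m_ip = _FROM.search(flat), _BY.search(flat), _IPV4.search(flat)
    return {
        'from': m_from.group(1) if m_from else None,
        'by': m_by.group(1) if m_by else None,
        'ip': m_ip.group(1) if m_ip else None,
    }


def attached_original(ndr_text):
    """Return the message/rfc822 part attached to a bounce, or None if there is none."""
    ndr = message_from_string(ndr_text)
    for part in ndr.walk():
        if part.get_content_type() == 'message/rfc822':
            return part.get_payload()[0]  # payload is a one-element list holding the Message
    return None


def relay_chain(original):
    """Received hops oldest-first: index 0 is where the message entered the mail system."""
    hops = [parse_received(h) for h in original.get_all('Received', [])]
    return list(reversed(hops))


def backscatter_report(ndr_text):
    """Summarise who injected the spoofed message and which relay first accepted it."""
    original = attached_original(ndr_text)
    if original is None:
        return None
    chain = relay_chain(original)
    return {
        'origin_ip': chain[0]['ip'] if chain else None,
        'first_relay': chain[0]['by'] if chain else None,
        'hops': [(h['from'], h['by']) for h in chain],
        'claimed_from': parseaddr(original.get('From', ''))[1],
    }


if __name__ == '__main__':
    report = backscatter_report(SAMPLE_NDR)
    print(f"spoofed From: {report['claimed_from']}")
    print(f"injected from {report['origin_ip']} via {report['first_relay']}")
    for frm, by in report['hops']:
        print(f"  {frm} -> {by}")
```

The origin IP and first relay recovered this way are the two facts an abuse report needs: the IP goes to its hosting provider, and the first relay's operator is the one that can identify which of its customers is sending. Received headers below the first hop your own server wrote are forgeable, so treat anything earlier than your MX's own entry as a claim rather than proof.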