Monday, July 12, 2004

mail dictionary attacks

It looks like one of the domains that I administer is being dictionary attacked for spam. It looks like it is a distributed attack, where all of the requests are coming from what appear to be zombie machines. The thing that doesn't seem all that smart about the attack is that they are using a first name + last name in the user name.

Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: client=sccrmxc19.comcast.net[204.127.202.99]
Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: reject: RCPT from sccrmxc19.comcast.net[204.127.202.99]: 450 : User unknown in local recipient table; from=<> to= proto=ESMTP helo=
Jul 13 00:32:48 www postfix/smtpd[23202]: disconnect from sccrmxc19.comcast.net[204.127.202.99]
Jul 13 00:32:49 www postfix/smtpd[7875]: warning: 207.178.128.39: address not listed for hostname mail3.iswest.com
Jul 13 00:32:49 www postfix/smtpd[7875]: connect from unknown[207.178.128.39]
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: client=unknown[207.178.128.39]
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from unknown[207.178.128.39]: 450 : User unknown in local recipient table; from=<> to= proto=SMTP helo=
Jul 13 00:32:51 www postfix/smtpd[7875]: disconnect from unknown[207.178.128.39]
Jul 13 00:32:52 www postfix/smtpd[15756]: connect from nutshell.tislabs.com[192.94.214.100]
Jul 13 00:32:52 www postfix/smtpd[15756]: 96BA31A2C019: client=nutshell.tislabs.com[192.94.214.100]
Jul 13 00:32:52 www postfix/smtpd[15756]: 96BA31A2C019: reject: RCPT from nutshell.tislabs.com[192.94.214.100]: 450 : User unknown in local recipient table; from=<> to= proto=ESMTP helo=
Jul 13 00:32:57 www postfix/smtpd[7776]: connect from taloa.unice.fr[134.59.1.7]
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: client=taloa.unice.fr[134.59.1.7]
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: reject: RCPT from taloa.unice.fr[134.59.1.7]: 450 : User unknown in local recipient table; from= to= proto=ESMTP helo=

It seems that if the spammers really wanted to find valid user names, they would just use first names as the usernames. I would think that by using FirstName+LastName they will only be 25% as likely to find valid usernames.

This makes me want to write a script that goes through my logs and then notifies the ISP about the zombies on their networks.



update:

This mail attack was starting to put a load on my server. There are a lot of SMTP connections to the server, and this is causing other connections to take a long time. I have looked through the logs for the past two days, and I have got a list of the IP addresses. There were about 850 computers that sent 12000 email requests.




I have changed postfix to reject connections from those computers. I will look at the logs tomorrow, and update the list.
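The log-scanning script mentioned above and the per-host reject list can be combined into one small tool. The following is an added example, not the script from this post: it parses postfix "reject: RCPT ... User unknown in local recipient table" lines, counts rejects per client IP, and renders a postfix client access table. It assumes that table is wired in with `smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access` (and rebuilt with `postmap`); the log lines and 192.0.2.x addresses are constructed for the example.

```python
import re
from collections import Counter

# One postfix smtpd reject record per line. Captures the client "host[ip]" part.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[0-9.]+)\]: "
    r"450 .*User unknown in local recipient table"
)

# Constructed sample log (documentation addresses), in the same shape as real postfix output.
SAMPLE_LOG = """\
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from unknown[192.0.2.10]: 450 <a.smith@example.org>: User unknown in local recipient table; from=<> to=<a.smith@example.org> proto=SMTP helo=<zombie1>
Jul 13 00:32:51 www postfix/smtpd[7875]: disconnect from unknown[192.0.2.10]
Jul 13 00:32:52 www postfix/smtpd[7876]: 96BA31A2C019: reject: RCPT from unknown[192.0.2.10]: 450 <b.jones@example.org>: User unknown in local recipient table; from=<> to=<b.jones@example.org> proto=ESMTP helo=<zombie1>
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: reject: RCPT from mx.example.net[192.0.2.20]: 450 <c.brown@example.org>: User unknown in local recipient table; from=<> to=<c.brown@example.org> proto=ESMTP helo=<mx.example.net>
Jul 13 00:33:01 www postfix/smtpd[7777]: 11AA21A2C019: client=relay.example.com[192.0.2.30]
"""

def count_unknown_recipient_rejects(lines):
    """Return a Counter mapping client IP -> number of 'User unknown' rejects."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def summary(counts):
    """(distinct client IPs, total rejected RCPT commands), as in the post's 850 / 12000 figures."""
    return len(counts), sum(counts.values())

def zombie_candidates(counts, threshold):
    """IPs with at least `threshold` rejects, busiest first. A single bounce from a
    legitimate relay is below any sane threshold and is left alone."""
    return [ip for ip, n in counts.most_common() if n >= threshold]

def postfix_client_access_map(ips):
    """Render a postfix access(5) table: one 'IP REJECT text' line per host.
    Write it to /etc/postfix/client_access and run postmap on it (assumed setup)."""
    return "".join(f"{ip} REJECT dictionary attack\n" for ip in ips)

if __name__ == "__main__":
    counts = count_unknown_recipient_rejects(SAMPLE_LOG.splitlines())
    print("hosts=%d rejects=%d" % summary(counts))
    print(postfix_client_access_map(zombie_candidates(counts, threshold=2)), end="")
```

Run it against the real mail log instead of SAMPLE_LOG (for example `count_unknown_recipient_rejects(open("/var/log/mail.log"))`) and raise the threshold to suit the volume seen in the log.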




If this doesn't work, I will move the mx record for this domain to a different machine.