
Paul's Time Sink


mail dictionary attacks

Paul Westbrook | 12 July, 2004 18:25

It looks like one of the domains that I administer is being dictionary attacked for spam. It looks like it is a distributed attack, where all of the requests are coming from what appear to be zombie machines. The thing that doesn't seem all that smart about the attack is that they are using a first name + last name in the user name.

Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: client=sccrmxc19.comcast.net[204.127.202.99]
Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: reject: RCPT from sccrmxc19.comcast.net[204.127.202.99]: 450 : User unknown in local recipient table; from=<> to= proto=ESMTP helo=
Jul 13 00:32:48 www postfix/smtpd[23202]: disconnect from sccrmxc19.comcast.net[204.127.202.99]
Jul 13 00:32:49 www postfix/smtpd[7875]: warning: 207.178.128.39: address not listed for hostname mail3.iswest.com
Jul 13 00:32:49 www postfix/smtpd[7875]: connect from unknown[207.178.128.39]
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: client=unknown[207.178.128.39]
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from unknown[207.178.128.39]: 450 : User unknown in local recipient table; from=<> to= proto=SMTP helo=
Jul 13 00:32:51 www postfix/smtpd[7875]: disconnect from unknown[207.178.128.39]
Jul 13 00:32:52 www postfix/smtpd[15756]: connect from nutshell.tislabs.com[192.94.214.100]
Jul 13 00:32:52 www postfix/smtpd[15756]: 96BA31A2C019: client=nutshell.tislabs.com[192.94.214.100]
Jul 13 00:32:52 www postfix/smtpd[15756]: 96BA31A2C019: reject: RCPT from nutshell.tislabs.com[192.94.214.100]: 450 : User unknown in local recipient table; from=<> to= proto=ESMTP helo=
Jul 13 00:32:57 www postfix/smtpd[7776]: connect from taloa.unice.fr[134.59.1.7]
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: client=taloa.unice.fr[134.59.1.7]
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: reject: RCPT from taloa.unice.fr[134.59.1.7]: 450 : User unknown in local recipient table; from= to= proto=ESMTP helo=

It seems that if the spammers really wanted to find valid user names, they would just use first names as the usernames. I would think that by using FirstName+LastName they will only be 25% as likely to find valid usernames.

This makes me want to write a script that goes through my logs and then notifies the isp about the zombies on their networks.

update:
This mail attack was starting to put a load on my server. There are a lot of smtp connections to the server, and this is causing other connections to take a long time. I have looked through the logs for the past two days, and I have got a list of the ip addresses. There were about 850 computers that sent 12000 email requests.

I have changed postfix to reject connections from those computers. I will look at the logs tomorrow, and update the list.
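As an added example (not the author's script): the two steps above, going through the maillog for the rejected RCPT commands and turning the offending client addresses into a Postfix blocklist, can be done with one pass over the log. The script below counts "User unknown in local recipient table" rejects per client IP, prints a per-IP summary of the kind you would paste into an abuse report to the ISP, and renders the heaviest offenders as a Postfix access(5) table for check_client_access. The log lines in SAMPLE_LOG are constructed in the shape of the excerpt above (documentation IP ranges, placeholder recipients); the threshold of two rejects and the map path are assumptions.

```python
"""Count Postfix 'User unknown' RCPT rejects per client and emit a blocklist.

Added example for this post, not the author's code.  SAMPLE_LOG is constructed
test data in the format of the post's log excerpt; the threshold and the
access-map path are assumptions.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Postfix smtpd line for a rejected RCPT TO.  The 450 (temporary, sender will
# retry) and 550 (permanent) forms of the same rejection are both matched.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"(?P<code>4\d\d|5\d\d) .*?User unknown in local recipient table"
)

# Constructed sample: one client with 4 rejects, one with 3, a mail server
# with a single misaddressed message, plus unrelated connect/disconnect lines.
SAMPLE_LOG = """\
Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: client=unknown[203.0.113.7]
Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: reject: RCPT from unknown[203.0.113.7]: 450 <john.smith@example.org>: User unknown in local recipient table; from=<> to=<john.smith@example.org> proto=ESMTP helo=<pc>
Jul 13 00:32:46 www postfix/smtpd[23202]: 689971A2C019: reject: RCPT from unknown[203.0.113.7]: 450 <jane.jones@example.org>: User unknown in local recipient table; from=<> to=<jane.jones@example.org> proto=ESMTP helo=<pc>
Jul 13 00:32:48 www postfix/smtpd[23202]: disconnect from unknown[203.0.113.7]
Jul 13 00:32:49 www postfix/smtpd[7875]: connect from host10.example.net[198.51.100.10]
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from host10.example.net[198.51.100.10]: 450 <bob.brown@example.org>: User unknown in local recipient table; from=<> to=<bob.brown@example.org> proto=SMTP helo=<host10>
Jul 13 00:32:50 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from host10.example.net[198.51.100.10]: 450 <ann.adams@example.org>: User unknown in local recipient table; from=<> to=<ann.adams@example.org> proto=SMTP helo=<host10>
Jul 13 00:32:51 www postfix/smtpd[7875]: 24D591A2C019: reject: RCPT from host10.example.net[198.51.100.10]: 450 <tom.tate@example.org>: User unknown in local recipient table; from=<> to=<tom.tate@example.org> proto=SMTP helo=<host10>
Jul 13 00:32:52 www postfix/smtpd[15756]: 96BA31A2C019: reject: RCPT from mail.example.com[192.0.2.25]: 550 <oldaddress@example.org>: User unknown in local recipient table; from=<sender@example.com> to=<oldaddress@example.org> proto=ESMTP helo=<mail.example.com>
Jul 13 00:32:55 www postfix/smtpd[9001]: 3F0A11A2C019: reject: RCPT from unknown[203.0.113.7]: 450 <mary.miller@example.org>: User unknown in local recipient table; from=<> to=<mary.miller@example.org> proto=ESMTP helo=<pc>
Jul 13 00:32:56 www postfix/smtpd[9001]: 3F0A11A2C019: reject: RCPT from unknown[203.0.113.7]: 450 <pat.perez@example.org>: User unknown in local recipient table; from=<> to=<pat.perez@example.org> proto=ESMTP helo=<pc>
Jul 13 00:32:57 www postfix/smtpd[7776]: CF9C51A2C019: client=mail.example.com[192.0.2.25]
Jul 13 00:32:57 www postfix/qmgr[1234]: CF9C51A2C019: from=<sender@example.com>, size=1234, nrcpt=1 (queue active)
"""

REJECT_THRESHOLD = 2                         # assumption: tune for your volume
ACCESS_MAP = "/etc/postfix/client_access"    # assumption: any path works


def parse_rejects(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (ip, hostname, smtp_code) for every matching reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m["ip"], m["host"], m["code"]


def rejects_per_client(lines: Iterable[str]) -> Tuple[Counter, Dict[str, str]]:
    """Count rejects per client IP; remember the hostname Postfix logged."""
    counts: Counter = Counter()
    hosts: Dict[str, str] = {}
    for ip, host, _code in parse_rejects(lines):
        counts[ip] += 1
        hosts[ip] = host
    return counts, hosts


def abuse_report(counts: Counter, hosts: Dict[str, str], threshold: int) -> List[str]:
    """One summary line per offending client, heaviest first."""
    return [f"{ip} ({hosts[ip]}): {n} 'User unknown' RCPT rejects"
            for ip, n in counts.most_common() if n >= threshold]


def access_map(counts: Counter, threshold: int) -> str:
    """Render an access(5) table body: '<ip> REJECT <text>' per offender.

    Clients below the threshold are left alone so a legitimate server that
    delivered one misaddressed message is not blocklisted.
    """
    rows = [f"{ip}\tREJECT too many unknown recipients"
            for ip, n in counts.most_common() if n >= threshold]
    return "\n".join(rows) + ("\n" if rows else "")


if __name__ == "__main__":
    # Real use: rejects_per_client(open("/var/log/maillog")) over two days of log.
    counts, hosts = rejects_per_client(SAMPLE_LOG.splitlines())
    for line in abuse_report(counts, hosts, REJECT_THRESHOLD):
        print(line)
    with open(ACCESS_MAP, "w") if False else open("client_access", "w") as fh:
        fh.write(access_map(counts, REJECT_THRESHOLD))
    # Then: postmap client_access, install it at ACCESS_MAP, and in main.cf:
    #   smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
```

Two caveats a practitioner would add. First, a shared outbound relay (an ISP's mail relay, a university MX) can show up with a high count while carrying mail from thousands of unrelated users, so the blocklist should be reviewed by hostname before it is installed, not applied blindly. Second, the 450 in these log lines is a temporary-failure code, so a standards-following sending MTA queues the message and retries the same recipient later; a permanent 550 (Postfix's unknown_local_recipient_reject_code) tells it to give up, which also cuts the connection load.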

If this doesn't work, I will move the mx record for this domain to a different machine.
