One of my mail servers (Postfix 2.6) has been the target of what seems to me to be an attack. The attacker tried to deliver messages to non-existent user names formed as a long hex string. It only happened once from one particular client and kept going for some time. SMTP sessions were coming in one every second with three delivery attempts each.
Here is a fragment of one single session:
Out: 220 prot.xxxx.eu ESMTP Postfix
In: EHLO xxxxxxxxxx
Out: 250-prot.xxxx.eu
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:<x...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<35150aa4c74ba30f04ede17ca25f1...@xxxx.yy
Out: 451 4.3.0 <35150aa4c74ba30f04ede17ca25f1...@xxxx.yy>: Temporary lookup failure
In: RCPT TO:<357f21a54e272af6a629ff7657eae...@xxxx.yy>
Out: 451 4.3.0 <357f21a54e272af6a629ff7657eae...@xxxx.yy>: Temporary lookup failure
In: RSET
Out: 250 2.0.0 Ok
In: MAIL FROM:<xx...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<947a7c9627f3977247586a4fca58b...@xxxx.yy>
Out: 451 4.3.0 <947a7c9627f3977247586a4fca58b...@xxxxx.yy>: Temporary lookup failure
In: QUIT
Out: 221 2.0.0 Bye
Is this an attack of some sort?
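
Added example, not part of the original post: a small Python check over a session transcript in the In:/Out: layout shown above, counting recipients whose local part is a long hex string and how the server answered each RCPT TO. The sample transcript, host names, addresses, the function name and the thresholds (16 hex characters, 3 recipients, 80%) are constructed assumptions, and the parser assumes each RCPT TO is followed by its own reply line.

```python
import re

# Constructed sample in the In:/Out: layout of the post; every host name
# and address below is made up for this example.
SAMPLE = """\
Out: 220 mx.example.test ESMTP Postfix
In: EHLO client.example.test
Out: 250 DSN
In: MAIL FROM:<a@sender.example.test> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<0123456789abcdef0123456789abcdef@example.test>
Out: 451 4.3.0 <0123456789abcdef0123456789abcdef@example.test>: Temporary lookup failure
In: RCPT TO:<fedcba9876543210fedcba9876543210@example.test>
Out: 451 4.3.0 <fedcba9876543210fedcba9876543210@example.test>: Temporary lookup failure
In: RSET
Out: 250 2.0.0 Ok
In: MAIL FROM:<b@sender.example.test> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<00112233445566778899aabbccddeeff@example.test>
Out: 451 4.3.0 <00112233445566778899aabbccddeeff@example.test>: Temporary lookup failure
In: QUIT
Out: 221 2.0.0 Bye
"""

RCPT = re.compile(r"^In:\s+RCPT TO:\s*<([^@>\s]+)@([^>\s]+)>?", re.I)
REPLY = re.compile(r"^Out:\s+(\d{3})[ -]")
HEX_LOCAL = re.compile(r"^[0-9a-f]{16,}$", re.I)  # assumed: 16+ hex chars

def analyze(transcript, min_rcpts=3, min_hex_ratio=0.8):
    """Summarise one session: recipients, hex-like local parts, reply classes."""
    stats = {"rcpt": 0, "hex_rcpt": 0, "accepted": 0, "tempfail": 0, "rejected": 0}
    awaiting_rcpt_reply = False
    for line in transcript.splitlines():
        m = RCPT.match(line)
        if m:
            stats["rcpt"] += 1
            stats["hex_rcpt"] += bool(HEX_LOCAL.match(m.group(1)))
            awaiting_rcpt_reply = True
            continue
        r = REPLY.match(line)
        if r and awaiting_rcpt_reply:
            # Classify the reply to the preceding RCPT TO by its first digit.
            key = {"2": "accepted", "4": "tempfail", "5": "rejected"}.get(r.group(1)[0])
            if key:
                stats[key] += 1
            awaiting_rcpt_reply = False
    ratio = stats["hex_rcpt"] / stats["rcpt"] if stats["rcpt"] else 0.0
    stats["suspicious"] = stats["rcpt"] >= min_rcpts and ratio >= min_hex_ratio
    return stats
```

A high `tempfail` count alongside `hex_rcpt` is worth noting separately: a 4xx reply tells the client to retry later, whereas an unknown recipient would normally be refused with a 5xx.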