On 19-06-2013 14:37, lst_ho...@kwsoft.de wrote:
Quote from Andreas Kasenides <andr...@cymail.eu>:
One of my mail servers (postfix 2.6) has been the target of what seems to me to be an attack.
The attacker tried to deliver messages to non-existent user names formed as a long hex string. It only happened once, from one particular client, and kept going for some time.
SMTP sessions were coming in one every second with three delivery attempts each.
Here is a fragment of one single session:
Out: 220 prot.xxxx.eu ESMTP Postfix
In: EHLO xxxxxxxxxx
Out: 250-prot.xxxx.eu
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:<x...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<35150aa4c74ba30f04ede17ca25f1...@xxxx.yy
Out: 451 4.3.0 <35150aa4c74ba30f04ede17ca25f1...@xxxx.yy>: Temporary lookup failure
In: RCPT TO:<357f21a54e272af6a629ff7657eae...@xxxx.yy>
Out: 451 4.3.0 <357f21a54e272af6a629ff7657eae...@xxxx.yy>: Temporary lookup failure
In: RSET
Out: 250 2.0.0 Ok
In: MAIL FROM:<xx...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<947a7c9627f3977247586a4fca58b...@xxxx.yy>
Out: 451 4.3.0 <947a7c9627f3977247586a4fca58b...@xxxxx.yy>: Temporary lookup failure
In: QUIT
Out: 221 2.0.0 Bye
Is this an attack of some sort?
The address harvesters of the spammers sometimes collect everything which has a "@" in it and therefore even use message-ids in their spam list.
Nothing to worry about.
Regards
Andreas
Here is a recap/explanation.
After looking at this for several days I think I have a possible explanation, very similar to the reply above. Apparently we are dealing with a blind email address harvester. Note that all user names (the string before @) are 32 hex characters.
Going into my log files I noticed that such values appear in the message-ids during SMTP transactions but also as part of the header in the actual messages.
Apparently there has been some harvesting going on of mail addresses where everything that has a "@" is picked up. The question is: was this harvesting from our log files or our mail storage - a very serious possibility which would indicate a break-in.
It turns out that each type of SMTP server assigns a slightly different message-id, so checking the logs and querying a few domains it turns out that 32 character long message-ids are assigned by EXIM. Sigh of relief, I only operate with Postfix.
My conclusion is that the harvester is blindly picking usernames and domains from wherever it can (possibly from compromised systems but also from clear text net traffic) and pairing them at random!!
Any other ideas?
regards
Andreas
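As an added example, not part of the thread above: a small Python script that scans Postfix smtpd reject lines for the pattern Andreas describes, i.e. a single client hammering RCPT TO with local parts that are exactly 32 hex characters (Message-ID tokens paired with a domain). The log lines, client addresses and domains below are constructed for the demonstration; the regex follows the standard "NOQUEUE: reject: RCPT from ..." format of postfix/smtpd.

```python
import re
from collections import defaultdict

# Constructed sample postfix/smtpd log lines (not from the original thread).
# Client 192.0.2.10 plays the harvester; 198.51.100.7 is an ordinary bad recipient.
SAMPLE_LOG = """\
Jun 19 14:37:01 prot postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Jun 19 14:37:01 prot postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <35150aa4c74ba30f04ede17ca25f1aa1@example.test>: Temporary lookup failure; from=<sender@example.net> to=<35150aa4c74ba30f04ede17ca25f1aa1@example.test> proto=ESMTP helo=<mail.example.net>
Jun 19 14:37:01 prot postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <357f21a54e272af6a629ff7657eae0b2@example.test>: Temporary lookup failure; from=<sender@example.net> to=<357f21a54e272af6a629ff7657eae0b2@example.test> proto=ESMTP helo=<mail.example.net>
Jun 19 14:37:02 prot postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <947a7c9627f3977247586a4fca58b3d4@example.test>: Temporary lookup failure; from=<sender@example.net> to=<947a7c9627f3977247586a4fca58b3d4@example.test> proto=ESMTP helo=<mail.example.net>
Jun 19 14:37:03 prot postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <0123456789abcdef0123456789abcdef@example.test>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.net> to=<0123456789abcdef0123456789abcdef@example.test> proto=ESMTP helo=<mail.example.net>
Jun 19 14:37:04 prot postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.7]: 550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.org> to=<bob@example.test> proto=ESMTP helo=<mx.example.org>
"""

# Postfix smtpd reject line: client in [...], SMTP reply code, attempted recipient in to=<...>.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<client>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ .*?; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)
# Local part that looks like a harvested Message-ID token: exactly 32 hex characters.
HEX32_LOCAL_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_rejects(lines):
    """Yield (client_ip, smtp_code, recipient) for every smtpd RCPT reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("client"), m.group("code"), m.group("rcpt")


def summarise_harvester(lines, threshold=3):
    """Per client: how many rejected recipients had a 32-hex local part, how many
    did not, and how many were 4xx temporary failures (a 451 instead of a 550
    invites the sender to retry). Only clients at or above the threshold are returned."""
    stats = defaultdict(lambda: {"hex32": 0, "other": 0, "tempfail": 0})
    for client, code, rcpt in parse_rejects(lines):
        local_part = rcpt.rsplit("@", 1)[0]
        s = stats[client]
        s["hex32" if HEX32_LOCAL_RE.match(local_part) else "other"] += 1
        if code.startswith("4"):
            s["tempfail"] += 1
    return {c: s for c, s in stats.items() if s["hex32"] >= threshold}


if __name__ == "__main__":
    for client, s in summarise_harvester(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {s['hex32']} hex32 recipients, {s['tempfail']} temp failures")
```

Run it against a real mail.log (e.g. `summarise_harvester(open("/var/log/mail.log"))`) to list the clients behind this pattern; a high tempfail count also points at the recipient lookup backend failing rather than simply rejecting unknown users.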