On 20/06/2013 13:49, Andreas Kasenides wrote:
On 19-06-2013 14:37, lst_ho...@kwsoft.de wrote:

Quoting Andreas Kasenides <andr...@cymail.eu>:

One of my mail servers (postfix 2.6) has been the target of what seems to me to be an attack. The attacker tried to deliver messages to non-existent user names formed as a long hex string. It only happened once, from one particular client, and kept going for some time. SMTP sessions were coming in one every second with three delivery attempts each. Here is a fragment of one single session:

Out: 220 prot.xxxx.eu ESMTP Postfix
In: EHLO xxxxxxxxxx
Out: 250-prot.xxxx.eu
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:<x...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<35150aa4c74ba30f04ede17ca25f1...@xxxx.yy
Out: 451 4.3.0 <35150aa4c74ba30f04ede17ca25f1...@xxxx.yy>: Temporary lookup failure
In: RCPT TO:<357f21a54e272af6a629ff7657eae...@xxxx.yy>
Out: 451 4.3.0 <357f21a54e272af6a629ff7657eae...@xxxx.yy>: Temporary lookup failure
In: RSET
Out: 250 2.0.0 Ok
In: MAIL FROM:<xx...@xx.xxx.xx> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<947a7c9627f3977247586a4fca58b...@xxxx.yy>
Out: 451 4.3.0 <947a7c9627f3977247586a4fca58b...@xxxxx.yy>: Temporary lookup failure
In: QUIT
Out: 221 2.0.0 Bye

Is this an attack of some sort?

The address harvesters of the spammers sometimes collect everything which has a "@" in it and therefore even use message-ids in their spam list. Nothing to worry about.

Regards
Andreas

Here is a recap/explanation. After looking at this for several days I think I have a possible explanation, very similar to the reply above. Apparently we are dealing with a blind email address harvester. Note that all user names (the string before @) are 32 hex characters. Going into my log files I noticed that such values appear in the message-ids during SMTP transactions, but also as part of the headers in the actual messages.

Apparently there has been some harvesting of mail addresses where everything that has a "@" is picked up. The question is: was this harvesting from our log files or our mail storage, a very serious possibility which would indicate a break-in? It turns out that each type of SMTP server assigns a slightly different message-id, so checking the logs and querying a few domains, it turns out that 32-character-long message-ids are assigned by EXIM. Sigh of relief, I only operate with Postfix. My conclusion is that the harvester is blindly picking usernames and domains from wherever it can (possibly from compromised systems but also from clear text net traffic) and pairing them at random!! Any other ideas?

regards
Andreas
I have these kinds of recipients in my logs too. So you cannot do anything about this.

I suggest you upgrade to postfix 2.8+ and start using postscreen. Here, 95%+ of spam is blocked by it.

BTW, I think you still have some problems with your mail system because of the lookup failure (as the logs show).
Levi
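As an added example (not code from anyone in this thread), here is a small Python check that applies the two observations above to a Postfix SMTP session transcript: it pulls out the RCPT TO addresses, flags any whose local part is exactly 32 hex digits (the Message-ID shape Andreas identified), and counts 4xx "Temporary lookup failure" replies, which point at the lookup-table problem Levi mentions rather than at a rejected unknown user. The sample session, the host and mailbox names in it, and the 50% flagging threshold are all constructed assumptions for this example.

```python
import re

# Constructed sample session, modelled on the transcript quoted in the thread
# (addresses and host names are made up, not the poster's real log).
SAMPLE_SESSION = """\
Out: 220 mx.example.test ESMTP Postfix
In: EHLO client.example.test
Out: 250-mx.example.test
Out: 250 DSN
In: MAIL FROM:<sender@example.test> SIZE=2881 BODY=7BIT
Out: 250 2.1.0 Ok
In: RCPT TO:<35150aa4c74ba30f04ede17ca25f1a2b@example.test>
Out: 451 4.3.0 <35150aa4c74ba30f04ede17ca25f1a2b@example.test>: Temporary lookup failure
In: RCPT TO:<alice@example.test>
Out: 250 2.1.5 Ok
In: RCPT TO:<947a7c9627f3977247586a4fca58b0c1@example.test>
Out: 451 4.3.0 <947a7c9627f3977247586a4fca58b0c1@example.test>: Temporary lookup failure
In: QUIT
Out: 221 2.0.0 Bye
"""

RCPT_RE = re.compile(r"^In:\s*RCPT TO:<([^>]*)>", re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# A 4xx "Temporary lookup failure" means Postfix could not consult a lookup
# table at all, so the client is told to retry instead of being rejected.
TEMPFAIL_RE = re.compile(r"^Out:\s*4\d\d\s.*Temporary lookup failure")


def parse_recipients(transcript):
    """Return the RCPT TO addresses in the order the client sent them."""
    recipients = []
    for line in transcript.splitlines():
        m = RCPT_RE.match(line.strip())
        if m:
            recipients.append(m.group(1))
    return recipients


def looks_like_message_id(address):
    """True when the local part is exactly 32 hex digits: the shape of the
    Message-ID values the harvester mistook for mailbox names."""
    local, sep, _domain = address.partition("@")
    return bool(sep) and HEX32_RE.match(local) is not None


def analyse_session(transcript, threshold=0.5):
    """Summarise one session: which recipients were Message-ID shaped and how
    many lookups failed temporarily. 'threshold' (an assumption of this
    example) is the fraction of such recipients at or above which the session
    is flagged as a probable harvester run."""
    recipients = parse_recipients(transcript)
    suspicious = [a for a in recipients if looks_like_message_id(a)]
    temp_failures = sum(
        1 for line in transcript.splitlines() if TEMPFAIL_RE.match(line.strip())
    )
    ratio = len(suspicious) / len(recipients) if recipients else 0.0
    return {
        "recipients": len(recipients),
        "message_id_shaped": suspicious,
        "temp_lookup_failures": temp_failures,
        "harvester_suspected": bool(suspicious) and ratio >= threshold,
    }


if __name__ == "__main__":
    for key, value in analyse_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

Run over real transcripts (e.g. the output of Postfix's `debug_peer_list` logging, or a session dump pasted from the mail log), the "temp_lookup_failures" count is the thing to chase first: a correctly configured server should answer an unknown mailbox with a 5xx reject, and a 4xx lookup failure both invites retries and hides whether the recipient table was ever consulted.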