On 6/20/2013 5:49 AM, Andreas Kasenides wrote: > Apparently there has been some harvesting going on of mail addresses > where everything that has a "@" is picked up. The question is: was > this harvesting from our log files or our mail storage - a very serious > possibility which would indicate a break in.
The Message-ID is stored as part of the message. Spammers harvest these from web forums, email archives, and other public sources. > My conclusion is that the harvester is blindly picking usernames and > domains > from wherever it can (possibly from compromised systems but also from > clear text net traffic) and pairing them at random!! Almost certainly from harvesting publicly accessible web pages, not from a system compromise. Yes, these are often paired at random. Botnet operators have little incentive to validate their user lists since it requires about the same effort to send a few thousand messages as to send 100M messages. This is more of a nuisance than an actual security issue. Assuming your system properly rejects unknown recipients, it is unlikely to cause any operational problems. You should look into why you're getting temporary lookup failures in your log. While that probably isn't a security issue, it is likely reducing your performance and may also encourage some servers to retry delivery, which multiplies the number of connections you receive. -- Noel Jones
