On 20-06-2013 19:48, Noel Jones wrote:
> On 6/20/2013 5:49 AM, Andreas Kasenides wrote:
>> Apparently there has been some harvesting going on of mail addresses
>> where everything that has a "@" is picked up. The question is: was
>> this harvesting from our log files or our mail storage - a very serious
>> possibility which would indicate a break-in.
>
> The Message-ID is stored as part of the message. Spammers harvest
> these from web forums, email archives, and other public sources.
>
>> My conclusion is that the harvester is blindly picking usernames and
>> domains from wherever it can (possibly from compromised systems but
>> also from clear text net traffic) and pairing them at random!!
>
> Almost certainly from harvesting publicly accessible web pages, not
> from a system compromise.
>
> Yes, these are often paired at random. Botnet operators have little
> incentive to validate their user lists since it requires about the
> same effort to send a few thousand messages as to send 100M messages.
>
> This is more of a nuisance than an actual security issue. Assuming
> your system properly rejects unknown recipients, it is unlikely to
> cause any operational problems.
>
> You should look into why you're getting temporary lookup failures in
> your log. While that probably isn't a security issue, it is likely
> reducing your performance and may also encourage some servers to
> retry delivery, which multiplies the number of connections you
> receive.
>
> -- Noel Jones
OK, I hear you. I will be upgrading to 2.10 to start using postscreen and
look into changing the temporary failure (4xx) into a permanent one (5xx) to
do away with repeated connections.
thanks
regards
Andreas
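Added example, not part of the thread: a small Python triage script over constructed Postfix smtpd reject lines that separates 4xx temporary lookup failures from 5xx user-unknown rejects per client, counts the distinct recipients each client tried (what a randomly paired harvested list looks like in the log), and lists recipients that were retried after a 4xx. The log lines, client IPs and addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix smtpd log lines (not from the thread). They mimic
# the two reject outcomes discussed: 451 = temporary lookup failure (the sender
# will retry), 550 = permanent "user unknown" reject of a randomly paired address.
SAMPLE_LOG = """\
Jun 20 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <alice@example.org>: Temporary lookup failure; from=<x@example.net> to=<alice@example.org> proto=ESMTP helo=<bot>
Jun 20 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<bob@example.org> proto=ESMTP helo=<bot>
Jun 20 10:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<carol@example.org> proto=ESMTP helo=<bot>
Jun 20 10:05:09 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <alice@example.org>: Temporary lookup failure; from=<x@example.net> to=<alice@example.org> proto=ESMTP helo=<bot>
Jun 20 10:07:11 mx postfix/smtpd[1250]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.5]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table; from=<real@example.com> to=<dave@example.org> proto=ESMTP helo=<mail.example.com>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

def parse_rejects(log_text):
    """Yield (client_ip, smtp_code, recipient, reason) for each smtpd reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("code"), m.group("rcpt").lower(), m.group("reason")

def summarize(log_text):
    """Per client: (4xx temporary rejects, 5xx permanent rejects, distinct recipients).
    Many distinct unknown recipients from one client is the random-pairing pattern."""
    temp, perm, rcpts = Counter(), Counter(), defaultdict(set)
    for ip, code, rcpt, _reason in parse_rejects(log_text):
        if code.startswith("4"):
            temp[ip] += 1
        elif code.startswith("5"):
            perm[ip] += 1
        rcpts[ip].add(rcpt)
    return {ip: (temp[ip], perm[ip], len(rcpts[ip])) for ip in rcpts}

def repeat_temp_failures(log_text):
    """(client, recipient) pairs that drew a 4xx more than once: each repeat is a
    retried connection that answering temporarily invited."""
    seen = Counter()
    for ip, code, rcpt, _reason in parse_rejects(log_text):
        if code.startswith("4"):
            seen[(ip, rcpt)] += 1
    return sorted(key for key, n in seen.items() if n > 1)
```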