We are currently subjected to a persistent penetration attempt that apparently is directed against our SMTP authentication. The user names employed at the present time are all local address portions of a single user's virtual domain which have no means of authentication. So the attack is futile in that sense.
However, the question arises as to how these local delivery addresses are being harvested. Some of these are used very infrequently and some of them have not been active for years. It seems remarkable that addresses that are known to only be used for one purpose, say Bugzilla or Red Hat Network, are found in these attacks.

Is there some way for remote unauthenticated users to query Postfix in such a fashion as to effectively walk the virtual domain list for local delivery addresses? If so, then what is it and how can it be prevented? Or should it?

-- 
***          e-Mail is NOT a SECURE channel          ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3