Hi y'all!

I'm running a Postfix mail system on our server, and the daily log is 10 megs and counting. The reason is a flow of spammers trying to mail us spam alphabetically (or so it seems), by trying different names.
The approaching hosts are all different, and are all valid, as far as I've tested.

This is a typical approach, with reject from Postfix:

Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] connect from jcmwsm02a.mwjc.easylink.com[165.251.41.49]
Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] 694396A113: client=jcmwsm02a.mwjc.easylink.com[165.251.41.49]
Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] 694396A113: reject: RCPT from jcmwsm02a.mwjc.easylink.com[165.251.41.49]: 450 <Stacey@boomdesign.no>: User unknown in local recipient table; from=<> to=<Stacey@boomdesign.no> proto=ESMTP helo=<jcmwsm02.mwjc.easylink.com>

The strange thing here is that it doesn't look like an alphabetical scan; Stacey here is one of the shortest names tried. Usually the requested mail user is something like PetroniusBWallington@boomdesign.no or WilliamHendersonWalker@boomdesign.no.

The frequency of rejects in the log file:

root@hst [/var/logger/mail]# cat the_mail_log.20040323 | grep -c reject
12474

which, by PHP :) :

<?php
$n = 12474;       // rejects counted in one day's log
$day = 86400;     // seconds in a day
$res = $day / $n;
echo $res, "\n";  // average seconds between rejects

gives us an approach every 6.92640692641 seconds.

This has been going on since mid-February, and the approaches have increased every day.

Anyone having similar problems, or seen anything like it?

Checked around, but haven't got any answers so far.

knutm :-)

    Depending on how you have your mail server set up, you can have it block certain IPs (or possibly an IP range/subnet). If you block 'em, then they'll have to spend more money for IPs to send you stuff, which you'll block......so it costs them money and not you (as far as CPU time, bandwidth, etc. go).
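    The two things the thread asks for so far, measuring the flood from the log and turning the worst clients into a block list, can be done from the Postfix log itself. The script below is an added example, not code posted in the thread or shipped with Postfix. It assumes the log format quoted above (the "[ID ... mail.info]" tag is Solaris syslog decoration and is treated as optional), assumes the year 2004 because syslog timestamps carry no year, and uses a constructed sample log: the three lines quoted above plus invented lines with reserved documentation addresses (192.0.2.10, 198.51.100.7) and names from the thread. The thresholds in looks_like_dictionary_attack and access_map are assumptions to tune, not Postfix settings.

```python
"""Added example (not from the thread): parse Postfix smtpd 'reject: RCPT'
lines, measure the recipient-guessing flood, and build a client access map."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample log. The first three lines are the ones quoted in the
# thread; the rest imitate them with reserved documentation addresses and
# names taken from the thread. 'unknown[ip]' is what Postfix logs when the
# client's reverse DNS fails.
SAMPLE_LOG = """\
Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] connect from jcmwsm02a.mwjc.easylink.com[165.251.41.49]
Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] 694396A113: client=jcmwsm02a.mwjc.easylink.com[165.251.41.49]
Mar 24 16:36:12 hst postfix/smtpd[5992]: [ID 197553 mail.info] 694396A113: reject: RCPT from jcmwsm02a.mwjc.easylink.com[165.251.41.49]: 450 <Stacey@boomdesign.no>: User unknown in local recipient table; from=<> to=<Stacey@boomdesign.no> proto=ESMTP helo=<jcmwsm02.mwjc.easylink.com>
Mar 24 16:36:19 hst postfix/smtpd[5993]: [ID 197553 mail.info] 6A4B16A114: reject: RCPT from jcmwsm02a.mwjc.easylink.com[165.251.41.49]: 450 <PetroniusBWallington@boomdesign.no>: User unknown in local recipient table; from=<> to=<PetroniusBWallington@boomdesign.no> proto=ESMTP helo=<jcmwsm02.mwjc.easylink.com>
Mar 24 16:36:26 hst postfix/smtpd[5994]: [ID 197553 mail.info] 6B2C06A115: reject: RCPT from unknown[192.0.2.10]: 450 <WilliamHendersonWalker@boomdesign.no>: User unknown in local recipient table; from=<> to=<WilliamHendersonWalker@boomdesign.no> proto=ESMTP helo=<mx.example.net>
Mar 24 16:36:33 hst postfix/smtpd[5995]: [ID 197553 mail.info] 6C1D96A116: reject: RCPT from unknown[192.0.2.10]: 450 <MaryanneEJimenez@boomdesign.no>: User unknown in local recipient table; from=<> to=<MaryanneEJimenez@boomdesign.no> proto=ESMTP helo=<mx.example.net>
Mar 24 16:36:40 hst postfix/smtpd[5996]: [ID 197553 mail.info] 6D0E86A117: reject: RCPT from mail.example.org[198.51.100.7]: 450 <HollieXChaney@boomdesign.no>: User unknown in local recipient table; from=<bounce@example.org> to=<HollieXChaney@boomdesign.no> proto=ESMTP helo=<mail.example.org>
Mar 24 16:40:00 hst postfix/smtpd[5997]: [ID 197553 mail.info] 6E0F76A118: reject: RCPT from unknown[192.0.2.10]: 450 <MontyLDiggs@boomdesign.no>: User unknown in local recipient table; from=<> to=<MontyLDiggs@boomdesign.no> proto=ESMTP helo=<mx.example.net>
"""

# One regex for the reject line; the '[ID ... mail.info]' tag is optional.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?:\[ID \d+ \S+\] )?"
    r"(?P<qid>[0-9A-F]+): reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>$"
)


def parse_rejects(log_text: str, year: int = 2004) -> List[Dict[str, object]]:
    """One record per 'reject: RCPT' line; connect/client lines are skipped.
    Syslog timestamps have no year, so the caller supplies one (2004 assumed)."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["when"] = datetime.strptime(str(rec["ts"]), "%b %d %H:%M:%S").replace(year=year)
        rec["localpart"] = str(rec["rcpt"]).partition("@")[0]
        records.append(rec)
    return records


def rejects_per_client(records: List[Dict[str, object]]) -> Counter:
    """How many unknown-recipient rejects each client IP produced."""
    return Counter(str(r["ip"]) for r in records)


def mean_interval_seconds(count: int, window_seconds: int = 86400) -> float:
    """The poster's arithmetic: one reject every window/count seconds."""
    return window_seconds / count


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Figures that separate a recipient-guessing run from ordinary typos:
    almost every recipient different, mostly null senders, several clients."""
    n = len(records)
    times = sorted(r["when"] for r in records)  # type: ignore[type-var]
    span = (times[-1] - times[0]).total_seconds() if n > 1 else 0.0  # type: ignore[operator]
    return {
        "rejects": n,
        "distinct_recipients": len({r["localpart"] for r in records}),
        "distinct_clients": len({r["ip"] for r in records}),
        "null_sender_fraction": sum(1 for r in records if r["sender"] == "") / n if n else 0.0,
        "span_seconds": span,
        "mean_interval": span / (n - 1) if n > 1 else None,
    }


def looks_like_dictionary_attack(summary: Dict[str, object], min_rejects: int = 100,
                                 min_distinct_ratio: float = 0.9,
                                 min_null_sender: float = 0.5) -> bool:
    """Heuristic (an assumption of this example, not a Postfix feature)."""
    n = int(summary["rejects"])
    if n < min_rejects:
        return False
    ratio = int(summary["distinct_recipients"]) / n
    return ratio >= min_distinct_ratio and float(summary["null_sender_fraction"]) >= min_null_sender


def access_map(records: List[Dict[str, object]], threshold: int) -> str:
    """Text for a Postfix access(5) map: clients with >= threshold rejects get
    REJECT plus reply text. Threshold is a tuning assumption."""
    lines = [f"{ip}\tREJECT too many unknown recipients ({n} rejects)"
             for ip, n in rejects_per_client(records).most_common() if n >= threshold]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG)
    print(summarize(recs))
    print("poster's day:", round(mean_interval_seconds(12474), 2), "s between rejects")
    print(access_map(recs, threshold=2), end="")
```

    The map text goes into a file, say /etc/postfix/client_access, is compiled with postmap, and is consulted by adding check_client_access hash:/etc/postfix/client_access to smtpd_client_restrictions in main.cf. One caveat the quoted log line raises: the rejection is a 450, a temporary failure, so a retrying client is being told to come back; Postfix's unknown_local_recipient_reject_code controls that reply and 550 makes the rejection permanent.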

      Originally posted by mtimdog
      they'll have to spend more money for IPs to send you stuff, which you'll block......

      Or just use relays left open by stupid people who don't know what they're doing :mad:

        stupid administrators :eek: ...well I never

          Hehe, yeah, it might be the administrators.
          If so, I've got a lot of cracked mailservers in my list.

          But what about spoofing the host/ip? How difficult is that, actually?

          If that is easy, all the spammer has to do is find valid hosts and set up his prog (the prog of evil!) to fetch the stuff from an internal list while spewing out garb.

          But the inefficiency of it all baffles me.
          What are the odds that the recipient MaryanneEJimenez exists at any random domain?
          Or HollieXChaney or MontyLDiggs?

          My favourite is HarlanXMcmillan 😃
          Or maybe KristopherQPlummer.

          Well, anyway - I'm gonna filter all the syslogs into a db, to get the domains sorted.
          Perhaps I'll publish the url here later on..

          knutm :-)

            If you're ever gonna write a crime novel and can't think of a name for the main character, contact me.

            We can work something out.

            knutm ;-)

              Originally posted by mogster
              If you're ever gonna write a crime novel and can't think of a name for the main character, contact me.

              We can work something out.

              knutm ;-)

              LOL!

              "I was a teenage spammer, by:"

                Jah, or:

                "Grandpa was a soldier in the Flame Wars; by:"

                I'll set up the stuff template-ish, so that you just write a {name_of_main_character} where the supposed name should be, then you can test till you find one with a suitably dubious, anti-hero flair.

                Perhaps even the subcharacters, like {lavish_blonde_smoking_a_cigarette} and {thug_with_gun_not_very_bright}

                Hey!, I'm gonna make a living out of this! 😃

                knutm :-)
