Tarpit "User unknown in local recipient table"?

From: Adhamh Findlay (postfixadhamh.com)
Date: Sat Jul 01 2006 - 09:21:42 CDT


Greetings,

For lack of a better description, it seems that I am the victim of a
spam dictionary attack. It's not a DoS situation, but I am getting messages
to unknown users at a rate of at least one a minute. The messages are
coming from different servers, but there seems to be a set of servers
sending these emails out.

For example, if I grep my mail log file for "marcell", I find one message a day
to some user that has the "marcell" string in the user name. If I then grep
the log file for one of the IP addresses that sent such a message, I get
anywhere from 1 to 736 hits, so sometimes the same machine is doing this but
not always.

Excerpt from marcell grep:

Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
adagio.vigi.net[59.124.92.112]: 550 <marcellcrissmanfoo.com>: Recipient
address rejected: User unknown in local recipient table; from=<>
to=<marcellcrissmanfoo.com> proto=SMTP helo=<adagio.vigi.net>

Jun 24 08:51:24 ns-foo.com postfix/smtpd[16937]: NOQUEUE: reject: RCPT from
mx2.fabbricadigitale.it[217.169.111.37]: 550 <marcellofoo.com>: Recipient
address rejected: User unknown in local recipient table; from=<>
to=<marcellofoo.com> proto=ESMTP helo=<mx8.fdnet.net>

Excerpt from IP grep:

Jun 24 04:30:50 ns-foo.com postfix/smtpd[15998]: connect from
adagio.vigi.net[59.124.92.112]
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
adagio.vigi.net[59.124.92.112]: 550 <marcellcrissmanfoo.com>: Recipient
address rejected: User unknown in local recipient table; from=<>
to=<marcellcrissmanfoo.com> proto=SMTP helo=<adagio.vigi.net>
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: disconnect from
adagio.vigi.net[59.124.92.112]

Jun 28 23:34:17 ns-foo.com postfix/smtpd[28782]: connect from
adagio.vigi.net[59.124.92.112]
Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: NOQUEUE: reject: RCPT from
adagio.vigi.net[59.124.92.112]: 550 <schellercierrafoo.com>: Recipient
address rejected: User unknown in local recipient table; from=<>
to=<schellercierrafoo.com> proto=SMTP helo=<adagio.vigi.net>
Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: disconnect from
adagio.vigi.net[59.124.92.112]

If anyone is interested I can send the more detailed results offline.

Does anyone have suggestions on how to deal with this? I could grep through
the log files and start blocking IP addresses, but I'd like something a
little more elegant.

Would it be possible to start tarpitting these servers to make them pay a
higher price for sending these messages?

Thanks,

Adhamh
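Added example, not part of the original post and not a Postfix feature: a small Python script that does the "grep the log for an IP" step above systematically. It parses smtpd "User unknown in local recipient table" rejects in the default Postfix syslog format, tallies per client IP how many rejects, how many distinct recipients and how many null senders (from=<>) were seen, and flags clients that show both volume and variety, which separates a dictionary walk from a legitimate MX that mistyped one address. It then renders the flagged IPs as the body of a cidr: table for check_client_access. The log lines, the example.com addresses, the thresholds and the reject text are constructed for this example and are assumptions, not data from the post.

```python
"""Pick out SMTP dictionary-attack clients from Postfix smtpd reject lines.

Added example; not from the original post. Assumes the default Postfix
syslog line format quoted in the post.
"""
import re

# One "User unknown in local recipient table" reject as logged by smtpd.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"\d{3} <(?P<rcpt>[^>]*)>: Recipient address rejected: "
    r"User unknown in local recipient table; from=<(?P<sender>[^>]*)>"
)

# Constructed sample log (not real data): the hostnames and IPs are the ones
# quoted in the post; the addresses and the extra lines are invented so that
# one client shows up as a repeat offender and one as a single stray reject.
SAMPLE_LOG = """\
Jun 24 04:30:50 ns-foo.com postfix/smtpd[15998]: connect from adagio.vigi.net[59.124.92.112]
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <marcellcrissman@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcellcrissman@example.com> proto=SMTP helo=<adagio.vigi.net>
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: disconnect from adagio.vigi.net[59.124.92.112]
Jun 24 08:51:24 ns-foo.com postfix/smtpd[16937]: NOQUEUE: reject: RCPT from mx2.fabbricadigitale.it[217.169.111.37]: 550 <marcello@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcello@example.com> proto=ESMTP helo=<mx8.fdnet.net>
Jun 25 11:02:03 ns-foo.com postfix/smtpd[17210]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <marcellina@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcellina@example.com> proto=SMTP helo=<adagio.vigi.net>
Jun 26 19:45:10 ns-foo.com postfix/smtpd[20001]: 3F2A1C0B1: client=mail.example.net[192.0.2.10]
Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <schellercierra@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<schellercierra@example.com> proto=SMTP helo=<adagio.vigi.net>
Jun 29 07:12:44 ns-foo.com postfix/smtpd[29310]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <schellerdana@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bounce@spammer.example> to=<schellerdana@example.com> proto=SMTP helo=<adagio.vigi.net>
"""


def tally_rejects(log_text):
    """Per client IP: reject count, distinct probed recipients, null-sender
    count, first/last timestamp. Connects, disconnects and deliveries are
    skipped because they do not match REJECT_RE."""
    stats = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        s = stats.setdefault(m.group("ip"), {
            "host": m.group("host"), "rejects": 0, "recipients": set(),
            "null_sender": 0, "first": m.group("ts"), "last": m.group("ts")})
        s["rejects"] += 1
        s["recipients"].add(m.group("rcpt").lower())
        if m.group("sender") == "":      # from=<>: probe disguised as a bounce
            s["null_sender"] += 1
        s["last"] = m.group("ts")        # log is in time order
    return stats


def dictionary_attackers(stats, min_rejects=3, min_distinct=3):
    """A real sender mistypes one address; a dictionary attack walks many
    distinct local-parts. Require both volume and variety before flagging.
    Thresholds are assumed values, tune them to the site's traffic."""
    hits = [ip for ip, s in stats.items()
            if s["rejects"] >= min_rejects and len(s["recipients"]) >= min_distinct]
    return sorted(hits, key=lambda ip: -stats[ip]["rejects"])


def render_cidr_map(ips, stats, action="REJECT too many unknown recipients"):
    """Body of a Postfix cidr: table for check_client_access. The file path
    and the exact reply text are the admin's choice (assumed here)."""
    out = []
    for ip in ips:
        s = stats[ip]
        out.append(f"# {s['host']}: {s['rejects']} rejects, "
                   f"{len(s['recipients'])} recipients, {s['first']} .. {s['last']}")
        out.append(f"{ip}/{128 if ':' in ip else 32} {action}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    st = tally_rejects(SAMPLE_LOG)
    print(render_cidr_map(dictionary_attackers(st), st), end="")
```

Running it on the constructed log flags only 59.124.92.112 (four rejects, four different recipients, three of them with a null sender); the single reject from 217.169.111.37 stays under the threshold, which is what you want for a real MX that merely mistyped one address. The generated table can be wired in with check_client_access cidr:/path/to/table in smtpd_client_restrictions (path assumed). Note that these rejects are NOQUEUE, so Postfix never accepts or bounces the probes; the from=<> on them is the attacker's choice, not a bounce your server generated. For the tarpit itself, Postfix already has the knobs: every rejected RCPT counts as an error for smtpd_soft_error_limit and smtpd_hard_error_limit, and once a client passes the soft limit each reply is delayed by smtpd_error_sleep_time, with the session dropped at the hard limit; the anvil rate limits (smtpd_client_recipient_rate_limit, Postfix 2.2 and later) cap how many recipients one client can try per time unit regardless of outcome.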