Re: Tarpit "User unknown in local recipient table"?

From: Sandy Drobic (postfix-users@japantest.homelinux.com)
Date: Sat Jul 01 2006 - 14:26:20 CDT


Adhamh Findlay wrote:
> Greetings,
>
> For lack of a better description it seems that I am being the victim of a
> spam dictionary attack. It's not a DOS situation, but I am getting messages
> to unknown users at a rate of at least once a minute. The messages are
> coming from different servers, but there seems to be a set of servers
> sending these emails out.

Nothing to worry about. A real dictionary attack from a bot net would
likely tie up all your available resources.

> For example if I grep my mail log file "marcell", I find one message a day
> to some user that has the "marcell" string in the user name. If I then grep
> the log file for one of the IP addresses that sent such a message I get
> anywhere from 1 to 736 hits, so sometimes the same machine is doing this but
> not always.
>
> Excerpt from marcell grep:
>
> Jun 24 04:30:52 ns-foo.comg postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
> adagio.vigi.net[59.124.92.112]: 550 <marcellcrissmanfoo.comg>: Recipient
> address rejected: User unknown in local recipient table; from=<>
> to=<marcellcrissmanfoo.comg> proto=SMTP helo=<adagio.vigi.net>
>
> Jun 24 08:51:24 ns-foo.comg postfix/smtpd[16937]: NOQUEUE: reject: RCPT from
> mx2.fabbricadigitale.it[217.169.111.37]: 550 <marcellofoo.comg>: Recipient
> address rejected: User unknown in local recipient table; from=<>
> to=<marcellofoo.comg> proto=ESMTP helo=<mx8.fdnet.net>

This seems more like backscatter from poorly administered servers that do
not implement recipient validation. Probably a spammer uses randomly
created addresses from your domain as sender addresses. This happens to
all of us sometime.

>
> Excerpt from IP grep:
>
> Jun 24 04:30:50 ns-foo.com postfix/smtpd[15998]: connect from
> adagio.vigi.net[59.124.92.112]
> Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
> adagio.vigi.net[59.124.92.112]: 550 <marcellcrissmanfoo.com>: Recipient
> address rejected: User unknown in local recipient table; from=<>
> to=<marcellcrissmanfoo.com> proto=SMTP helo=<adagio.vigi.net>
> Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: disconnect from
> adagio.vigi.net[59.124.92.112]
>
> Jun 28 23:34:17 ns-foo.com postfix/smtpd[28782]: connect from
> adagio.vigi.net[59.124.92.112]
> Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: NOQUEUE: reject: RCPT from
> adagio.vigi.net[59.124.92.112]: 550 <schellercierrafoo.com>: Recipient
> address rejected: User unknown in local recipient table; from=<>
> to=<schellercierrafoo.com> proto=SMTP helo=<adagio.vigi.net>
> Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: disconnect from
> adagio.vigi.net[59.124.92.112]
>
> If anyone is interested I can send the more detailed results offline.
>
> Does anyone have suggestions on what to do about this? I could grep through
> the log files and start blocking ip addresses, but I'd like something a
> little more elegant.
>
> Would it be possible to start tarpitting these servers to make them pay a
> higher price for sending these messages?

That would be more like pissing into the storm. Spammers don't really care
if you tie up a few bot resources. They can use thousands and won't
notice. They also don't care if you start a little pissing match with the
backscatter servers. I even doubt that the admins of the backscatter
servers notice what you are doing. :-(
You on the other hand will notice the additional use of resources.

The best you can do is to monitor your resources, block some of the most
persistent spammers and tune your configuration in a way that rejects and
disconnects the client as fast as possible if the backscatter or direct
spam attempts are starting to hurt you.

Even if it is very annoying, you can't really do anything to stop
backscatter except reject it and block the most troublesome spam sources.

Sandy
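The advice above boils down to "monitor, then block only the persistent sources". The following script is an added example (not code from either poster) that does the monitoring part over Postfix `smtpd` reject lines of the kind quoted in the thread: it parses the "User unknown in local recipient table" rejects, splits them into backscatter (null sender, `from=<>`, i.e. a bounce for mail your domain never sent) and direct spam to guessed addresses (non-empty sender), counts rejects per client IP, and lists the clients that cross a threshold. The log lines are constructed to match the format shown in the post; the hostnames, IPs and addresses are placeholders, not data from the list.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the format quoted in the thread.
# Hosts, IPs and addresses are placeholders (RFC 5737 ranges), not real data.
SAMPLE_LOG = """\
Jun 24 04:30:52 mx.example.test postfix/smtpd[15998]: NOQUEUE: reject: RCPT from host-a.example.test[192.0.2.10]: 550 <marcellcrissman@example.test>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcellcrissman@example.test> proto=SMTP helo=<host-a.example.test>
Jun 24 08:51:24 mx.example.test postfix/smtpd[16937]: NOQUEUE: reject: RCPT from host-b.example.test[198.51.100.7]: 550 <marcello@example.test>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcello@example.test> proto=ESMTP helo=<host-b.example.test>
Jun 28 23:34:18 mx.example.test postfix/smtpd[28782]: NOQUEUE: reject: RCPT from host-a.example.test[192.0.2.10]: 550 <schellercierra@example.test>: Recipient address rejected: User unknown in local recipient table; from=<> to=<schellercierra@example.test> proto=SMTP helo=<host-a.example.test>
Jun 29 01:02:03 mx.example.test postfix/smtpd[30001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <aaron@example.test>: Recipient address rejected: User unknown in local recipient table; from=<sales@spam.example> to=<aaron@example.test> proto=SMTP helo=<pc>
Jun 29 01:02:04 mx.example.test postfix/smtpd[30001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <aarona@example.test>: Recipient address rejected: User unknown in local recipient table; from=<sales@spam.example> to=<aarona@example.test> proto=SMTP helo=<pc>
Jun 29 01:02:05 mx.example.test postfix/smtpd[30001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <aaronb@example.test>: Recipient address rejected: User unknown in local recipient table; from=<sales@spam.example> to=<aaronb@example.test> proto=SMTP helo=<pc>
Jun 29 01:05:00 mx.example.test postfix/smtpd[30002]: connect from host-a.example.test[192.0.2.10]
"""

# Matches only the "User unknown in local recipient table" RCPT rejects;
# "connect from" / "disconnect from" lines and other rejects are ignored.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 <[^>]*>: "
    r"Recipient address rejected: User unknown in local recipient table; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(sender):
    """Null sender (from=<>) means a bounce, i.e. backscatter; anything
    else is a direct delivery attempt to a guessed address."""
    return "backscatter" if sender == "" else "direct"


def parse_rejects(log_text):
    """Return one dict per matching reject line."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rejects.append({
            "client": m.group("client"),
            "ip": m.group("ip"),
            "sender": m.group("sender"),
            "rcpt": m.group("rcpt"),
            "kind": classify(m.group("sender")),
        })
    return rejects


def summarize(log_text):
    """Counts per reject class and per client IP (the monitoring view)."""
    rejects = parse_rejects(log_text)
    return {
        "total": len(rejects),
        "by_class": dict(Counter(r["kind"] for r in rejects)),
        "by_ip": dict(Counter(r["ip"] for r in rejects)),
    }


def persistent_clients(log_text, threshold):
    """IPs with at least `threshold` unknown-recipient rejects, most first.
    These are the candidates worth blocking; one-off backscatter hosts are not."""
    by_ip = summarize(log_text)["by_ip"]
    return sorted((ip for ip, n in by_ip.items() if n >= threshold),
                  key=lambda ip: (-by_ip[ip], ip))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("rejects:", s["total"], "by class:", s["by_class"])
    for ip, n in sorted(s["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n}")
    print("persistent (>=3):", persistent_clients(SAMPLE_LOG, 3))
```

Run it against a real log by replacing `SAMPLE_LOG` with the contents of the maillog. The split by sender matters for the decision the thread discusses: a host that sends one null-sender reject per day is a misconfigured bouncing server that you can only reject and ignore, while a single IP running through many guessed addresses with the same envelope sender is the kind of persistent source that justifies a client access entry.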