Loading ...
Sorry, an error occurred while loading the content.

293941Re: Is this an attack?

Expand Messages
  • Andreas Kasenides
    Jun 20, 2013
      On 20-06-2013 19:48, Noel Jones wrote:
      > On 6/20/2013 5:49 AM, Andreas Kasenides wrote:
      >
      >> Apparently there has been some harvesting going on of mail addresses
      >> where everything that has a "@" is picked up. The question is: was
      >> this harvesting from our log files or our mail storage - a very
      >> serious
      >> possibility which would indicate a break in.
      >
      > The Message-ID is stored as part of the message. Spammers harvest
      > these from web forums, email archives, and other public sources.
      >
      >> My conclusion is that the harvester is blindly picking usernames and
      >> domains
      >> from wherever it can (possibly from compromised systems but also
      >> from
      >> clear text net traffic) and pairing them at random!!
      >
      > Almost certainly from harvesting publicly accessible web pages, not
      > from a system compromise.
      >
      > Yes, these are often paired at random. Botnet operators have little
      > incentive to validate their user lists since it requires about the
      > same effort to send a few thousand messages as to send 100M messages.
      >
      > This is more of a nuisance than an actual security issue. Assuming
      > your system properly rejects unknown recipients, it is unlikely to
      > cause any operational problems.
      >
      > You should look into why you're getting temporary lookup failures in
      > your log. While that probably isn't a security issue, it is likely
      > reducing your performance and may also encourage some servers to
      > retry delivery, which multiplies the number of connections you
      > receive.
      >
      >
      >
      > -- Noel Jones

      OK, I hear you, will be upgrading to 2.10 to start using postscreen and
      look into fixing the temporary failure (4xx) to permanent (5xx) to do
      away with repeated connections.

      thanks
      regards
      Andreas
    • Show all 14 messages in this topic