Re: Is this an attack?

  • Andreas Kasenides
    Jun 20, 2013
      On 20-06-2013 19:48, Noel Jones wrote:
      > On 6/20/2013 5:49 AM, Andreas Kasenides wrote:
      >> Apparently there has been some harvesting going on of mail addresses
      >> where everything that has a "@" is picked up. The question is: was
      >> this harvesting from our log files or our mail storage - a very
      >> serious possibility which would indicate a break in.
      > The Message-ID is stored as part of the message. Spammers harvest
      > these from web forums, email archives, and other public sources.
      >> My conclusion is that the harvester is blindly picking usernames and
      >> domains from wherever it can (possibly from compromised systems but
      >> also from clear text net traffic) and pairing them at random!!
      > Almost certainly from harvesting publicly accessible web pages, not
      > from a system compromise.
      > Yes, these are often paired at random. Botnet operators have little
      > incentive to validate their user lists since it requires about the
      > same effort to send a few thousand messages as to send 100M messages.
      > This is more of a nuisance than an actual security issue. Assuming
      > your system properly rejects unknown recipients, it is unlikely to
      > cause any operational problems.
      > You should look into why you're getting temporary lookup failures in
      > your log. While that probably isn't a security issue, it is likely
      > reducing your performance and may also encourage some servers to
      > retry delivery, which multiplies the number of connections you
      > receive.
      > -- Noel Jones

      OK, I hear you, will be upgrading to 2.10 to start using postscreen and
      look into fixing the temporary failure (4xx) to permanent (5xx) to do
      away with repeated connections.
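Noel's point about temporary (4xx) rejects inviting retries, and Andreas's plan to turn them into permanent (5xx) rejects, can be checked against the mail log before and after the change. The script below is an added example, not part of the thread: it parses Postfix `smtpd` "NOQUEUE: reject: RCPT" lines, counts 4xx versus 5xx rejects per client, and lists clients that keep retrying into a temporary failure. The log lines are constructed samples in the standard Postfix format, and the 4xx threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (not taken from the thread);
# one client keeps retrying into a 450 "Temporary lookup failure".
SAMPLE_LOG = """\
Jun 20 09:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.3.0 <bob@example.org>: Temporary lookup failure; from=<spam@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Jun 20 09:06:15 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.3.0 <bob@example.org>: Temporary lookup failure; from=<spam@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Jun 20 09:11:30 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.3.0 <bob@example.org>: Temporary lookup failure; from=<spam@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Jun 20 09:12:44 mx postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<carol@example.org> proto=ESMTP helo=<example.com>
Jun 20 09:15:00 mx postfix/smtpd[1266]: 3A1B2C3D4E: client=mail.example.com[203.0.113.5]
"""

# Fields of a "NOQUEUE: reject: RCPT from ..." line: client IP, SMTP reply
# code, enhanced status code, recipient and the reject reason text.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);"
)


def summarize_rejects(log_text):
    """Count 4xx and 5xx RCPT rejects per client IP, plus reject reasons."""
    tempfail, permfail, reasons = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail, or a line we do not care about
        reasons[m["reason"]] += 1
        if m["code"].startswith("4"):
            tempfail[m["ip"]] += 1   # client will retry: extra connections
        elif m["code"].startswith("5"):
            permfail[m["ip"]] += 1   # final answer: sender should give up
    return tempfail, permfail, reasons


def retrying_clients(log_text, threshold=3):
    """Client IPs that hit at least `threshold` 4xx rejects: the retry load
    that temporary failures invite, and candidates for a 5xx answer instead."""
    tempfail, _, _ = summarize_rejects(log_text)
    return sorted(ip for ip, n in tempfail.items() if n >= threshold)


if __name__ == "__main__":
    temp, perm, why = summarize_rejects(SAMPLE_LOG)
    print("4xx per client:", dict(temp))
    print("5xx per client:", dict(perm))
    print("reasons:", dict(why))
    print("retrying clients:", retrying_clients(SAMPLE_LOG))
```

Run it against a real `mail.log` by reading the file into `summarize_rejects`; a high "Temporary lookup failure" count points at the lookup table or resolver that needs fixing rather than at the senders.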

