293941 Re: Is this an attack?
- Jun 20, 2013
On 20-06-2013 19:48, Noel Jones wrote:
> On 6/20/2013 5:49 AM, Andreas Kasenides wrote:
>> Apparently there has been some harvesting going on of mail addresses
>> where everything that has a "@" is picked up. The question is: was
>> this harvesting from our log files or our mail storage - a very
>> possibility which would indicate a break in.
> The Message-ID is stored as part of the message. Spammers harvest
> these from web forums, email archives, and other public sources.
>> My conclusion is that the harvester is blindly picking usernames and
>> from wherever it can (possibly from compromised systems but also
>> clear text net traffic) and pairing them at random!!
> Almost certainly from harvesting publicly accessible web pages, not
> from a system compromise.
> Yes, these are often paired at random. Botnet operators have little
> incentive to validate their user lists since it requires about the
> same effort to send a few thousand messages as to send 100M messages.
> This is more of a nuisance than an actual security issue. Assuming
> your system properly rejects unknown recipients, it is unlikely to
> cause any operational problems.
> You should look into why you're getting temporary lookup failures in
> your log. While that probably isn't a security issue, it is likely
> reducing your performance and may also encourage some servers to
> retry delivery, which multiplies the number of connections you
> -- Noel Jones

OK, I hear you, will be upgrading to 2.10 to start using postscreen and
look into fixing the temporary failure (4xx) to permanent (5xx) to do
away with repeated connections.
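
To check whether the temporary (4xx) rejections discussed above are actually drawing retries, the smtpd reject lines can be tallied by reply class and by client/recipient pair. This is an added example, not part of the original thread: the log lines are constructed samples in Postfix's smtpd log format, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun 20 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <abc123@example.org>: Temporary lookup failure; from=<a@spam.example> to=<abc123@example.org> proto=ESMTP helo=<host1>
Jun 20 10:06:40 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <abc123@example.org>: Temporary lookup failure; from=<a@spam.example> to=<abc123@example.org> proto=ESMTP helo=<host1>
Jun 20 10:07:11 mx postfix/smtpd[2144]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 451 4.3.0 <xyz789@example.org>: Temporary lookup failure; from=<b@spam.example> to=<xyz789@example.org> proto=SMTP helo=<host2>
Jun 20 10:09:55 mx postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@spam.example> to=<nobody@example.org> proto=ESMTP helo=<host3>
"""

# Matches RCPT-stage rejects: client[ip], SMTP reply code, DSN code, recipient, reason.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)


def summarize(log_text):
    """Return (rejects per reply class, {(ip, rcpt): count} for repeated 4xx rejects)."""
    by_class = Counter()
    temp_attempts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # not an smtpd RCPT reject line
        klass = "temporary" if m["code"].startswith("4") else "permanent"
        by_class[klass] += 1
        if klass == "temporary":
            # A 4xx reply tells the client to try again later, so the same
            # (client IP, recipient) pair showing up again is a retry.
            temp_attempts[(m["ip"], m["rcpt"])] += 1
    retried = {pair: n for pair, n in temp_attempts.items() if n > 1}
    return by_class, retried


if __name__ == "__main__":
    classes, retried = summarize(SAMPLE_LOG)
    print("rejects by class:", dict(classes))
    for (ip, rcpt), n in sorted(retried.items()):
        print(f"{ip} hit <{rcpt}> {n} times with a 4xx reply")
```
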