Re: Tarpit "User unknown in local recipient table"?

  • Sandy Drobic
    Message 1 of 6 , Jul 1, 2006
      Adhamh Findlay wrote:
      > Greetings,
      >
      > For lack of a better description it seems that I am being the victim of a
      > spam dictionary attack. It's not a DOS situation, but I am getting messages
      > to unknown users at a rate of at least once a minute. The messages are
      > coming from different servers, but there seems to be a set of servers
      > sending these emails out.

      Nothing to worry about. A real dictionary attack from a bot net would
      likely tie up all your available resources.

      > For example if I grep my mail log file "marcell", I find one message a day
      > to some user that has the "marcell" string in the user name. If I then grep
      > the log file for one of the IP addresses that sent such a message I get any
      > where from 1 to 736 hits, so sometimes the same machine is doing this but
      > not always.
      >
      > Excerpt from marcell grep:
      >
      > Jun 24 04:30:52 ns-foo.comg postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
      > adagio.vigi.net[59.124.92.112]: 550 <marcellcrissman@...>: Recipient
      > address rejected: User unknown in local recipient table; from=<>
      > to=<marcellcrissman@...> proto=SMTP helo=<adagio.vigi.net>
      >
      > Jun 24 08:51:24 ns-foo.comg postfix/smtpd[16937]: NOQUEUE: reject: RCPT from
      > mx2.fabbricadigitale.it[217.169.111.37]: 550 <marcello@...>: Recipient
      > address rejected: User unknown in local recipient table; from=<>
      > to=<marcello@...> proto=ESMTP helo=<mx8.fdnet.net>

      This seems more like backscatter from poorly administered servers that do
      not implement recipient validation. Probably a spammer uses randomly
      created addresses from your domain as sender addresses. This happens to
      all of us sometime.

      >
      > Excerpt from IP grep:
      >
      > Jun 24 04:30:50 ns-foo.com postfix/smtpd[15998]: connect from
      > adagio.vigi.net[59.124.92.112]
      > Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from
      > adagio.vigi.net[59.124.92.112]: 550 <marcellcrissman@...>: Recipient
      > address rejected: User unknown in local recipient table; from=<>
      > to=<marcellcrissman@...> proto=SMTP helo=<adagio.vigi.net>
      > Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: disconnect from
      > adagio.vigi.net[59.124.92.112]
      >
      > Jun 28 23:34:17 ns-foo.com postfix/smtpd[28782]: connect from
      > adagio.vigi.net[59.124.92.112]
      > Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: NOQUEUE: reject: RCPT from
      > adagio.vigi.net[59.124.92.112]: 550 <schellercierra@...>: Recipient
      > address rejected: User unknown in local recipient table; from=<>
      > to=<schellercierra@...> proto=SMTP helo=<adagio.vigi.net>
      > Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: disconnect from
      > adagio.vigi.net[59.124.92.112]
      >
      > If anyone is interested I can send the more detailed results offline.
      >
      > Does anyone have suggestions on how to do with this? I could grep through
      > the log files and start blocking ip addresses, but I'd like something a
      > little more elegant.
      >
      > Would it be possible to start tarpitting these servers to make them pay a
      > higher price for sending these messages?

      That would be more like pissing into the storm. Spammers don't really care
      if you tie up a few bot resources. They can use thousands and won't
      notice. They also don't care if you start a little pissing match with the
      backscatter servers. I even doubt that the admins of the backscatter
      servers notice what you are doing. :-(
      You on the other hand will notice the additional use of resources.

      The best you can do is to monitor your resources, block some of the most
      persistent spammers and tune your configuration in a way that rejects and
      disconnects the client as fast as possible if the backscatter or direct
      spam attempts are starting to hurt you.

      Even if it is very annoying, you can't really do anything to stop
      backscatter except reject it and block the most troublesome spam sources.

      Sandy
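The distinction Sandy draws above (null-sender bounces to unknown users are backscatter, non-null senders to unknown users are direct probes) can be pulled straight out of the smtpd reject lines. This is an added example, not code from the thread: it parses constructed log lines modelled on the quoted excerpt (hostnames and IPs from the excerpt, example.com standing in for the redacted domain) and counts rejects per client and class so the most persistent sources stand out.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in this thread.
# Client names/IPs come from the excerpt; example.com is a placeholder domain.
SAMPLE_LOG = """\
Jun 24 04:30:50 ns-foo.com postfix/smtpd[15998]: connect from adagio.vigi.net[59.124.92.112]
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <marcellcrissman@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcellcrissman@example.com> proto=SMTP helo=<adagio.vigi.net>
Jun 24 04:30:52 ns-foo.com postfix/smtpd[15998]: disconnect from adagio.vigi.net[59.124.92.112]
Jun 24 08:51:24 ns-foo.com postfix/smtpd[16937]: NOQUEUE: reject: RCPT from mx2.fabbricadigitale.it[217.169.111.37]: 550 <marcello@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<marcello@example.com> proto=ESMTP helo=<mx8.fdnet.net>
Jun 28 23:34:18 ns-foo.com postfix/smtpd[28782]: NOQUEUE: reject: RCPT from adagio.vigi.net[59.124.92.112]: 550 <schellercierra@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<schellercierra@example.com> proto=SMTP helo=<adagio.vigi.net>
Jun 29 01:02:03 ns-foo.com postfix/smtpd[29001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <bob123@example.com>: Recipient address rejected: User unknown in local recipient table; from=<sales@example.net> to=<bob123@example.com> proto=SMTP helo=<example.net>
"""

# Matches only the "User unknown in local recipient table" rejects.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: 550 <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: User unknown in local recipient table; "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def parse_rejects(log_text):
    """Yield one dict per unknown-recipient reject line; other lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()

def classify(rec):
    """from=<> is the null sender used by bounces/DSNs: an unknown recipient with
    a null sender is the backscatter signature. A non-null sender to an unknown
    user looks like a direct dictionary/spam probe instead."""
    return "backscatter" if rec["sender"] == "" else "direct"

def summarize(log_text):
    """Count rejects per (client ip, class)."""
    counts = Counter()
    for rec in parse_rejects(log_text):
        counts[(rec["ip"], classify(rec))] += 1
    return counts

def top_sources(log_text, n=5):
    """The most persistent sources, the ones worth considering for a block."""
    return summarize(log_text).most_common(n)
```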
    • mouss
      Message 2 of 6 , Jul 2, 2006
        Adhamh Findlay wrote:
        > Greetings,
        >
        > For lack of a better description it seems that I am being the victim of a
        > spam dictionary attack. It's not a DOS situation, but I am getting messages
        > to unknown users at a rate of at least once a minute. The messages are
        > coming from different servers, but there seems to be a set of servers
        > sending these emails out.
        >
        > For example if I grep my mail log file "marcell", I find one message a day
        > to some user that has the "marcell" string in the user name. If I then grep
        > the log file for one of the IP addresses that sent such a message I get any
        > where from 1 to 736 hits, so sometimes the same machine is doing this but
        > not always.
        >
        >
        As Sandy said, this is more probably a joe job attack. Addresses from
        your domains are used as sender in spam/virus/whatever mail, and the
        recipient domain is misconfigured, and does backscatter. There are
        unfortunately many broken sites.

        What you can do is add a trap address and make some or all of these
        "unknown" addresses virtual aliases for this trap. Then look at the mail
        to see if it is really backscatter. If so, report them to spamcops.
        Depending on the situation, you may also complain to the abuse contact
        and to whois contacts of the misconfigured clients.
      • Adhamh Findlay
        Message 3 of 6 , Jul 2, 2006
          On Sun, 02 Jul 2006 14:06:26 +0200, mouss <usebsd@...> wrote:
          >>
          >>
          > As sandy said, this is more probably a joe job attack. addresses from
          > your domains are used as sender in spam/virus/whatever mail, and the
          > recipient domain is misconfigured, and does backscatter. There are
          > unfortunately many broken sites.
          >
          > what you can do is add a trap address and make some or all of these
          > "unknown" addresses virtual aliases for this trap. Then look at the mail
          > to see if it is really backscatter. If so, report them to spamcops.
          > depending on the situation, you may also complain to the abuse contact
          > and to whois contacts of the misconfigured clients.

          I tried to do this with luser_relay, but I didn't get any of these messages delivered to the relay account. Did you have a different setup in mind?

          Is there anything besides my SPF record I can do to help prevent this joe job attack leading to my domain getting blacklisted?

          Thanks,

          Adhamh
        • Sandy Drobic
          Message 4 of 6 , Jul 2, 2006
            Adhamh Findlay wrote:
            > On Sun, 02 Jul 2006 14:06:26 +0200, mouss <usebsd@...> wrote:
            >>>
            >> As sandy said, this is more probably a joe job attack. addresses from
            >> your domains are used as sender in spam/virus/whatever mail, and the
            >> recipient domain is misconfigured, and does backscatter. There are
            >> unfortunately many broken sites.
            >>
            >> what you can do is add a trap address and make some or all of these
            >> "unknown" addresses virtual aliases for this trap. Then look at the
            >> mail to see if it is really backscatter. If so, report them to
            >> spamcops. depending on the situation, you may also complain to the
            >> abuse contact and to whois contacts of the misconfigured clients.
            >
            > I tried to do this with luser_relay, but I didn't get any of these
            > messages delivered to the relay account. Did you have a different
            > setup in mind?

            Just have a look at the pattern of these spam mails and use a regexp alias
            in virtual to rewrite such a pattern to a spamtrap address. For example, I
            get a lot of attempts like this one:

            44843d68.3030608@...

            In that case you can just add a fitting expression to rewrite such an
            address to a spamtrap address.

            /etc/postfix/main.cf:
            virtual_alias_maps =
            hash:/etc/postfix/virtual,
            pcre:/etc/postfix/virtual.pcre

            /etc/postfix/virtual.pcre:
            /^[0-9a-e]+\.[0-9a-e]+@.../ spamtrap@...

            That is a pattern not used in any real addresses, so I would only catch
            spam with such a pattern. Of course, I would have to add
            "spamtrap@example.com" to the list of valid addresses and have a mailbox
            for the address.

            > Is there anything besides my SPF record I can do to help prevent this
            > joe job attack leading to my domain getting blacklisted?

            I don't think it would help. If an admin is careless enough to have a
            backscatter server, then he won't implement spf checks either. :-(

            Your domain won't be blacklisted just because it is abused as a sender
            address by a spammer. Only some desperate admins of small sites would do that.

            Sandy
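Before putting a pcre: virtual alias like Sandy's into production, the thing to verify is the caveat she states: the pattern must divert the junk addresses and nothing a real user owns. This added example (not code from the thread or from Postfix) emulates the lookup semantics of a pcre_table(5) file, first applicable rule wins, "!" rules apply when they do not match, $N expanded from the match, with Sandy's pattern kept as she wrote it and example.com assumed for the redacted domain; it is a simplified model, not the full flag set Postfix supports.

```python
import re

# Constructed stand-in for the thread's /etc/postfix/virtual.pcre. The pattern
# is the one posted above (kept as written); example.com is an assumed placeholder.
VIRTUAL_PCRE = r"""
# hex-looking local parts such as 44843d68.3030608@... never belong to real users
/^[0-9a-e]+\.[0-9a-e]+@example\.com$/  spamtrap@example.com
"""

# optional "!", /pattern/ (with \/ escapes allowed), flags, whitespace, result
LINE_RE = re.compile(r"^(!?)/((?:\\.|[^/])*)/([a-zA-Z]*)\s+(\S+)$")

def load_pcre_table(text):
    """Parse 'pattern result' lines into compiled rules. Postfix matches
    case-insensitively by default; other flags are accepted but ignored here
    (a simplification of pcre_table(5), not its full behaviour)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable table line: %r" % line)
        negate, pattern, _flags, result = m.groups()
        rules.append((negate == "!", re.compile(pattern, re.IGNORECASE), result))
    return rules

def lookup(rules, address):
    """First rule that applies wins: a plain rule applies when it matches, a
    '!' rule when it does not. Returns the rewritten address, or None when
    no rule applies (Postfix then leaves the recipient alone)."""
    for negated, rx, result in rules:
        m = rx.search(address)
        if bool(m) != negated:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) if m else "", result)
    return None

def caught_real_addresses(rules, valid_addresses):
    """Sandy's caveat as a check: return the legitimate addresses the table
    would silently divert to the trap. Should be empty before deployment."""
    return [a for a in valid_addresses if lookup(rules, a) is not None]
```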
          • mouss
            Message 5 of 6 , Jul 2, 2006
              Adhamh Findlay wrote:
              > On Sun, 02 Jul 2006 14:06:26 +0200, mouss <usebsd@...> wrote:
              >
              >>>
              >> As sandy said, this is more probably a joe job attack. addresses from
              >> your domains are used as sender in spam/virus/whatever mail, and the
              >> recipient domain is misconfigured, and does backscatter. There are
              >> unfortunately many broken sites.
              >>
              >> what you can do is add a trap address and make some or all of these
              >> "unknown" addresses virtual aliases for this trap. Then look at the mail
              >> to see if it is really backscatter. If so, report them to spamcops.
              >> depending on the situation, you may also complain to the abuse contact
              >> and to whois contacts of the misconfigured clients.
              >>
              >
              > I tried to do this with luser_relay, but I didn't get any of these messages delivered to the relay account. Did you have a different setup in mind?
              >

              Reread my post. Watch the "virtual aliases" thing.

              PS. This is my last response to you since your server blocks me... Let's
              keep balkanizing the internet :-{
              Anyway, if you don't get mail from me, be that directly or via the list,
              you'll know why.

              > Is there anything besides my SPF record I can do to help prevent this joe job attack leading to my domain getting blacklisted?
              >
              >
              Unfortunately, there's not much you can do, except reporting these
              servers and/or complaining to their whois contacts. And of course,
              spread the word: let people know they _must_ implement recipient
              validation correctly, and they should never bounce after accepting, be
              that for broken recipient validation or for spam/virus filtering.

              There is a running thread on this list. Look for recent messages with a
              subject of: "Re: virtual_alias_maps: rewriting outbound" and you'll see
              what I mean ;-p