Re: Is this an attack?
- On 20-06-2013 19:48, Noel Jones wrote:
> On 6/20/2013 5:49 AM, Andreas Kasenides wrote:OK, I hear you, will be upgrading to 2.10 to start using postscreen and
>> Apparently there has been some harvesting going on of mail addresses
>> where everything that has a "@" is picked up. The question is: was
>> this harvesting from our log files or our mail storage - a very
>> possibility which would indicate a break in.
> The Message-ID is stored as part of the message. Spammers harvest
> these from web forums, email archives, and other public sources.
>> My conclusion is that the harvester is blindly picking usernames and
>> from wherever it can (possibly from compromised systems but also
>> clear text net traffic) and pairing them at random!!
> Almost certainly from harvesting publicly accessible web pages, not
> from a system compromise.
> Yes, these are often paired at random. Botnet operators have little
> incentive to validate their user lists since it requires about the
> same effort to send a few thousand messages as to send 100M messages.
> This is more of a nuisance than an actual security issue. Assuming
> your system properly rejects unknown recipients, it is unlikely to
> cause any operational problems.
> You should look into why you're getting temporary lookup failures in
> your log. While that probably isn't a security issue, it is likely
> reducing your performance and may also encourage some servers to
> retry delivery, which multiplies the number of connections you
> -- Noel Jones
look into fixing the temporary failure (4xx) to permanent (5xx) to do
away with repeated connections.
- On Fri, Jun 21, 2013 at 09:46:57AM +0300, Andreas Kasenides wrote:
> On 20-06-2013 19:48, Noel Jones wrote:No, you don't seem to understand. (Or maybe you do, but the way you
> >You should look into why you're getting temporary lookup
> >failures in your log. While that probably isn't a security
> >issue, it is likely reducing your performance and may also
> >encourage some servers to retry delivery, which multiplies
> >the number of connections you receive.
> OK, I hear you, will be upgrading to 2.10 to start using
> postscreen and look into fixing the temporary failure (4xx)
> to permanent (5xx) to do away with repeated connections.
worded that is ambiguous.) The temporary lookup failures are a
problem on your system. That fact was referred to several times in
this thread, but it was never covered with diagnostic information.
Find out which lookup fails, when, and why. postmap(1)'s -q option
helps you test your lookups.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: