
Re: Is this an attack?

  • Andreas Kasenides
    Message 1 of 14 , Jun 20, 2013
      On 20-06-2013 19:48, Noel Jones wrote:
      > On 6/20/2013 5:49 AM, Andreas Kasenides wrote:
      >
      >> Apparently there has been some harvesting going on of mail addresses
      >> where everything that has a "@" is picked up. The question is: was
      >> this harvesting from our log files or our mail storage - a very
      >> serious possibility which would indicate a break in.
      >
      > The Message-ID is stored as part of the message. Spammers harvest
      > these from web forums, email archives, and other public sources.
      >
      >> My conclusion is that the harvester is blindly picking usernames and
      >> domains from wherever it can (possibly from compromised systems but
      >> also from clear text net traffic) and pairing them at random!!
      >
      > Almost certainly from harvesting publicly accessible web pages, not
      > from a system compromise.
      >
      > Yes, these are often paired at random. Botnet operators have little
      > incentive to validate their user lists since it requires about the
      > same effort to send a few thousand messages as to send 100M messages.
      >
      > This is more of a nuisance than an actual security issue. Assuming
      > your system properly rejects unknown recipients, it is unlikely to
      > cause any operational problems.
      >
      > You should look into why you're getting temporary lookup failures in
      > your log. While that probably isn't a security issue, it is likely
      > reducing your performance and may also encourage some servers to
      > retry delivery, which multiplies the number of connections you
      > receive.
      >
      >
      >
      > -- Noel Jones

      OK, I hear you, will be upgrading to 2.10 to start using postscreen and
      look into fixing the temporary failure (4xx) to permanent (5xx) to do
      away with repeated connections.

      thanks
      regards
      Andreas
    • /dev/rob0
      Message 2 of 14 , Jun 21, 2013
        On Fri, Jun 21, 2013 at 09:46:57AM +0300, Andreas Kasenides wrote:
        > On 20-06-2013 19:48, Noel Jones wrote:
        > >You should look into why you're getting temporary lookup
        > >failures in your log. While that probably isn't a security
        > >issue, it is likely reducing your performance and may also
        > >encourage some servers to retry delivery, which multiplies
        > >the number of connections you receive.
        >
        > OK, I hear you, will be upgrading to 2.10 to start using
        > postscreen and look into fixing the temporary failure (4xx)
        > to permanent (5xx) to do away with repeated connections.

        No, you don't seem to understand. (Or maybe you do, but the way you
        worded that is ambiguous.) The temporary lookup failures are a
        problem on your system. That fact was referred to several times in
        this thread, but it was never covered with diagnostic information.

        Find out which lookup fails, when, and why. postmap(1)'s -q option
        helps you test your lookups.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
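
Added example, not part of the thread and not written by any of its participants: one way to work out from the mail log which lookup fails, when, and why, before testing that table with postmap -q. The log lines are constructed, the LDAP table path is a hypothetical stand-in (the thread never says which table fails), and the function names `triage` and `summarize` are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). The layout follows common
# Postfix syslog output; the LDAP table is an assumed, hypothetical cause.
SAMPLE_LOG = """\
Jun 21 09:12:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jun 21 09:12:02 mx postfix/smtpd[2101]: warning: ldap:/etc/postfix/ldap-users.cf lookup error for "bob@example.org"
Jun 21 09:12:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <bob@example.org>: Temporary lookup failure; from=<x@example.net> to=<bob@example.org> proto=ESMTP helo=<h1>
Jun 21 09:12:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <zz@example.org>: Recipient address rejected: User unknown; from=<y@example.net> to=<zz@example.org> proto=ESMTP helo=<h2>
Jun 21 10:03:15 mx postfix/smtpd[2230]: warning: ldap:/etc/postfix/ldap-users.cf lookup error for "amy@example.org"
Jun 21 10:03:15 mx postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 451 4.3.0 <amy@example.org>: Temporary lookup failure; from=<x@example.net> to=<amy@example.org> proto=ESMTP helo=<h1>
"""

LINE = re.compile(r"^(\w{3}\s+\d+ (\d\d):\d\d:\d\d) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
REJECT = re.compile(r"reject: RCPT from \S+?\[([^\]]+)\]: 451 4\.3\.0 <([^>]*)>: Temporary lookup failure")

def triage(log_text):
    """Pair each 451 'Temporary lookup failure' with the last warning from the same smtpd PID."""
    last_warning = {}   # pid -> most recent warning text from that process
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, hour, pid, msg = m.groups()
        if msg.startswith("warning: "):
            last_warning[pid] = msg[len("warning: "):]
            continue
        r = REJECT.search(msg)
        if r:  # permanent 5xx rejects (unknown users) are deliberately ignored
            failures.append({"when": stamp, "hour": hour, "client": r.group(1),
                             "rcpt": r.group(2),
                             "cause": last_warning.get(pid, "no warning logged by this process")})
    return failures

def summarize(failures):
    """Count failures per hour and group recipients by the failing table."""
    by_hour = Counter(f["hour"] for f in failures)
    by_cause = defaultdict(list)
    for f in failures:
        # Drop the per-address suffix so the same table error groups together.
        by_cause[re.sub(r' for ".*"$', "", f["cause"])].append(f["rcpt"])
    return dict(by_hour), dict(by_cause)

if __name__ == "__main__":
    hours, causes = summarize(triage(SAMPLE_LOG))
    print(hours)
    print(causes)
```

The table named in each cause is the one to query by hand with postmap -q, using one of the listed recipient addresses as the key.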