[TriLUG] Strange mailserver flood

Brian Daniels bitmage at pobox.com
Wed Apr 30 09:28:11 EDT 2008


I've been seeing an odd flood of messages on the mailserver at work.
A bunch of sites will suddenly start attempting to mail strange addresses
at our site.  The addresses are in the format NameRandomwordName at oursite.com, 
i.e.:

EugeniocapacitiveFranco at oursite.com
scottieextemporaneoushester at oursite.com
TraceydiehardHester at oursite.com
MajorwrongdoerStout at oursite.com
eugeniorasterbender at oursite.com
AbenoxiousSears at oursite.com
(where oursite is actually the company domain name)

I've seen 'dictionary attack' spams before that try likely names, but these look
designed to never match a real user.

Postfix refuses these messages with a 550 User unknown error, but the flood
starts overwhelming the kernel:

TCP: drop open request from 72.32.51.141/58895
TCP: drop open request from 202.213.208.116/42113
TCP: drop open request from 67.202.19.113/40907
TCP: drop open request from 66.206.162.132/13871
TCP: drop open request from 203.242.210.150/38603
TCP: drop open request from 217.65.225.246/35289
TCP: drop open request from 68.153.218.33/59643
TCP: drop open request from 67.19.39.158/58912
TCP: drop open request from 87.233.4.196/49388
TCP: drop open request from 63.93.44.69/58655
printk: 48 messages suppressed.
TCP: drop open request from 216.248.36.226/23645
printk: 62 messages suppressed.
TCP: drop open request from 213.83.66.209/57402
printk: 106 messages suppressed.
TCP: drop open request from 72.249.32.20/48600
printk: 118 messages suppressed.

And after an hour or so, the flood drops back to a steady drip of similarly 
addressed messages.

Anyone else seeing these, or have any idea what they're trying to do?

--Brian

-- 
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
			Henry IV, Part 2
	

Brian Daniels                  bitmage at pobox.com
      http://www.eviloverlord.net
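
Added example, not part of the original post: a short Python tally of kernel log lines in the format quoted above, showing how many connection attempts the visible lines stand for and how widely the sources are spread. It assumes every "printk: N messages suppressed" count refers to the same drop message; the sample log and the function name are constructed for illustration.

```python
import re
from collections import Counter

# "address/source port", as printed in the kernel lines quoted in the post
DROP_RE = re.compile(r"TCP: drop open request from (\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
SUPPRESSED_RE = re.compile(r"printk: (\d+) messages suppressed")

# Constructed sample (documentation address ranges, not the hosts in the post)
SAMPLE = """\
TCP: drop open request from 192.0.2.10/58895
TCP: drop open request from 198.51.100.7/42113
TCP: drop open request from 192.0.2.10/40907
printk: 48 messages suppressed.
TCP: drop open request from 203.0.113.5/23645
printk: 62 messages suppressed.
"""

def summarize_drops(log_text):
    """Count dropped connection requests, including rate-limited ones."""
    sources = Counter()
    logged = suppressed = 0
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            sources[m.group(1)] += 1
            logged += 1
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            # Assumption: suppressed messages were further drop notices
            suppressed += int(m.group(1))
    top = sources.most_common(1)
    return {
        "logged_drops": logged,
        "suppressed": suppressed,
        "estimated_drops": logged + suppressed,
        "unique_sources": len(sources),
        # A low share for the busiest source points to many distinct senders
        "top_source_share": (top[0][1] / logged) if logged else 0.0,
        "top_source": top[0][0] if top else None,
    }

if __name__ == "__main__":
    for key, value in summarize_drops(SAMPLE).items():
        print(f"{key}: {value}")
```

Because the kernel rate-limits these messages, the visible lines undercount the flood; the suppressed totals have to be added back before comparing one burst with another.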



