[TriLUG] Strange mailserver flood

Cristóbal Palmer cristobalpalmer at gmail.com
Wed Apr 30 09:38:38 EDT 2008


On Wed, Apr 30, 2008 at 9:28 AM, Brian Daniels <bitmage at pobox.com> wrote:
>
> <snip />
>  I've seen 'dictionary attack' spams before that try likely names, but these look
>  designed to never match a real user.
>
> <snip />
>  And after an hour or so, the flood drops back to a steady drip of similarly
>  addressed messages.
>
>  Anyone else seeing these, or have any idea what they're trying to do?
>

They're trying to get you to send a DSN to whatever they've forged as
their HELO. Some poorly-written or poorly-configured MTAs will accept
the mail and then send a bounce rather than reject during the SMTP
transaction. They're trying to use you as a reflector.

If you settle on a good way to mitigate this attack, share it with the
list please. Perhaps someone else has a suggestion....

Cheers,
-- 
Cristóbal M. Palmer
http://tinyurl.com/3apraw "They also abandoned other volumes, later,
while fleeing from the librarians."
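
Added example (not part of the original message, and not any real MTA's code): a small Python model of the two behaviours described above, accepting mail for unknown recipients and bouncing later versus rejecting during the SMTP transaction. The `Mta` class, the addresses and the sample flood are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration; not taken from the thread.
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
FLOOD = [  # (address forged by the client, recipient it asks for)
    ("victim@example.net", "xqzjkw81@example.org"),
    ("victim@example.net", "p0rvt7yy@example.org"),
    ("victim@example.net", "alice@example.org"),
    ("victim@example.net", "mm3kqd2z@example.org"),
]

@dataclass
class Mta:
    """Hypothetical toy MTA: models only the recipient check and bounces."""
    validate_at_rcpt: bool  # True = look up the recipient during the SMTP session
    delivered: list = field(default_factory=list)
    dsn_queue: list = field(default_factory=list)  # bounces this server would send

    def rcpt_reply(self, rcpt):
        """SMTP reply code for RCPT TO."""
        if self.validate_at_rcpt and rcpt not in LOCAL_USERS:
            return 550  # refused in-session: no message accepted, nothing to bounce
        return 250

    def handle(self, forged_addr, rcpt):
        code = self.rcpt_reply(rcpt)
        if code != 250:
            return code
        if rcpt in LOCAL_USERS:
            self.delivered.append(rcpt)
        else:
            # Accepted first, found undeliverable later: the server now owes a
            # DSN, addressed to whatever the client forged.
            self.dsn_queue.append(forged_addr)
        return code

def run(validate_at_rcpt):
    """Feed the constructed flood to a toy MTA and report what it did."""
    mta = Mta(validate_at_rcpt)
    codes = [mta.handle(addr, rcpt) for addr, rcpt in FLOOD]
    return codes, mta.dsn_queue, mta.delivered

if __name__ == "__main__":
    for mode in (False, True):
        codes, dsns, delivered = run(mode)
        print(f"validate_at_rcpt={mode}: replies={codes} "
              f"bounces_sent={len(dsns)} delivered={delivered}")
```

With the recipient check moved into the SMTP session, the same flood produces only 550 replies to the connecting client and the bounce queue stays empty, while mail for the real user is still delivered.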

