
Re: [cobalt-users] email getting hammered



At 12:28 PM 12/20/2002 -0600, you wrote:
Help please.

Here are a few lines from my logcheck report that is emailed hourly, this is the exact text from my "maillog"

<snip>


Every once in a while there is one that is listed as the last one here. It does not show up in the email, but it is in the maillog. Each one like this has a different from email address and each one has a different relay. Each time I get one of them, it all stops for a few minutes and then starts up again. Each time it is about 20 - 25 email attempts. None are valid users. Can anyone help? Is there any way to stop this person? This has been going on for over a day now. I have seen it in the past, but it stops after a few hours. These are all just clips of each listing. Is there a different log to look in for more info? I tried the procmail log but it shows the last email is not being delivered either.

Personally, I always viewed these attempts as a script kiddie trying to determine valid user names on my machines, so they could come back later and try and brute force through a password check. To get around that, I have a catch-all alias for each domain that forwards mail *somewhere* ... maybe not to me, maybe just to /dev/null, but somewhere so that someone outside my system can't use sendmail to reveal usernames on my system. Once they stop getting rejects, the attempts usually stop as well.
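
Added example, not part of the original thread: a small Python script that groups "User unknown" rejects in a maillog by SMTP session and reports which relay each burst came from, which is the pattern described in the question and the signal that disappears once a catch-all alias is in place. The log lines are constructed and assume sendmail's usual syslog layout (the excerpt in the post was snipped); the host names, addresses and the `min_rejects` threshold are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: typical sendmail syslog layout).
SAMPLE_MAILLOG = """\
Dec 20 12:01:02 www sendmail[4101]: gBKI12a04101: <alice@example.com>... User unknown
Dec 20 12:01:02 www sendmail[4101]: gBKI12a04101: <bob@example.com>... User unknown
Dec 20 12:01:03 www sendmail[4101]: gBKI12a04101: <carol@example.com>... User unknown
Dec 20 12:01:04 www sendmail[4101]: gBKI12a04101: from=<x1@mail.invalid>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host1.invalid [192.0.2.10]
Dec 20 12:07:30 www sendmail[4177]: gBKI7Ua04177: <dave@example.com>... User unknown
Dec 20 12:07:31 www sendmail[4177]: gBKI7Ua04177: from=<x2@mail.invalid>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host2.invalid [192.0.2.20]
Dec 20 12:09:00 www sendmail[4180]: gBKI90a04180: from=<friend@mail.invalid>, size=812, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=host3.invalid [192.0.2.30]
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
UNKNOWN = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. User unknown")
FROM = re.compile(r"^from=<(?P<sender>[^>]*)>.*\bnrcpts=(?P<n>\d+).*\brelay=(?P<relay>.+)$")


def summarize_probes(log_text):
    """Group rejected recipients by queue id and attach that session's sender and relay."""
    sessions = defaultdict(
        lambda: {"rejected": [], "sender": None, "relay": None, "accepted": 0}
    )
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        session, rest = sessions[m["qid"]], m["rest"]
        if (u := UNKNOWN.match(rest)):
            session["rejected"].append(u["rcpt"])
        elif (f := FROM.match(rest)):
            # The from= line closes the session and carries the relay that connected.
            session.update(sender=f["sender"], relay=f["relay"], accepted=int(f["n"]))
    return dict(sessions)


def flag_enumeration(sessions, min_rejects=3):
    """Sessions with many rejected recipients and none accepted look like address probing."""
    return sorted(
        (s["relay"] or "unknown", len(s["rejected"]))
        for s in sessions.values()
        if len(s["rejected"]) >= min_rejects and s["accepted"] == 0
    )


if __name__ == "__main__":
    for relay, count in flag_enumeration(summarize_probes(SAMPLE_MAILLOG)):
        print(f"{count} unknown-user rejects, 0 accepted, relay={relay}")
```

For bursts like the 20 - 25 attempts described in the question, raise `min_rejects` accordingly and feed the function the contents of the real maillog.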