Re: [cobalt-users] email attack?
- Subject: Re: [cobalt-users] email attack?
- From: "Paul Warner" <pwarner@xxxxxxxxxxxxxxxxxx>
- Date: Sun Jul 27 11:14:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> At 10:35 AM 7/27/2003 -0400, you wrote:
> >For the past few days we have seen a HUGE number of messages addressed to a
> >couple of bogus names on one domain:
> >lauren@xxxxxxxxxx
> >geraldine@xxxxxxxxxx
> >erin@xxxxxxxxxx
> >Each message seems to originate from a different relay, and with each
> >message a "No such user" is returned. Is this part of a known exploit?
> >Should I create an account in one of these names to see what's in the
> >message? Is there a better way to stop these since I can't use ipchains to
> >deny the 1000s of different relays on which these are arriving?
>
> I don't get huge numbers of those, but I do get some. Me being paranoid, I
> have a catchall set up that routes these to /dev/null, so while it does use
> bandwidth since whatever message they are sending gets accepted, it gets
> deleted here, and the sender doesn't know for sure whether that user name
> exists or not.
>
In this case, though, it has been by the 1000s and only against these 3
names...over and over from what appears to be a different origin relay with
each attempt. Trying to 'guess' a username I'd understand (as in Dan's
reference to a dictionary attack), but to get a 'no such user' and to keep
pounding on that same user is rather futile IMHO. Since the sender doesn't
seem to care that these won't go through, piping them to /dev/null seems to
hurt me more than them, no? I thought (hoped/dreaded) there might be a new
attack of some sort (or a Trojan that gets directions) that utilizes these
accounts on its host...
Paul
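
An added example, not part of the original post: a small log check that separates the two patterns discussed in this thread, a few fixed bogus names retried from many relays versus many different names being guessed. The sendmail-style line shapes, the example.com domain, the relay addresses and the `min_repeats` threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed sendmail-style line shapes; adjust the patterns to your MTA's log.
REJECT = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]+)>\.\.\. User unknown")
RELAY = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=(?:\S+ )?\[([0-9.]+)\]")

def make_log(events):
    """Build CONSTRUCTED sample log text from (recipient, relay_ip) pairs."""
    lines = []
    for i, (rcpt, ip) in enumerate(events):
        head = f"Jul 27 10:00:{i:02d} www sendmail[{2000 + i}]: h6RE{i:04d}:"
        lines.append(f"{head} <{rcpt}>... User unknown")
        lines.append(f"{head} from=<x@example.net>, nrcpts=0, relay=[{ip}]")
    return "\n".join(lines)

def summarize(log_text):
    """Return {recipient: (rejections, distinct_relays)} joined on queue id."""
    rcpts, relay = defaultdict(set), {}
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            rcpts[m.group(1)].add(m.group(2).lower())
        elif m := RELAY.search(line):
            relay[m.group(1)] = m.group(2)
    hits, sources = defaultdict(int), defaultdict(set)
    for qid, names in rcpts.items():
        for name in names:
            hits[name] += 1
            sources[name].add(relay.get(qid, "unknown"))
    return {n: (hits[n], len(sources[n])) for n in hits}

def classify(summary, min_repeats=3):
    """'fixed-target' if most rejections hit names retried >= min_repeats times."""
    total = sum(n for n, _ in summary.values())
    if total == 0:
        return "none"
    repeated = sum(n for n, _ in summary.values() if n >= min_repeats)
    return "fixed-target" if repeated / total >= 0.5 else "dictionary-style"

NAMES = ["lauren", "geraldine", "erin"]  # local parts from the post
FLOOD = make_log([(f"{NAMES[i % 3]}@example.com", f"192.0.2.{i + 1}") for i in range(12)])
GUESS = make_log([(f"{n}@example.com", "198.51.100.7") for n in
                  ["aaron", "abby", "adam", "alan", "alice", "amy"]])

if __name__ == "__main__":
    for label, text in (("flood", FLOOD), ("guessing", GUESS)):
        s = summarize(text)
        print(label, classify(s), s)
```

A high distinct-relay count per name, as in the constructed flood sample, is also the reason per-address firewall rules do not scale for this pattern.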