
Re: [cobalt-users] email attack?



> 
>> At 10:35 AM 7/27/2003 -0400, you wrote:
>>> For the past few days we have seen a HUGE number of messages addressed to a
>>> couple of bogus names on one domain:
>>> lauren@xxxxxxxxxx
>>> geraldine@xxxxxxxxxx
>>> erin@xxxxxxxxxx
>>> Each message seems to originate from a different relay, and with each
>>> message a "No such user" is returned.  Is this part of a known exploit?
>>> Should I create an account in one of these names to see what's in the
>>> message?  Is there a better way to stop these since I can't use ipchains to
>>> deny the 1000s of different relays on which these are arriving?
>> 
>> I don't get huge numbers of those, but I do get some. Me being paranoid, I
>> have a catchall set up that routes these to /dev/null, so while it does use
>> bandwidth since whatever message they are sending gets accepted, it gets
>> deleted here, and the sender doesn't know for sure whether that user name
>> exists or not.
>> 
> 
> In this case, though it has been by the 1000s and only against these 3
> names...over and over from what appears to be a different origin relay with
> each attempt.  Trying to 'guess' a username I'd understand (as in Dan's
> reference to a dictionary attack), but to get a 'no such user' and to keep
> pounding on that same user is rather futile IMHO.  Since the sender doesn't
> seem to care that these won't go through, piping them to /dev/null seems to
> hurt me more than them, no?  I thought (hoped/dreaded) there might be a new
> attack of some sort (or a Trojan that gets directions) that utilizes these
> accounts on its host...
> 
> Paul
>

Although it is difficult to know whether these are related, I want to
recommend checking cert.org when looking into attacks. This is the page for
the current set of "activity" items, including several that are e-mail
based.

--Dave Shugarts
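Added here as an example, not code from the thread or from Cobalt: a small Python triage script that aggregates "User unknown" rejections by recipient and counts the distinct relays behind them, so the pattern Paul describes (the same few bogus names, a different relay on each attempt) can be told apart from a broad dictionary probe where the names vary. The log lines and their sendmail-like layout are constructed for the example and are an assumption, not the RaQ's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed sendmail-like layout, not real RaQ output).
# Documentation-range IPs are used as relay addresses.
SAMPLE_LOG = """\
Jul 27 10:31:02 raq sendmail[1201]: h6REV2x01201: to=<lauren@example.com>, relay=[198.51.100.7], stat=User unknown
Jul 27 10:31:09 raq sendmail[1204]: h6REV9y01204: to=<lauren@example.com>, relay=[203.0.113.22], stat=User unknown
Jul 27 10:31:15 raq sendmail[1210]: h6REVFz01210: to=<geraldine@example.com>, relay=[192.0.2.55], stat=User unknown
Jul 27 10:31:20 raq sendmail[1213]: h6REVKa01213: to=<lauren@example.com>, relay=[198.51.100.7], stat=User unknown
Jul 27 10:31:31 raq sendmail[1220]: h6REVVb01220: to=<lauren@example.com>, relay=[203.0.113.90], stat=User unknown
Jul 27 10:31:40 raq sendmail[1225]: h6REVec01225: to=<webmaster@example.com>, relay=[192.0.2.9], stat=Sent
Jul 27 10:31:44 raq sendmail[1228]: h6REVic01228: to=<lauren@example.com>, relay=[192.0.2.140], stat=User unknown
"""

# Matches only rejected deliveries in the constructed format above.
LINE_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>, relay=\[(?P<relay>[^\]]+)\], stat=User unknown"
)


def parse_unknown_user(lines):
    """Return {recipient: {"attempts": int, "relays": set}} for rejected recipients."""
    report = defaultdict(lambda: {"attempts": 0, "relays": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # delivered mail and unrelated lines are ignored
        entry = report[m["rcpt"].lower()]
        entry["attempts"] += 1
        entry["relays"].add(m["relay"])
    return dict(report)


def hammered_recipients(report, min_attempts=3, min_relays=3):
    """Names hit repeatedly from many distinct relays.

    A dictionary-style probe shows many different names tried once or twice;
    a few fixed names with a new relay each time is the pattern in the thread.
    """
    return sorted(
        name for name, e in report.items()
        if e["attempts"] >= min_attempts and len(e["relays"]) >= min_relays
    )


if __name__ == "__main__":
    rep = parse_unknown_user(SAMPLE_LOG.splitlines())
    for name in hammered_recipients(rep):
        e = rep[name]
        print(f"{name}: {e['attempts']} attempts from {len(e['relays'])} relays")
```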