
Thousands upon thousands of "User unknown", over 8 months now.


David A. Desrosiers

Feb 14, 2004, 9:34:18 AM

I've read the previous posts on the matter here, and I have implemented
confBAD_RCPT_THROTTLE as per the docs, but the onslaught still continues.

Incidentally, BAD_RCPT_THROTTLE could do well to have a sliding
increment, so that repeated attempts are progressively delayed more and
more and more. This means they start at 1-second delays, then after 10 of
those 1-second delays, it goes to 2-second delays, and so on. This would
be much more useful than a static 1-second delay overall... but that's a
different matter.

My problem has been going on for about 8-9 months now, where my server,
hosting several dozen domains, is getting repeated attempts at thousands
of usernames (NOT a dictionary attack) at each domain I host, randomly,
per day. It happens all day, every day, nonstop. The hosts trying to send
the mail to 'f...@mydomain.com' for example, are all valid hosts on the
outside (dig +trace -x 1.2.3.4 for each host shows them to be coming from
MXs deep inside ibm.com, dell.com, and hundreds of other valid hosts).

This would lead me to believe that these are just bounces, based on
forged "From:" lines in the original message. If that were true, I would
expect to see them go away after 5 days of trying to send. It's been
roughly 9 months now, and they still haven't stopped or slowed down at all.

The other thing I noticed is that the usernames that these hosts are
trying to send to are "real" usernames on the web in other places, and
from other mailing lists and websites I know I'm on (Perlmonks, Advogato,
etc.), just not real usernames on the domains I host. It appears to be
someone grabbing these usernames from dozens of other places, appending my
domains onto them, and sending them to me... I think.

What can be done to stop this behavior? Here's one example of the
output I see every day:

http://code.gnu-designs.com/User.unknown

Any suggestions?
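Two things in the post above lend themselves to a worked example: the sliding BAD_RCPT_THROTTLE schedule (1-second delays, then 2-second delays after ten of those, and so on), and the question of whether the "User unknown" flood is backscatter from forged From: lines or direct delivery attempts against harvested usernames. The script below is an added example, not code from the thread or from sendmail. The log lines it parses are a constructed, simplified imitation of sendmail's syslog output (envelope line `from=<...> ... relay=...` per queue id, then one `<rcpt>... User unknown` line per rejected recipient); it keys everything on the queue id so line order does not matter. The distinguishing check is the envelope sender: a bounce always carries the null sender `from=<>`, so a reject tied to a null sender is backscatter, while a reject tied to a real sender is a direct attempt, which is what a harvested-address run looks like. The threshold and step values are assumptions, not sendmail's.

```python
import re
from collections import Counter, defaultdict


def progressive_delay(bad_rcpts, threshold=3, step=10):
    """Seconds to sleep before answering the next RCPT in this session.

    Sliding variant of BAD_RCPT_THROTTLE as proposed in the post: once the
    session has reached `threshold` bad recipients, each further RCPT is
    delayed 1s; after `step` such delays it becomes 2s, then 3s, and so on.
    (Illustrative; stock sendmail uses a flat 1-second delay.)
    """
    over = bad_rcpts - threshold          # how far past the threshold we are
    if over < 0:
        return 0
    return 1 + over // step


# Constructed, simplified sendmail-style syslog sample (not real log data).
# The last line has no matching envelope line, to show how that is reported.
SAMPLE_LOG = """\
Feb 14 09:01:02 mx sendmail[4101]: i1EE12aa004101: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, relay=mx1.ibm.example [192.0.2.10]
Feb 14 09:01:02 mx sendmail[4101]: i1EE12aa004101: <fred@mydomain.example>... User unknown
Feb 14 09:01:05 mx sendmail[4102]: i1EE15bb004102: from=<>, size=0, class=0, nrcpts=0, proto=ESMTP, relay=mx2.dell.example [198.51.100.7]
Feb 14 09:01:05 mx sendmail[4102]: i1EE15bb004102: <merlyn@mydomain.example>... User unknown
Feb 14 09:01:05 mx sendmail[4102]: i1EE15bb004102: <tilly@mydomain.example>... User unknown
Feb 14 09:01:09 mx sendmail[4103]: i1EE19cc004103: from=<sales@bulk.example>, size=2048, class=0, nrcpts=0, proto=SMTP, relay=[203.0.113.5]
Feb 14 09:01:09 mx sendmail[4103]: i1EE19cc004103: <aaron@mydomain.example>... User unknown
Feb 14 09:01:09 mx sendmail[4103]: i1EE19cc004103: <abby@mydomain.example>... User unknown
Feb 14 09:01:09 mx sendmail[4103]: i1EE19cc004103: <abe@mydomain.example>... User unknown
Feb 14 09:01:12 mx sendmail[4104]: i1EE1Cdd004104: <zed@mydomain.example>... User unknown
"""

# Envelope line: queue id, envelope sender (empty for a bounce), relay.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)")
# Rejected-recipient line.
UNKNOWN_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): <(?P<rcpt>[^>]+)>\.\.\. User unknown")


def summarize_rejects(log_text):
    """Group 'User unknown' rejects by sender class (backscatter vs. direct)
    and by relay, so the heaviest sources of each kind can be read off."""
    envelope = {}                 # qid -> (sender, relay)
    unknown = defaultdict(list)   # qid -> rejected recipients
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            envelope[m["qid"]] = (m["sender"], m["relay"])
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[m["qid"]].append(m["rcpt"])

    report = {"backscatter": Counter(), "direct": Counter(), "unattributed": 0}
    for qid, rcpts in unknown.items():
        if qid not in envelope:   # reject logged without an envelope line
            report["unattributed"] += len(rcpts)
            continue
        sender, relay = envelope[qid]
        bucket = "backscatter" if sender == "" else "direct"
        report[bucket][relay] += len(rcpts)
    return report


if __name__ == "__main__":
    r = summarize_rejects(SAMPLE_LOG)
    for bucket in ("backscatter", "direct"):
        print(f"{bucket}: {sum(r[bucket].values())} rejects")
        for relay, n in r[bucket].most_common():
            print(f"  {n:5d}  {relay}")
    print("unattributed:", r["unattributed"])
    print("sliding delay per bad RCPT:", [progressive_delay(n) for n in range(30)])
```

On real logs the relay column of the backscatter bucket is where the "MXs deep inside ibm.com, dell.com" show up: those hosts are bouncing forged mail, and the fix lies with the forger, not with them. A large direct bucket from a few relays is the case a throttle or a block actually helps with.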


Andy

Feb 14, 2004, 10:02:20 AM
> This would lead me to believe that these are just bounces, based on
> forged "From:" lines in the original message. If that were true, I would
> expect to see them go away after 5 days of trying to send. It's been
> roughly 9 months now, and they still haven't stopped or slowed down at all.
>
> The other thing I noticed, is that the usernames that these hosts are
> trying to send to, are "real" usernames on the web in other places, and
> from other mailing lists and websites I know I'm on (Perlmonks, Advogato,
> etc.), just not real usernames on the domains I host. It appears to be
> someone grabbing these usernames from dozens of other places, appending my
> domains onto them, and sending them to me... I think.
>
> What can be done to stop this behavior? Here's one example of the
> output I see every day:
>
> http://code.gnu-designs.com/User.unknown
>
> Any suggestions?
>


Welcome to my world. I have come to live with it :-(

Bfons


D. Stussy

Feb 16, 2004, 2:51:04 AM
On Sat, 14 Feb 2004, David A. Desrosiers wrote:
> I've read the previous posts on the matter here, and I have implemented
> confBAD_RCPT_THROTTLE as per the docs, but the onslaught still continues.
>
> Incidentally, BAD_RCPT_THROTTLE could do well to have a sliding
> increment, so that repeated attempts are progressively delayed more and
> more and more. This means they start at 1-second delays, then after 10 of
> those 1-second delays, it goes to 2-second delays, and so on. This would
> be much more useful than a static 1-second delay overall.. but that's a
> different matter.

That has been suggested before :-)

> My problem has been going on for about 8-9 months now, where my server,
> hosting several dozen domains, is getting repeated attempts at thousands
> of usernames (NOT a dictionary attack) at each domain I host, randomly,
> per day. It happens all day, every day, nonstop. The hosts trying to send
> the mail to 'f...@mydomain.com' for example, are all valid hosts on the
> outside (dig +trace -x 1.2.3.4 for each host shows them to be coming from
> MXs deep inside ibm.com, dell.com, and hundreds of other valid hosts).
>
> This would lead me to believe that these are just bounces, based on
> forged "From:" lines in the original message. If that were true, I would
> expect to see them go away after 5 days of trying to send. It's been
> roughly 9 months now, and they still haven't stopped or slowed down at all.
>
> The other thing I noticed, is that the usernames that these hosts are
> trying to send to, are "real" usernames on the web in other places, and
> from other mailing lists and websites I know I'm on (Perlmonks, Advogato,
> etc.), just not real usernames on the domains I host. It appears to be
> someone grabbing these usernames from dozens of other places, appending my
> domains onto them, and sending them to me... I think.
>
> What can be done to stop this behavior? Here's one example of the
> output I see every day:
>
> http://code.gnu-designs.com/User.unknown
>
> Any suggestions?

Ah! Another "petition signer" for the death-penalty for spammers movement!

[Sorry, no real-world suggestions.]
