High CPU load, RCPT TO:

Mike Kercher mike at CAMAROSS.NET
Wed Feb 2 00:51:15 GMT 2005


Matt Kettler wrote:
> At 02:27 PM 2/1/2005, Dirk Enrique Seiffert wrote:
>> I get lots of them, no idea why it has to be me: Its a simple
>> mailserver for a small domain. We are relaying to maybe 1500 mails
>> per
>> day, not more. Since a few weeks these attacks started, I get them
>> every few minutes.
>
> It's not just you, it's *everybody*.
>
> Spammers and worms are doing a LOT of address guessing these days.
> Everyone on this list sees this kind of garbage hitting their servers
> every day. I do not know of any servers that are not being attacked
> with rumplestiltskin attacks.
>
> My server, with very similar mail profile, has been under a
> continuous barrage of rumplestiltskin attacks since some time late in
> the day on July 8, 2004. I've never felt any pain from it, because I
> had BAD_RCPT_THROTTLE in place long before the attacks started.
>
> Even with BAD_RCPT_THROTTLE , MAX_RCPTS_PER_MSG, and
> CONNECTION_RATE_THROTTLE, I'm still getting thousands of User
> unknown's per day.
>
> The big difference I'm seeing here is that most of my rumples
> are coming from a wide variety of IPs and connections, instead of all
> from the same connection. This limits the rate somewhat, but should
> they have tried the method they are hitting you with on my server,
> the throttle will kick in.
>

Another trend I notice in my logs is that forged spammer addresses are oddly
similar even though the attempts come from various IPs around the world.

For example:


Feb  1 16:23:37 avwall2 sendmail[24323]: j11MNL3Q024323:
from=<ernesto at mx.inter.net>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=c-66-176-253-242.se.client2.attbi.com [66.176.253.242]

Feb  1 16:24:39 avwall2 sendmail[24500]: j11MOTiT024500: Milter:
from=<ernest_kelly at hotmail.com>, reject=550 5.7.1 connection
"CPE0008a122b198-CM000a739bc416.cpe.net.cable.rogers.com" blocked

Feb  1 16:24:39 avwall2 sendmail[24500]: j11MOTiT024500:
from=<ernest_kelly at hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=CPE0008a122b198-CM000a739bc416.cpe.net.cable.rogers.com
[69.194.46.137]

Feb  1 16:25:13 avwall2 sendmail[24566]: j11MP0FN024566: Milter:
from=<ernest at elp.rr.com>, reject=550 5.7.1 connection "ACD6AC8E.ipt.aol.com"
blocked

Feb  1 16:25:14 avwall2 sendmail[24566]: j11MP0FN024566:
from=<ernest at elp.rr.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=ACD6AC8E.ipt.aol.com [172.214.172.142]

Feb  1 16:26:00 avwall2 sendmail[24732]: j11MPlfN024732:
from=<ernest777 at hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=pcp559187pcs.rthfrd01.tn.comcast.net [68.52.102.111]

Feb  1 16:26:42 avwall2 sendmail[24852]: j11MQTwf024852: Milter:
from=<ernesto.viramontes at unilever.com>, reject=550 5.7.1 connection
"12-215-96-255.client.mchsi.com" blocked

Feb  1 16:26:43 avwall2 sendmail[24852]: j11MQTwf024852:
from=<ernesto.viramontes at unilever.com>, size=0, class=0, nrcpts=0,
proto=ESMTP, daemon=MTA, relay=12-215-96-255.client.mchsi.com
[12.215.96.255]

Feb  1 16:28:17 avwall2 sendmail[25185]: j11MS5Sn025185: Milter:
from=<ernesto at swissonline.ch>, reject=550 5.7.1 sender blocked

Feb  1 16:28:17 avwall2 sendmail[25185]: j11MS5Sn025185:
from=<ernesto at swissonline.ch>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=CPE-203-51-239-203.qld.bigpond.net.au [203.51.239.203]

Feb  1 17:14:08 avwall2 milter-sender[1604]: 06355 j11NDv31001112: sender
<ernest at icongrp.com> (0) cached, skipping

Feb  1 17:14:08 avwall2 sendmail[1112]: j11NDv31001112:
from=<ernest at icongrp.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=muedsl-82-207-223-151.citykom.de [82.207.223.151]

Feb  1 17:16:52 avwall2 milter-sender[1604]: 06393 j11NGgMN001567: sender
<ernestinehennessee at hotmail.com> (0) cached, skipping

Feb  1 17:16:52 avwall2 sendmail[1567]: j11NGgMN001567:
from=<ernestinehennessee at hotmail.com>, size=0, class=0, nrcpts=0,
proto=ESMTP, daemon=MTA, relay=adsl-68-72-85-49.dsl.chcgil.ameritech.net
[68.72.85.49]

Feb  1 17:17:16 avwall2 sendmail[1596]: j11NH0dw001596:
from=<ernest_inbaraj at rediff.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=morristown-68-118-99-14.chartertn.net [68.118.99.14]

Feb  1 17:19:30 avwall2 sendmail[1894]: j11NJJtw001894:
from=<ernest27_a at yahoo.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=cs242231-3.houston.rr.com [24.242.231.3]

Feb  1 17:19:52 avwall2 sendmail[1975]: j11NJcwP001975:
from=<ernesteugene at hwzcorp.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=cpe-66-67-134-209.rochester.res.rr.com [66.67.134.209]

Feb  1 17:23:56 avwall2 sendmail[2650]: j11NNj7B002650: Milter:
from=<ernest at gci.net>, reject=550 5.7.1 connection
"c-24-19-188-76.client.comcast.net" blocked

Feb  1 17:23:56 avwall2 sendmail[2650]: j11NNj7B002650:
from=<ernest at gci.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
relay=c-24-19-188-76.client.comcast.net [24.19.188.76]

Feb  1 17:24:57 avwall2 sendmail[2818]: j11NOlmr002818: Milter:
from=<ernesto.jr at bol.com.br>, reject=550 5.7.1 sender blocked

Feb  1 17:24:57 avwall2 sendmail[2818]: j11NOlmr002818:
from=<ernesto.jr at bol.com.br>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=cs7011422-167.satx.rr.com [70.114.22.167]

Feb  1 17:25:13 avwall2 sendmail[2880]: j11NP2Lf002880:
from=<ernest.collins at cox.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=rdu26-233-130.nc.rr.com [66.26.233.130]

Feb  1 17:25:51 avwall2 sendmail[3014]: j11NPZbi003014:
from=<ernestomaria at tiscalinet.it>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=adsl-67-37-236-140.dsl.chcgil.ameritech.net
[67.37.236.140]

Notice all the ernest*@ addresses?  I also utilize the greet_pause feature
of sendmail-8.13.x

Mike
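The ernest* pattern in the log excerpt above, turned into detection logic as an added example that is not part of the original post or of sendmail/MailScanner: a Python script that parses sendmail envelope lines (the "from=<...>, ..., nrcpts=N, ..., relay=host [ip]" records) and flags a run of distinct sender addresses that share one local-part prefix and arrive from many distinct relay IPs inside a short window. The sample log lines are constructed for the example with RFC 5737 documentation addresses, not Mike's real entries (note that real logs carry a literal "@" where the list archive prints " at "); the prefix length, window and thresholds are assumptions to tune per site.

```python
"""Flag a 'dictionary sender' sweep in sendmail envelope logs.

Added example, not code from the original post. It parses the
  from=<addr>, size=..., nrcpts=N, ..., relay=host [ip]
lines sendmail writes and looks for many distinct sender addresses that
share one local-part prefix and arrive from many distinct relay IPs
within a short window. The log lines below are constructed for the
example (RFC 5737 documentation addresses); real logs carry a literal
'@' where the list archive shows ' at '.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One sendmail envelope line; syslog timestamps carry no year, so one is supplied.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, .*nrcpts=(?P<nrcpts>\d+), .*"
    r"relay=\S+ \[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_envelope_lines(lines, year=2005):
    """Yield (timestamp, sender, nrcpts, relay_ip) for each envelope line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["sender"].lower(), int(m["nrcpts"]), m["ip"]


def find_sender_sweeps(events, prefix_len=5, window=timedelta(hours=1),
                       min_senders=5, min_ips=4):
    """Group senders by the first prefix_len letters of the local-part and
    return {prefix: summary} for groups where, inside one window, at least
    min_senders distinct addresses came from at least min_ips relay IPs.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    groups = defaultdict(list)
    for ts, sender, nrcpts, ip in events:
        local = sender.split("@", 1)[0]
        m = re.match(r"[a-z]+", local)
        if not m:
            continue
        groups[m.group(0)[:prefix_len]].append((ts, sender, nrcpts, ip))

    hits = {}
    for prefix, evs in groups.items():
        evs.sort()
        best, lo = None, 0
        for hi in range(len(evs)):
            # slide the window start forward until the span fits the window
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            senders = {e[1] for e in win}
            ips = {e[3] for e in win}
            if len(senders) >= min_senders and len(ips) >= min_ips:
                if best is None or len(senders) > best["senders"]:
                    best = {
                        "senders": len(senders),
                        "relay_ips": len(ips),
                        # nrcpts=0 on every line means no RCPT was accepted
                        "accepted_rcpts": sum(e[2] for e in win),
                        "first": win[0][0],
                        "last": win[-1][0],
                    }
        if best:
            hits[prefix] = best
    return hits


# Constructed sample: seven ernest* senders from seven relays, plus two
# legitimate deliveries (nrcpts=1) from one fixed relay.
SAMPLE_LOG = """\
Feb  1 16:23:37 mx sendmail[24323]: j11AAAAA000001: from=<ernesto@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-1.example.net [192.0.2.10]
Feb  1 16:24:39 mx sendmail[24500]: j11AAAAA000002: from=<ernest_kelly@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-2.example.net [192.0.2.11]
Feb  1 16:25:14 mx sendmail[24566]: j11AAAAA000003: from=<ernest@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-3.example.net [198.51.100.5]
Feb  1 16:26:00 mx sendmail[24732]: j11AAAAA000004: from=<ernest777@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-4.example.net [198.51.100.6]
Feb  1 16:26:43 mx sendmail[24852]: j11AAAAA000005: from=<ernesto.viramontes@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-5.example.net [203.0.113.7]
Feb  1 16:28:17 mx sendmail[25185]: j11AAAAA000006: from=<ernesto@example.ch>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-6.example.net [203.0.113.8]
Feb  1 16:30:02 mx sendmail[25300]: j11AAAAA000007: from=<alice@example.org>, size=1822, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.99]
Feb  1 17:14:08 mx sendmail[1112]: j11AAAAA000008: from=<ernestinehennessee@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-7.example.net [203.0.113.9]
Feb  1 17:25:51 mx sendmail[3014]: j11AAAAA000009: from=<alice@example.org>, size=1600, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.99]
"""


def sweep_report(log_text):
    """Run the detector over a block of log text and return the hits."""
    return find_sender_sweeps(parse_envelope_lines(log_text.splitlines()))


if __name__ == "__main__":
    for prefix, s in sweep_report(SAMPLE_LOG).items():
        print(f"{prefix}*: {s['senders']} senders from {s['relay_ips']} IPs, "
              f"{s['accepted_rcpts']} recipients accepted, "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
```

On the constructed sample this reports only the "ernes" group (seven senders from seven relays, zero recipients accepted); the two alice deliveries from a single relay fall below the thresholds. The accepted_rcpts figure is the corroborating check: a group of look-alike senders whose every connection ends with nrcpts=0 is being refused at RCPT time (by greet_pause, a milter connection block, or "User unknown"), which is what a sender-name sweep that never finds a valid mailbox looks like, whereas a mail list burst from a legitimate sender accumulates accepted recipients.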

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!