Re: Mail Issue

From: Gary Maltzen (maltzenat_private)
Date: Tue Jul 31 2001 - 05:28:33 PDT


    I wonder if this is similar to a series of mail address scans I saw three months ago. The intent appeared not to be delivery of an actual message but (using RCPT TO) to harvest a list of valid e-mail addresses. Each "message" attempt would walk through a (dictionary?) list of names. As soon as I blocked one (dial-up) IP the scan re-appeared from another SP's block.
    
    -----Original Message----- 
    I sent this same information along with the detailed logs to Road Runner, but 
    I have yet to hear anything back.  In the last 24 hours, my mail server has 
    denied over 52,000 messages from this address.  I have added deny lists to 
    the firewall, but it does not match the addresses listed here.  Does anyone 
    have any ideas of what is happening here?  Thanks in advance for any 
    assistance given.
    
    
    
    Jul 29 21:39:57 pop3 sendmail[31890]: f6U2duU31890: 
    from=<ellievowellat_private>, size=0, class=0, nrcpts=0, proto=SMTP, 
    daemon=MTA, relay=dt181nd1.tampabay.rr.com [24.92.209.209]
    Jul 29 21:39:59 pop3 sendmail[31900]: f6U2dwU31900: ruleset=check_rcpt, 
    arg1=<rstelzat_private>, relay=dt181nd1.tampabay.rr.com [24.92.209.209], 
    reject=550 5.7.1 <rstelzat_private>... Relaying denied
    Jul 29 21:39:59 pop3 sendmail[31900]: f6U2dwU31900: lost input channel from 
    dt181nd1.tampabay.rr.com [24.92.209.209] to MTA after rcpt
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
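
The pattern described in this thread (many rejected RCPT TO attempts from one relay, sessions dropped after rcpt, no message delivered) can be tallied from the sendmail log. The following is an added example, not code from either poster; the sample log lines, hosts, addresses and the `min_rcpts` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the sendmail syslog format quoted above; hosts and addresses are made up.
SAMPLE_LOG = """\
Jul 29 21:39:57 pop3 sendmail[31890]: f6U2duU31890: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dialup1.example.net [192.0.2.10]
Jul 29 21:39:59 pop3 sendmail[31900]: f6U2dwU31900: ruleset=check_rcpt, arg1=<alice@example.org>, relay=dialup1.example.net [192.0.2.10], reject=550 5.7.1 <alice@example.org>... Relaying denied
Jul 29 21:40:00 pop3 sendmail[31900]: f6U2dwU31900: ruleset=check_rcpt, arg1=<bob@example.org>, relay=dialup1.example.net [192.0.2.10], reject=550 5.7.1 <bob@example.org>... Relaying denied
Jul 29 21:40:01 pop3 sendmail[31900]: f6U2dwU31900: ruleset=check_rcpt, arg1=<carol@example.org>, relay=dialup1.example.net [192.0.2.10], reject=550 5.7.1 <carol@example.org>... Relaying denied
Jul 29 21:40:01 pop3 sendmail[31900]: f6U2dwU31900: lost input channel from dialup1.example.net [192.0.2.10] to MTA after rcpt
Jul 29 21:45:12 pop3 sendmail[31950]: f6U2jCU31950: ruleset=check_rcpt, arg1=<dave@example.org>, relay=[198.51.100.7], reject=550 5.7.1 <dave@example.org>... Relaying denied
"""

RELAY = r"(?:\S+ )?\[([\d.]+)\]"  # matches "host [ip]" or a bare "[ip]"
REJECT = re.compile(r"ruleset=check_rcpt, arg1=<([^>]*)>, relay=" + RELAY + r", reject=\d{3}")
LOST = re.compile(r"lost input channel from " + RELAY + r" to \S+ after rcpt")
EMPTY = re.compile(r"nrcpts=0,.*relay=" + RELAY)


def summarize(log_text):
    """Per relay IP: rejected RCPTs, distinct recipients tried, empty and dropped sessions."""
    stats = defaultdict(lambda: {"rejects": 0, "rcpts": set(), "empty": 0, "dropped": 0})
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            entry = stats[m.group(2)]
            entry["rejects"] += 1
            entry["rcpts"].add(m.group(1).lower())
        elif m := LOST.search(line):
            stats[m.group(1)]["dropped"] += 1
        elif m := EMPTY.search(line):
            stats[m.group(1)]["empty"] += 1
    return stats


def suspected_harvesters(log_text, min_rcpts=3):
    """Relays that tried at least min_rcpts distinct recipients, busiest first."""
    hits = [(ip, len(s["rcpts"]), s["dropped"])
            for ip, s in summarize(log_text).items() if len(s["rcpts"]) >= min_rcpts]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for ip, rcpts, dropped in suspected_harvesters(SAMPLE_LOG):
        print(f"{ip}: {rcpts} distinct recipients rejected, {dropped} sessions dropped after rcpt")
```

Because the scan reappeared from a different address after a block, the per-IP tally is better used to drive rate limits or alerts than a static deny list.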
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 10:26:09 PDT