I wonder if this is similar to a series of mail address scans I saw three months ago. The intent appeared not to be delivery of an actual message but (using RCPT TO) to harvest a list of valid e-mail addresses. Each "message" attempt would walk through a (dictionary?) list of names. As soon as I blocked one (dial-up) IP the scan re-appeared from another SP's block. -----Original Message----- I sent this same information along with the detailed logs to Road Runner, but I have yet to hear anything back. In the last 24 hours, my mail server has denyied over 52,000 messages from this address. I have added deny lists to the firewall, but it does not match the addresses listed here. Does anyone have any ideas of what is happening here? Thanks in advance for any assistance given. Jul 29 21:39:57 pop3 sendmail[31890]: f6U2duU31890: from=<ellievowellat_private>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dt181nd1.tampabay.rr.com [24.92.209.209] Jul 29 21:39:59 pop3 sendmail[31900]: f6U2dwU31900: ruleset=check_rcpt, arg1=<rstelzat_private>, relay=dt181nd1.tampabay.rr.com [24.92.209.209], reject=550 5.7.1 <rstelzat_private>... Relaying denied Jul 29 21:39:59 pop3 sendmail[31900]: f6U2dwU31900: lost input channel from dt181nd1.tampabay.rr.com [24.92.209.209] to MTA after rcpt ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 10:26:09 PDT