Hi,

I get lots of probes for email addresses at some of my mail servers. It seems people are probing the MX-es of domains they get from the registries, and then try a list of accounts, to see if they exist, so they can be spammed in the future.

I probed some of the (now blocked) offending hosts, and a lot of them run open proxies, so I suspect they are being used as an intermediate. It seems the probes are coordinated in some way, as if I block one offender, a few moments later the probes appear from another host.

Sample maillog:

Jan 16 04:49:06 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <mjonesat_private>: User unknown; from=<johnat_private> to=<mjonesat_private>
Jan 16 04:49:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <ccsat_private>: User unknown; from=<johnat_private> to=<ccsat_private>
Jan 16 04:49:37 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <gerardat_private>: User unknown; from=<johnat_private> to=<gerardat_private>
Jan 16 04:49:54 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <riveroat_private>: User unknown; from=<johnat_private> to=<riveroat_private>
Jan 16 04:50:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <gloriaat_private>: User unknown; from=<johnat_private> to=<gloriaat_private>
Jan 16 04:50:31 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <alisonat_private>: User unknown; from=<johnat_private> to=<alisonat_private>
Jan 16 04:50:51 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <palmerat_private>: User unknown; from=<johnat_private> to=<palmerat_private>
Jan 16 04:51:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <princeat_private>: User unknown; from=<johnat_private> to=<princeat_private>
Jan 16 04:51:34 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <emeraldat_private>: User unknown; from=<johnat_private> to=<emeraldat_private>
Jan 16 04:51:57 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <stephanieat_private>: User unknown; from=<johnat_private> to=<stephanieat_private>
Jan 16 04:52:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <dwayneat_private>: User unknown; from=<johnat_private> to=<dwayneat_private>
Jan 16 04:52:46 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <claudiaat_private>: User unknown; from=<johnat_private> to=<claudiaat_private>
Jan 16 04:53:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <bennyat_private>: User unknown; from=<johnat_private> to=<bennyat_private>
Jan 16 04:53:39 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <hutchat_private>: User unknown; from=<johnat_private> to=<hutchat_private>

greets

Patrick

--
Patrick Oonk - Pine Digital Security - patrick.oonkat_private
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF
-+-+-+-+-+-+-+-+ One thing less to worry about... -+-+-+-+-+-+-+-+-+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
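One way to detect the probing pattern in the sample maillog above, as an added example that is not part of the original post: it flags client IPs that collect many distinct "User unknown" rejects in a short window, then lists envelope senders reused across flagged IPs, which is one sign of the coordination the post describes. The function names, threshold, window, default year and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd "User unknown" reject, in the line format shown in the post.
REJECT = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
                    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 <[^>]*>: User unknown; "
                    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

def parse(lines, year=2003):
    """Yield (time, client_ip, sender, recipient); syslog omits the year (assumed)."""
    for line in lines:
        m = REJECT.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["ip"], m["sender"].lower(), m["rcpt"].lower()

def harvesters(events, threshold=5, window=timedelta(minutes=10)):
    """Client IPs rejected for >= threshold distinct unknown recipients in window."""
    per_ip = defaultdict(list)
    for when, ip, _, rcpt in sorted(events):
        per_ip[ip].append((when, rcpt))
    flagged = set()
    for ip, hits in per_ip.items():
        start = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:   # slide the window forward
                start += 1
            if len({r for _, r in hits[start:end + 1]}) >= threshold:
                flagged.add(ip)
                break
    return flagged

def shared_senders(events, flagged):
    """Envelope senders seen from more than one flagged IP (hint of coordination)."""
    ips = defaultdict(set)
    for _, ip, sender, _ in events:
        if ip in flagged:
            ips[sender].add(ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}

def sample_log():
    """Constructed log (documentation addresses): two probing hosts, one typo."""
    fmt = ("Jan 16 04:{:02d}:{:02d} mailhost postfix/smtpd[7873]: reject: RCPT from unknown"
           "[{}]: 550 <{u}@example.com>: User unknown; from=<{f}> to=<{u}@example.com>")
    names = ["mjones", "ccs", "gerard", "rivero", "gloria", "alison"]
    log = [fmt.format(m, i * 9, ip, u=u, f="john@example.net")
           for m, ip in [(49, "192.0.2.10"), (55, "198.51.100.7")]
           for i, u in enumerate(names)]
    return log + [fmt.format(58, 0, "203.0.113.5", u="jsmiht", f="alice@example.org")]
```

Feed it real log lines with `list(parse(open(path)))`; a single mistyped recipient from a legitimate host stays below the threshold and is not flagged.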
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:08:10 PST