I've seem somthing similar, thoug it appeared to be comming from datacommarketing.com, when I blocked them, it didn't start up from anywhere else however. I wave seen one or two similar waves though, but when none found valid e-mail boxes, they just stoped. On Tue, 21 Jan 2003, Patrick Oonk wrote: > Hi, > > I get lots of probes for emailadresses at some of my mailservers. > It seems people are probing the MX-es of domains they get from > the registries, and then try a list of accounts, to see if they exist, > so they can be spammed in the future. I probed some of the (now blocked) > offfending hosts, and a lot of them run open proxies, so I suspect they > are being used as an intermediate. It seems the probes are coordinated > in some way, as if I block one offender, a few moments later the probes > appear from another host. > > Sample maillog: > > Jan 16 04:49:06 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <mjonesat_private>: User unknown; from=<johnat_private> to=<mjonesat_private> > Jan 16 04:49:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <ccsat_private>: User unknown; from=<johnat_private> to=<ccsat_private> > Jan 16 04:49:37 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <gerardat_private>: User unknown; from=<johnat_private> to=<gerardat_private> > Jan 16 04:49:54 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <riveroat_private>: User unknown; from=<johnat_private> to=<riveroat_private> > Jan 16 04:50:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <gloriaat_private>: User unknown; from=<johnat_private> to=<gloriaat_private> > Jan 16 04:50:31 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <alisonat_private>: User unknown; from=<johnat_private> to=<alisonat_private> > Jan 16 04:50:51 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <palmerat_private>: User unknown; from=<johnat_private> to=<palmerat_private> > Jan 16 04:51:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <princeat_private>: User unknown; from=<johnat_private> to=<princeat_private> > Jan 16 04:51:34 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <emeraldat_private>: User unknown; from=<johnat_private> to=<emeraldat_private> > Jan 16 04:51:57 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <stephanieat_private>: User unknown; from=<johnat_private> to=<stephanieat_private> > Jan 16 04:52:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <dwayneat_private>: User unknown; from=<johnat_private> to=<dwayneat_private> > Jan 16 04:52:46 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <claudiaat_private>: User unknown; from=<johnat_private> to=<claudiaat_private> > Jan 16 04:53:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <bennyat_private>: User unknown; from=<johnat_private> to=<bennyat_private> > Jan 16 04:53:39 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 <hutchat_private>: User unknown; from=<johnat_private> to=<hutchat_private> > > greets > > Patrick > > -- Frank Barton Starwolf.biz Systems Administrator ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 06:31:58 PST