[TriLUG] Strange mailserver flood
cristobalpalmer at gmail.com
Wed Apr 30 09:38:38 EDT 2008
On Wed, Apr 30, 2008 at 9:28 AM, Brian Daniels <bitmage at pobox.com> wrote:
> <snip />
> I've seen 'dictionary attack' spams before that try likely names, but these look
> designed to never match a real user.
> <snip />
> And after an hour or so, the flood drops back to a steady drip of similarly
> addressed messages.
> Anyone else seeing these, or have any idea what they're trying to do?
They're trying to get you to send a DSN to whatever they've forged as
their HELO. Some poorly-written or poorly-configured MTAs will accept
the mail and then send a bounce rather than reject during the SMTP
transaction. They're trying to use you as a reflector.
If you settle on a good way to mitigate this attack, share it with the
list please. Perhaps someone else has a suggestion....
Cristóbal M. Palmer
http://tinyurl.com/3apraw "They also abandoned other volumes, later,
while fleeing from the librarians."
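
The difference between rejecting during the SMTP transaction and accepting then bouncing, as an added example that is not part of the original thread. It is a toy model, not any real MTA's code; the user list, addresses and the handle_session/flood names are constructed, and it assumes the DSN is addressed to the envelope sender (MAIL FROM), which is where SMTP bounces are sent.

```python
# Added example: toy MTA comparing accept-then-bounce with rejection at RCPT TO.
# All addresses and names are constructed for illustration.
VALID_USERS = {"alice@example.org", "bob@example.org"}  # assumed local mailboxes


def handle_session(commands, reject_at_rcpt):
    """Run SMTP commands through the toy server; return (replies, queued_dsns)."""
    replies, dsns = [], []
    sender, good, bad = "", [], []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        addr = arg.strip().strip("<>").lower()
        if verb.startswith(("HELO", "EHLO")):
            replies.append("250 hello")
        elif verb == "MAIL FROM":
            sender, good, bad = addr, [], []   # new transaction
            replies.append("250 ok")
        elif verb == "RCPT TO":
            if addr in VALID_USERS:
                good.append(addr)
                replies.append("250 ok")
            elif reject_at_rcpt:
                # Refuse while the client is still connected: no DSN is ever created.
                replies.append("550 5.1.1 user unknown")
            else:
                bad.append(addr)               # accepted now, bounced later
                replies.append("250 ok")
        elif verb == "DATA":                   # message body is omitted in this model
            if not good and not bad:
                replies.append("554 5.5.1 no valid recipients")
                continue
            replies.append("250 queued")
            if sender:                         # a null sender <> is never bounced to
                dsns += [(sender, rcpt) for rcpt in bad]
    return replies, dsns


def flood(n):
    """Constructed flood: forged sender, recipients that match no real user."""
    cmds = ["HELO mail.forged.example"]
    for i in range(n):
        cmds += ["MAIL FROM:<victim@forged.example>",
                 f"RCPT TO:<x{i}qzv@example.org>", "DATA"]
    return cmds


if __name__ == "__main__":
    for mode in (False, True):
        _, dsns = handle_session(flood(5), reject_at_rcpt=mode)
        print(f"reject_at_rcpt={mode}: {len(dsns)} DSNs sent to forged sender")
```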