Web Hosting Talk

Email Scanning??? Help or Insights.


huck
08-13-2001, 03:36 PM
Over the past few weeks, someone has been trying to send email to user@mydomain.com, where "user" is not and has never been a user on the system, but mydomain.com is the correct domain.

There are at least 100-200 attempts on various days using different methods to send email through the server. Also, there are several (>40) originating IP addresses for the email.

Does anyone have any insight into this??? Could this simply be the server's view of an Email worm -- many people trying to send email to the same address, thus explaining the different originating IP addresses. Or does this smell more like probing to look for an open relay??? Insights appreciated.


On another note
Recently, we were also spammed by someone trying to send mail to over 100,000 people at our servers. They used common names, e.g. james@domain.com, jake@domain.com, etc., to send emails. We do not allow common names as userids and only use firstname.lastname aliases, so nobody was spammed this way. However, accounts such as www and webmaster did receive email. The sender simply used some sort of name dictionary to send thousands of messages. The IPs of this attack and the one above do not match, though the times of attack are similar.


Once again, any guesses or insights appreciated.


Does anyone know of maillog security software??? Right now we are just trapping relay denied errors, but more details might be useful.
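
The two patterns described in the post (many source IPs hitting one nonexistent address, versus one source walking a name dictionary) can be told apart from relay probes by grouping rejected recipients in the mail log. This is an added example, not part of the original post; the sendmail-style log format, the sample lines, and the `summarize` function with its thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed sendmail-style reject line; adjust the pattern to your MTA's log format.
LINE_RE = re.compile(
    r"arg1=<(?P<rcpt>[^>]+)>, relay=[^,]*\[(?P<ip>[0-9.]+)\], "
    r"reject=\d{3} \S+ <[^>]*>\.\.\. (?P<reason>.+)$")

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Aug 13 15:30:01 mx sendmail[101]: f7D01: ruleset=check_rcpt, arg1=<user@mydomain.com>, relay=[192.0.2.10], reject=550 5.1.1 <user@mydomain.com>... User unknown
Aug 13 15:31:02 mx sendmail[102]: f7D02: ruleset=check_rcpt, arg1=<user@mydomain.com>, relay=[198.51.100.7], reject=550 5.1.1 <user@mydomain.com>... User unknown
Aug 13 15:32:03 mx sendmail[103]: f7D03: ruleset=check_rcpt, arg1=<user@mydomain.com>, relay=[203.0.113.5], reject=550 5.1.1 <user@mydomain.com>... User unknown
Aug 13 15:40:04 mx sendmail[104]: f7D04: ruleset=check_rcpt, arg1=<james@mydomain.com>, relay=[203.0.113.99], reject=550 5.1.1 <james@mydomain.com>... User unknown
Aug 13 15:40:05 mx sendmail[104]: f7D05: ruleset=check_rcpt, arg1=<jake@mydomain.com>, relay=[203.0.113.99], reject=550 5.1.1 <jake@mydomain.com>... User unknown
Aug 13 15:40:06 mx sendmail[104]: f7D06: ruleset=check_rcpt, arg1=<john@mydomain.com>, relay=[203.0.113.99], reject=550 5.1.1 <john@mydomain.com>... User unknown
Aug 13 15:50:07 mx sendmail[105]: f7D07: ruleset=check_rcpt, arg1=<someone@example.net>, relay=[192.0.2.44], reject=550 5.7.1 <someone@example.net>... Relaying denied
"""

def summarize(log_text, min_ips=3, min_rcpts=3):
    """Group rejects by recipient and by source IP (thresholds are illustrative)."""
    ips_by_rcpt = defaultdict(set)   # recipient -> source IPs that tried it
    rcpts_by_ip = defaultdict(set)   # source IP -> recipients it tried
    relay_denied = set()             # sources that tried to relay through us
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                 # not a reject line in the assumed format
        rcpt, ip = m["rcpt"].lower(), m["ip"]
        if "relaying denied" in m["reason"].lower():
            relay_denied.add(ip)
        else:
            ips_by_rcpt[rcpt].add(ip)
            rcpts_by_ip[ip].add(rcpt)
    return {
        # One address hit from many hosts: worm-like or distributed sender.
        "many_sources_one_rcpt": {r: sorted(s) for r, s in ips_by_rcpt.items()
                                  if len(s) >= min_ips},
        # One host trying many local names: dictionary-style address guessing.
        "one_source_many_rcpts": {i: sorted(s) for i, s in rcpts_by_ip.items()
                                  if len(s) >= min_rcpts},
        "relay_denied_sources": sorted(relay_denied),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Raise `min_ips` and `min_rcpts` for a busy server so that ordinary mistyped addresses do not show up in either group.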