
New spam-probing wave?

From: Patrick Oonk <patrick.oonk(at)pine.nl>
Date: Tue Jan 21 2003 - 10:08:02 EST


Hi,

I get lots of probes for email addresses at some of my mailservers. It seems people are probing the MX-es of domains they get from the registries, and then try a list of accounts, to see if they exist, so they can be spammed in the future. I probed some of the (now blocked) offending hosts, and a lot of them run open proxies, so I suspect they are being used as an intermediate. It seems the probes are coordinated in some way, as if I block one offender, a few moments later the probes appear from another host.

Sample maillog:

Jan 16 04:49:06 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:49:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:49:37 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:49:54 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:50:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:50:31 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:50:51 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:51:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:51:34 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:51:57 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:52:21 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:52:46 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:53:12 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=
Jan 16 04:53:39 mailhost postfix/smtpd[7873]: reject: RCPT from unknown[216.237.60.60]: 550 : User unknown; from= to=

greets

        Patrick

-- 
 Patrick Oonk    -   Pine Digital Security    -   patrick.oonk@pine.nl
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 -+-+-+-+-+-+-+-+  One thing less to worry about... -+-+-+-+-+-+-+-+-+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Thu Jan 23 12:26:32 2003
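
Added example, not part of the original post: a small Python detector for the pattern described in the message, run over constructed log lines in the same Postfix reject format. It flags clients with repeated "User unknown" rejects in a short window and pairs flagged sources where one starts shortly after another stops; the thresholds, the year default, the function names and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd unknown-recipient reject: captures timestamp and client IP.
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: reject: RCPT from "
    r"\S*\[([0-9a-fA-F.:]+)\]: 550 .*User unknown")

def _line(ts, ip):
    return (f"{ts} mailhost postfix/smtpd[7873]: reject: RCPT from "
            f"unknown[{ip}]: 550 : User unknown; from= to=")

# Constructed sample: two probing sources in sequence plus one client
# with a single mistyped recipient. Addresses are documentation ranges.
SAMPLE = "\n".join(
    [_line(f"Jan 16 04:49:{s:02d}", "192.0.2.60") for s in range(0, 60, 10)] +
    [_line(f"Jan 16 04:50:{s:02d}", "198.51.100.9") for s in range(30, 60, 5)] +
    [_line("Jan 16 04:52:00", "203.0.113.5")])

def parse(log, year=2003):
    """Yield (timestamp, client_ip); syslog lines carry no year, so one is assumed."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def harvesters(log, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (first, last, count)} for clients with >= threshold rejects in any window."""
    by_ip = defaultdict(list)
    for ts, ip in parse(log):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = (times[0], times[-1], len(times))
                break
    return flagged

def handoffs(flagged, gap=timedelta(minutes=2)):
    """Pair flagged sources where the next one starts within `gap` of the previous one stopping."""
    runs = sorted(flagged.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, ra), (b, rb) in zip(runs, runs[1:])
            if timedelta(0) <= rb[0] - ra[1] <= gap]
```

Calling harvesters(SAMPLE) flags the two probing sources and leaves the single-reject client alone; handoffs() on that result reports the first source handing over to the second.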

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

