Posted to users@spamassassin.apache.org by Chris Stenton <ja...@gnome.co.uk> on 2004/09/15 12:01:32 UTC

Is this normal - off topic

I have been looking at my mail logs and wonder if this is now the norm

 Mail stats for last 24 hours

3020 Total mail messages
2143 reject "unknown user"
206 reject RBL
39 reject Virus
158 SPAM messages caught by SA 3.0
474 genuine mail messages

The number of "unknown user" rejects has grown really fast over the last 4 
weeks. I am not sure what the spammers' motives are as the success rate must 
be near zero?

Chris




Re: Is this normal - off topic

Posted by Matt Kettler <mk...@comcast.net>.
At 03:07 AM 9/15/2004 -0700, Jeff Chan wrote:
>Sounds like your server is being "dictionary attacked", i.e.
>bad guys are looking for valid mail addresses by trying many
>different common ones.  In other words they try many and the ones
>that don't result in the "unknown user" response, they add to
>their spam lists.
>
>Unfortunately this is a standard spammer operation.

It's also standard procedure for several mail viruses including much of the 
MyDoom family to generate additional addresses by mixing and matching 
username and domain parts they find. Thus, it's also very common to get a 
spike in "unknown user" messages when a new virus breaks out. 


Re: Is this normal - off topic

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, September 15, 2004, 3:07:03 AM, Jeff Chan wrote:
> If you can spot what IP address they are coming in from,
> perhaps you can block it at a networking layer.

You can also block some of these at the MTA layer by
using RBLs listing compromised addresses, etc.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Is this normal - off topic

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, September 15, 2004, 3:01:32 AM, Chris Stenton wrote:
> I have been looking at my mail logs and wonder if this is now the norm

>  Mail stats for last 24 hours

> 3020 Total mail messages
> 2143 reject "unknown user"
> 206 reject RBL
> 39 reject Virus
> 158 SPAM messages caught by SA 3.0
> 474 genuine mail messages

> The number of "unknown user" rejects has grown really fast over the last 4 
> weeks. I am not sure what the spammers' motives are as the success rate must 
> be near zero?

> Chris

Sounds like your server is being "dictionary attacked", i.e.
bad guys are looking for valid mail addresses by trying many
different common ones.  In other words they try many and the ones
that don't result in the "unknown user" response, they add to
their spam lists.

Unfortunately this is a standard spammer operation.

If you can spot what IP address they are coming in from,
perhaps you can block it at a networking layer.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Is this normal - off topic

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Wednesday 15 September 2004 11:01, Chris Stenton might have typed:
> I have been looking at my mail logs and wonder if this is now the norm
>
>  Mail stats for last 24 hours
>
> 3020 Total mail messages
> 2143 reject "unknown user"
> 206 reject RBL
> 39 reject Virus
> 158 SPAM messages caught by SA 3.0
> 474 genuine mail messages
>
> The number of "unknown user" rejects has grown really fast over the last 4
> weeks. I am not sure what the spammers' motives are as the success rate must
> be near zero?

Doesn't cost them anything really if they're using a compromised system.  I've 
got a few addresses that have been invalid for years, and they still bounce 
mail.  Well, they did until I turned them into spamtraps.

Re: Is this normal - off topic

Posted by Marco van den Bovenkamp <ma...@linuxgoeroe.dhs.org>.
Chris Stenton wrote:

> The number of "unknown user" rejects has grown really fast over the 
> last 4 weeks. I am not sure what the spammers' motives are as the success 
> rate must be near zero?

May be backscatter from a joe job. Someone using random addresses in 
your domain as 'From:'-addresses in their spamrun, and what you see are 
the bounces.

I'm getting a lot of that as well on a small mailserver I admin.

-- 

		Regards,

			Marco.
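Two explanations for the "unknown user" spike are offered in this thread: a dictionary attack from a client probing many names (Jeff Chan suggests spotting its IP address), and backscatter from a joe job, where remote MTAs bounce spam that forged your domain as sender. The script below is an added example, not code from any poster; it reads Postfix-style smtpd reject lines (the format and sample lines are constructed here, not taken from the thread) and separates the two cases: real-sender rejects with many distinct recipients from one IP are flagged as probers, while null-sender (`from=<>`) rejects are counted as bounces.

```python
import re
from collections import defaultdict

# Postfix smtpd "User unknown" reject line: capture client IP, envelope
# sender and rejected recipient (format assumed from typical Postfix logs).
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"User unknown.*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)

# Constructed sample log (not from the thread): one client probing several
# names with a real sender, plus null-sender bounces from different hosts.
SAMPLE_LOG = """\
Sep 15 10:01:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.invalid> to=<alice@example.org>
Sep 15 10:01:03 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <andrew@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.invalid> to=<andrew@example.org>
Sep 15 10:01:04 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <anna@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.invalid> to=<anna@example.org>
Sep 15 10:02:10 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.5]: 550 5.1.1 <qzx7@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<qzx7@example.org>
Sep 15 10:02:11 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from mx2.example.com[203.0.113.9]: 550 5.1.1 <k3lp@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<k3lp@example.org>
Sep 15 10:03:00 mx postfix/smtpd[1004]: 1A2B3C4D5E: client=relay.example.org[192.0.2.77]
"""


def parse_rejects(lines):
    """Return (ip, sender, rcpt) tuples for every 'User unknown' reject."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("sender"), m.group("rcpt")))
    return out


def classify(lines, probe_threshold=3):
    """Split unknown-user rejects into dictionary probers (one IP, at least
    probe_threshold distinct recipients, non-null sender) and backscatter
    (null-sender bounces, as seen after a joe job)."""
    per_ip = defaultdict(set)
    backscatter = 0
    rejects = parse_rejects(lines)
    for ip, sender, rcpt in rejects:
        if sender == "":          # null envelope sender = a bounce, not a probe
            backscatter += 1
        else:
            per_ip[ip].add(rcpt)
    probers = sorted(ip for ip, r in per_ip.items() if len(r) >= probe_threshold)
    return {"probers": probers, "backscatter_bounces": backscatter,
            "total_unknown": len(rejects)}


if __name__ == "__main__":
    print(classify(SAMPLE_LOG.splitlines()))
```

Run it over `grep 'User unknown' /var/log/mail.log` on a real box to see whether one IP dominates (a candidate for a firewall or MTA-level block) or the rejects are null-sender bounces spread over many hosts (backscatter, which blocking single IPs will not fix).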