[IMail Forum] New Dictionary attack style? Or bug?

Thu, 24 Nov 2005 06:58:35 -0800


Hello, 
I just noticed an extremely large number of fake email recipients being thrown at my server. Over 300 hundred in the sample event posted below. I've done the Reg modification as referenced for only three invalid recipients. Also this Reg MaxInvalidRCPTs seems to be working but for the domain/instance below "Invalid User" seems to never have been returned from iMail. Is this a known bug or some local problem?

"MaxInvalidRCPTsPerSession"=dword:00000003

20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [192.168.1.184] connect 66.205.54.41 port 61053
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] Helo yvfdoh.gov
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] MAIL FROM: <[EMAIL PROTECTED]>
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022430 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022431 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022431 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022431 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022431 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS

******   More examples of same email removed due to List size requirements    ******

20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022434 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RSET
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RSET
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] MAIL FROM: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022435 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022436 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>

******   More examples of same email removed due to List size requirements    ******

20051124 022439 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022439 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022439 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022439 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022439 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022440 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022440 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022440 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] RCPT TO: <[EMAIL PROTECTED]>
20051124 022440 127.0.0.1       SMTPD (94de016900002bcf) [x] looking up RefDomain.com in HOSTS
20051124 022440 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] DATA
20051124 022442 127.0.0.1       SMTPD (0000000000000000) Process Spawned: "D:\IMail\SNDFAXUI.EXE" QUEUERUN "D:\IMail\spool"
20051124 022442 127.0.0.1       SMTPD (0000000000000000) Process Spawned: "D:\IMail\imailsrv" -q x
20051124 022442 127.0.0.1       SMTPD (94de016900002bcf) [66.205.54.41] D:\IMail\spool\D94de016900002bcf.SMD 77130
20051124 022442 127.0.0.1       SMTPD (94de016900002bcf) performing antispam checks
20051124 022442 127.0.0.1       SMTPD (94ea016900002bd0) [66.205.54.41] QUIT


20051124 022542 127.0.0.1       SMTPD (9526018700002bdb) [192.168.1.184] connect 59.144.252.165 port 1909
20051124 022543 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] HELO 72.3.197.184
20051124 022544 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] MAIL FROM: <[EMAIL PROTECTED]>
20051124 022545 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] RCPT TO: <[EMAIL PROTECTED]>
20051124 022545 127.0.0.1       SMTPD (9526018700002bdb) [x] looking up sgdesign.com in HOSTS
20051124 022545 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] ERR mail.sgdesign.com invalid user <[EMAIL PROTECTED]
20051124 022546 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] RCPT TO: <[EMAIL PROTECTED]>
20051124 022546 127.0.0.1       SMTPD (9526018700002bdb) [x] looking up sgdesign.com in HOSTS
20051124 022546 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] ERR mail.sgdesign.com invalid user <[EMAIL PROTECTED]
20051124 022547 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] RCPT TO: <[EMAIL PROTECTED]>
20051124 022547 127.0.0.1       SMTPD (9526018700002bdb) [x] looking up sgdesign.com in HOSTS
20051124 022547 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] ERR mail.sgdesign.com invalid user <[EMAIL PROTECTED]
20051124 022547 127.0.0.1       SMTPD (9526018700002bdb) [59.144.252.165] Max Invalid RCPTs Exceeded






Regards, 


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769





Reply via email to