Scott,

Thanks for your quick reply. Sorry I wasn't clear. In the sniffer captures of traffic to/from the mail host, only the email with the invalid recipient appears. There are not 512 attempts to relay mail by the originator to itself.

I don't see "1+512" anywhere. I poorly attempted to explain that the log reflects one ERR "invalid user" for the original recipient, followed by 512 ERR entries showing the sender as both sender and recipient.

Yes, I did substitute strings for the IP addresses and original host names; but I didn't think it was relevant to the problem. This process of writing 512 unexpected errors to the log file happens regardless of sender and for any invalid user.

Thanks for your notes on the log extract. That's what I had understood the entries to mean. It's just that the log entries subsequent to the first ERR are not caused by additional SMTP (or other) traffic to my mail host.

Thanks again,
Jack

At 03:47 PM 3/6/2002, you wrote:
>>Each time IMail receives a message for an invalid user, something spawns
>>a process that results in 512 "invalid user" error messages in which the
>>original sender is both sender and recipient. The error message expected
>>as a result of the original "invalid" recipient is written also. It's
>>always 1+512. If there are three invalid recipients on a multiple
>>addressee message, then it's 3+1536, etc. The condition exists despite
>>stopping/starting services, reboots, etc.
>
>Where are you seeing the "1+512" and "3+1536"?
>
>>I'm experiencing about 10K multi-line errors per hour.
>
>That sounds like a "dictionary attack", where someone is trying to send to
>thousands of non-existent users on your server. You should try blocking
>their IP address using the SMTP Security settings.
>
>>03:03 00:00 SMTPD(B7C10124) [168.16.xxx.xx] connect 168.16.xxx.xx port 2234
>
>This shows that someone from 168.16.xxx.xx is connecting to your
>mailserver. That's the "evil" IP address (the one in the "connect
>168.16.xxx.xx", not the first one, which is your IP).
>
>>03:03 00:00 SMTPD(B7C10124) [168.16.xxx.xx] HELO mail...
>
>This just means that they are claiming to be a host "mail..." (which I'm
>guessing is really information you put in to help hide the spammer's identity).
>
>>03:03 00:00 SMTPD(B7C10124) [168.16.xxx.xx] mail
>>from:<[EMAIL PROTECTED]>
>
>This means that they are sending you mail from the address shown above.
>
>>03:03 00:00 SMTPD(B7C10124) [168.16.xxx.xx] RCPT TO:<[EMAIL PROTECTED]>
>
>To an address on your server that doesn't exist.
>
>>03:03 00:00 SMTPD(B7C10124) [168.16.xxx.xx] ERR mail... invalid user
>><[EMAIL PROTECTED]
>
>And IMail says that it doesn't exist.
>
>>03:03 00:00 SMTPD(93F000F2) [168.16.xxx.xx] connect 168.16.xxx.xx port 2235
>>03:03 00:00 SMTPD(93F000F2) [168.16.xxx.xx] HELO mail...
>>03:03 00:00 SMTPD(93F000F2) [168.16.xxx.xx] mail
>>from:<[EMAIL PROTECTED]>
>>03:03 00:00 SMTPD(93F000F2) [168.16.xxx.xx] RCPT
>>TO:<[EMAIL PROTECTED]>
>>03:03 00:00 SMTPD(93F000F2) [168.16.xxx.xx] ERR mail... invalid user
>><[EMAIL PROTECTED]
>>03:03 00:00 SMTPD(B7C20124) [168.16.xxx.xx] connect 168.16.xxx.xx port 2236
>>03:03 00:00 SMTPD(B7C20124) [168.16.xxx.xx] HELO mail...
>>03:03 00:00 SMTPD(B7C20124) [168.16.xxx.xx] mail
>>from:<[EMAIL PROTECTED]>
>>03:03 00:00 SMTPD(B7C20124) [168.16.xxx.xx] RCPT
>>TO:<[EMAIL PROTECTED]>
>>03:03 00:00 SMTPD(B7C20124) [168.16.xxx.xx] ERR mail... invalid user
>><[EMAIL PROTECTED]
>
>And this just shows that they are doing this a lot, which indicates either
>a spammer or a serious mail problem on their end.
>
>                                    -Scott
>---
>Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
>IMail. http://www.declude.com
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html to be
>removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
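Added example, not part of the original messages: a small log summarizer for telling the two readings in this thread apart, by attributing each "invalid user" rejection to the peer address on that session's `connect` line. The line layout is assumed from the quoted extract; the function name `summarize_invalid_users`, the threshold, and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout assumed from the extract quoted in this thread:
#   MM:DD HH:MM SMTPD(<session id>) [<local ip>] <event text>
LINE_RE = re.compile(r"^\S+ \S+ SMTPD\((?P<sid>[0-9A-Fa-f]+)\) \[(?P<local>[^\]]+)\] (?P<event>.*)$")
CONNECT_RE = re.compile(r"^connect (?P<peer>\S+) port (?P<port>\d+)$")

# Constructed sample (not from the thread); all addresses are documentation ranges.
SAMPLE_LOG = """\
03:06 15:40 SMTPD(A0000001) [192.0.2.10] connect 198.51.100.7 port 2234
03:06 15:40 SMTPD(A0000001) [192.0.2.10] HELO mail.example
03:06 15:40 SMTPD(A0000001) [192.0.2.10] ERR mail.example invalid user <nobody1@example.org>
03:06 15:40 SMTPD(A0000002) [192.0.2.10] connect 198.51.100.7 port 2235
03:06 15:40 SMTPD(A0000002) [192.0.2.10] ERR mail.example invalid user <nobody2@example.org>
03:06 15:40 SMTPD(A0000003) [192.0.2.10] connect 198.51.100.7 port 2236
03:06 15:40 SMTPD(A0000003) [192.0.2.10] ERR mail.example invalid user <nobody3@example.org>
03:06 15:41 SMTPD(B0000001) [192.0.2.10] connect 192.0.2.10 port 3001
03:06 15:41 SMTPD(B0000001) [192.0.2.10] ERR mail.example invalid user <sender@example.net>
03:06 15:42 SMTPD(C0000001) [192.0.2.10] connect 203.0.113.5 port 4100
03:06 15:42 SMTPD(C0000001) [192.0.2.10] ERR mail.example invalid user <typo@example.org>
03:06 15:43 SMTPD(D0000001) [192.0.2.10] ERR mail.example invalid user <sender@example.net>
"""

def summarize_invalid_users(log_text, threshold=3):
    """Attribute each 'invalid user' ERR to the peer that opened its session."""
    sessions = {}                  # session id -> (local ip, peer ip)
    per_peer = defaultdict(int)    # peer ip -> number of invalid-user rejections
    unattributed = 0               # ERR lines whose session has no connect line
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip anything that is not an SMTPD line
        sid, event = m["sid"], m["event"]
        c = CONNECT_RE.match(event)
        if c:
            sessions[sid] = (m["local"], c["peer"])
        elif event.startswith("ERR ") and "invalid user" in event:
            if sid in sessions:
                per_peer[sessions[sid][1]] += 1
            else:
                unattributed += 1
    local_ips = {local for local, _ in sessions.values()}
    return {
        "per_peer": dict(per_peer),
        # Remote peers with many rejections: the dictionary-attack reading.
        "suspects": sorted(p for p, n in per_peer.items() if n >= threshold and p not in local_ips),
        # Rejections on sessions the server opened to itself: the local-loop reading.
        "self_originated": sum(n for p, n in per_peer.items() if p in local_ips),
        "unattributed": unattributed,
    }
```

A high `suspects` count points at a remote peer worth blocking in the SMTP security settings, while a high `self_originated` or `unattributed` count matches errors that a sniffer on the wire would not see.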
