Hi all, I've had a problem with similar symptoms on my mail server a couple of times. But after purposely receiving some of the messages through a catch-all account, I found out that someone was spamming using our e-mail domain name rather than trying to find an account. The caught messages were bounced spams. That's why they were each coming from unique IP addresses. The spammer was spamming using a handful of forged e-mail addresses. After seeing the bounced spams, we found that they were originating from a unique location and sent through a number of open relays. The source of the original spam was a European IP address. The problem stopped after about a week.
This happened a couple of times and what appeared to be common both times was that the forged e-mail address was from two of our four character domain names. Are you experiencing this problem with your 'i360.net' domain name? That domain name is also a four character domain name.

Cheers,
Richard

At 09:40 AM 2002-06-13 -0500, you wrote:
>Dictionary attack. They are trying to find an account to use.
>
>IP addresses are not in the same class c so it makes it hard to block.
>
>Thanks
>H.
>
>---------- Original Message ----------------------------------
>From: Len Conrad <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Date: Thu, 13 Jun 2002 08:58:32 -0500
>
>>>We are under a bruteforce dictionary attack. Has been going on
>>>for the last 24 hours.
>>
>>dictionary attack or hijacking? they are only sending to your domain?
>>
>>>They are pretty good since they change ip address for every
>>>connection and only try 25 email addresses.
>>
>>they are using open relays, probably. So if you were subscribed to RBL
>>servers by an upstream box like IMGate which would block the attack before
>>it got to your mailbox server.
>>
>>>We are not using SMTP Authentication yet but it is in the plans for
>>>the next 2 weeks or so.
>>
>>SMTP AUTH doesn't stop mailbombs and harvesting aimed at your domains.
>>
>>>Any idea on how to stop this.
>>
>>are the ip's in the same Class C? block that /24 at your edge router.
>>
>>Len
>>
>>www.menandmice.com/DNS-training : DNS Training
>>BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
>>IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
>>
>>Please visit http://www.ipswitch.com/support/mailing-lists.html
>>to be removed from this list.
>>
>>An Archive of this list is available at:
>>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>>
>>Please visit the Knowledge Base for answers to frequently asked
>>questions: http://www.ipswitch.com/support/IMail/
