On 13 Jun 2016, at 17:18, James B. Byrne wrote:

3.  If there is nothing that involves Postfix then something like what
you propose must be the case.  Or someone has gone to some lengths to
scan for these addresses using our domain name as a search term.

Or more likely: crawled the web indiscriminately, harvesting anything that matches the pattern of an email address. Don't take this personally, but there's really nothing special about your domain.

I don't get the same barrage of auth attempts, probably because I don't allow auth on port 25 and I have a fail2ban-like log monitor blocking traffic quite aggressively for auth failures on port 587, PREGREET violations in postscreen, and hits on my website that target various known vulnerabilities. I hover around 2500 firewall entries but that's less of a burden than letting all those bots talk nonsense to userspace servers.

I DO get an unending stream of spammers targeting "addresses" in my personal domain that are actually email and Usenet message-ids from a 15-year span during which my mail and news clients used date-based MIDs. They also hit addresses embedded in HTML tags and comments on pages of my website that get essentially no hits other than crawler bots, with new addresses getting hit reliably within a few months. An address I used only for reporting 2 FreeBSD bugs gets targeted. The address I use for this list is my oldest functional address with any form of public exposure that doesn't get spam aimed at it many times per month: almost 9 years old.

On the systems I run for paying customers the situation is less bad, but only because so few of the users have any public exposure of their addresses. Most of them never get any spam aimed at them. I can't use the same degree of IP blocking on those systems as I do on my own and the pattern is clear: the same set of users who get spam also get targeted by password-guessing bots.
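A defender-side sketch of the kind of log monitor described above, added here as an example and not the poster's own tool: it scans constructed Postfix log lines for SASL authentication failures on the submission service and postscreen PREGREET hits, counts them per client IP, and reports the IPs that cross a threshold as firewall block candidates. The thresholds, sample lines and regexes are assumptions based on the usual Postfix log formats.

```python
import re
from collections import Counter

# smtpd logs a failed SASL auth as "warning: host[ip]: SASL <mech> authentication failed"
SASL_FAIL = re.compile(r"smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \S+ authentication failed")
# postscreen logs a client that spoke before the banner as "PREGREET ... from [ip]:port"
PREGREET = re.compile(r"postscreen\[\d+\]: PREGREET .* from \[(?P<ip>[\d.]+)\]:\d+")

# Constructed sample log lines (RFC 5737 TEST-NET addresses), not real traffic.
SAMPLE_LOG = """\
Jun 13 17:20:01 mx postfix/submission/smtpd[3011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 13 17:20:03 mx postfix/submission/smtpd[3011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 13 17:20:05 mx postfix/submission/smtpd[3012]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 13 17:20:09 mx postfix/postscreen[2981]: PREGREET 11 after 0.12 from [203.0.113.9]:41234: EHLO x\\r\\n
Jun 13 17:20:12 mx postfix/submission/smtpd[3013]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 13 17:20:15 mx postfix/submission/smtpd[3013]: 4F2A1B3C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
"""

def classify(line):
    """Return ("sasl_fail" | "pregreet", ip) for a line that matters, else None."""
    for kind, rx in (("sasl_fail", SASL_FAIL), ("pregreet", PREGREET)):
        m = rx.search(line)
        if m:
            return kind, m.group("ip")
    return None

def block_candidates(log_text, sasl_threshold=3, pregreet_threshold=1):
    """Count hits per IP; return {ip: reason} for IPs crossing a threshold.

    PREGREET is a protocol violation no legitimate client commits, so one hit
    is enough; auth failures allow a couple of typos before blocking.
    """
    counts = {"sasl_fail": Counter(), "pregreet": Counter()}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    blocked = {}
    for ip, n in counts["pregreet"].items():
        if n >= pregreet_threshold:
            blocked[ip] = f"{n} postscreen PREGREET violation(s)"
    for ip, n in counts["sasl_fail"].items():
        if n >= sasl_threshold:
            blocked.setdefault(ip, f"{n} SASL auth failures")
    return blocked

if __name__ == "__main__":
    for ip, why in block_candidates(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
```

In practice the returned map would feed a firewall rule with an expiry, since the post notes the block list hovers around a few thousand entries and needs to age out.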
