At 04:18 27/10/2004, Pierre Thomson wrote:

One of our relays got 8500 name-guessing spams yesterday, up from an average of 2500 per day last week. So far today we have seen 6600, and the day isn't half over. If our MTA weren't checking recipients against our userlist, SA would be struggling to process these sudden "blasts" of spam.

The sending relays seem to be predominantly in Europe, and often make about a dozen tries in rapid succession. Here are the relays that sent name-guessing spams in a 2-minute period in the last hour:

I saw the same thing a few days ago too. We get dictionary attacks almost continuously but usually in quite low volume, as I have a bad RCPT throttle in place on sendmail; however, one afternoon a few days ago we had well over 200 separate IP addresses (presumably zombied machines) doing dictionary scans on us SIMULTANEOUSLY. As far as I am concerned this is a DDoS attack.


So even though sendmail was rate limiting SMTP RCPT commands to one per second, because there were over 200 simultaneous connections, there were over 200 non-existent addresses being checked per second :(

I actually had to increase the maximum simultaneous incoming connection limit as the dictionary scanning attack was consuming all incoming slots, preventing legitimate incoming connections...

Regards,
Simon
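
The situation described in this message, as an added example that is not part of the original post: every client stays within a one-per-second bad-RCPT limit, yet the aggregate rejection rate is 200 per second, so detection has to count sources per time window rather than per connection. The record format, function names, thresholds and addresses are all assumptions constructed for illustration; this is not sendmail's log format.

```python
from collections import defaultdict

def make_sample():
    """Constructed events: (epoch second, client IP, rejected recipient)."""
    events = []
    # 200 clients, each sending exactly one unknown-user RCPT per second for 10 s,
    # so every single connection obeys a one-per-second throttle.
    for sec in range(10):
        for host in range(200):
            events.append((1000 + sec, f"198.51.100.{host}",
                           f"guess{sec}x{host}@example.com"))
    # Ordinary low-volume background scanning from one client.
    for sec in range(0, 60, 20):
        events.append((2000 + sec, "203.0.113.7", f"name{sec}@example.com"))
    return events

def distributed_scans(events, window=10, per_ip_limit=1.0, min_sources=50):
    """Flag windows where no source exceeds the per-IP limit but many sources
    together produce a high aggregate rate of rejected recipients."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, _rcpt in events:
        buckets[ts // window * window][ip] += 1
    alerts = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        worst = max(per_ip.values()) / window      # busiest single source
        total = sum(per_ip.values()) / window      # all sources combined
        if len(per_ip) >= min_sources and worst <= per_ip_limit:
            alerts.append({"start": start, "sources": len(per_ip),
                           "worst_ip_per_sec": worst,
                           "aggregate_per_sec": total})
    return alerts

if __name__ == "__main__":
    for alert in distributed_scans(make_sample()):
        print(alert)
```
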


