February 9th, 2017, 03:29 PM
intermittent attacks to same non-existing user name
I run a mail server for a few associates using heavily patched qmail. Over the past few months, I have noticed
what appear to be periodic attacks of some sort in which hundreds of different IP addresses attempt to send
emails to the same non-existing user at a rapid but so far not overwhelming rate.
So far these occur around once or twice per month and last a few hours each time. While the user names
change between attacks, they have remained the same for the duration of each attack and are pretty clearly
made up user names (e.g. firstname.lastname@example.org or email@example.com).
I use the validrcptto qmail patch to reject such attempts near the start of the SMTP transaction, and to this
point I haven't noticed any real ill effects of these attacks beyond an annoyingly large number of rejected
email messages cluttering my log files. However, I am uncertain what could be the motive for these attacks,
so I am wondering whether there could be some potential vulnerability I have missed, and I am also curious whether others
have been seeing similar activity.
February 26th, 2017, 09:23 AM
What you describe is usually a bot trying to exploit your server. Since those attempts are rejected by your mail server you are relatively safe, but I would recommend that you also configure your firewall to reject those IP addresses.
Find the source IP addresses in the logs and block them in your firewall.