1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2017
    Rep Power

    intermittent attacks to same non-existing user name

    I run a mail server for a few associates using heavily patched qmail. Over the past few months, I have noticed
    what appear to be periodic attacks of some sort in which hundreds of different IP addresses attempt to send
    emails to the same non-existing user at a rapid but so far not overwhelming rate.

    So far these occur around once or twice per month and last a few hours each time. While the user names
    change between attacks, they have remained the same for the duration of each attack and are pretty clearly
    made up user names (e.g. dfdfdf@mydomain.com or vcvcvc@mydomain.com).

    I use the validrcptto qmail patch to reject such attempts near the start of the SMTP transaction, and to this
    point I haven't noticed any real ill effects of these attacks beyond an annoyingly large number of rejected
    email messages cluttering my log files. However, I am uncertain what could be the motive for these attacks
    so wondering if there could be some potential vulnerability I have missed as well as curious whether others
    have been seeing similar activity.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2015
    Rep Power
    What you describe is usually a bot trying to exploit your server. Since those attempts are rejected by your mail server you are relatively safe, but I would recommend that you also configure your firewall to reject those IP addresses.
    Find the source IP address in the logs and and block them in your firewall.

IMN logo majestic logo threadwatch logo seochat tools logo