It started this afternoon, a huge distributed dictionary spam attack. I’m seeing lots of computers trying to send email to random email addresses on my server:
postfix/smtpd[16754]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 warchief2005@....com: Recipient address rejected
postfix/smtpd[16997]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 Letitia-votera@....com: Recipient address rejected
postfix/smtpd[16754]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 waterzon1995@....com: Recipient address rejected
All of these mails (50,000 of them, despite adaptive firewalling) go to the same domain, so it must be coordinated somewhere. I’m using fail2ban, which keeps my system relatively stress-free (load still smaller than 0.5). To give a sense of scale: on average, there are around 60 hosts blocked by fail2ban. Bans last for 10 minutes, so that’s quite a lot of hosts targeting my server.
Anyone seen similar stuff happening?

At least properly reject them… stuff like:
unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
These are most likely bounces for spam some botnet is sending with random@yourdomain return addresses. Thus the hosts you are banning are likely legitimate, but relatively unprotected mail servers.
“Attack” is probably not an accurate description. It’s just regular fare for botnets with huge lists of domains to crap over. Usually at random.
Oh, thanks for pointing that out, bkor! Turns out I still had soft_bounce enabled from when I was testing my new spam setup a few weeks ago.
Yanko: That makes sense. The internet is such a pile of dirt :-)
This is a perfect example of why a greytrap (like OpenBSD’s spamd) is good to sit in front of your actual MTA.
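As an added example (not code from anyone in this thread), here is a small Python script that runs the two checks the replies above suggest over postfix smtpd reject lines: it counts rejections per client IP and per recipient domain, counts how many were answered with a 4xx code (the symptom of soft_bounce or a 4xx unknown_*_reject_code, which makes the remote server queue and retry), and counts how many arrived with an empty envelope sender (from=<>), which is what bounces look like and is what you would expect if the traffic is backscatter from forged return addresses. The sample log lines are constructed for the example, with RFC 5737 documentation addresses and invented mailboxes; the regex also accepts the shortened form quoted in the post, without the from=/to= tail.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the post (IPs and mailboxes invented).
SAMPLE_LOG = """\
Mar  3 14:02:11 mx postfix/smtpd[16754]: connect from unknown[192.0.2.10]
Mar  3 14:02:11 mx postfix/smtpd[16754]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <warchief2005@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<warchief2005@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 14:02:12 mx postfix/smtpd[16997]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 4.1.1 <Letitia-votera@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<Letitia-votera@example.com> proto=ESMTP helo=<mail.example.org>
Mar  3 14:02:13 mx postfix/smtpd[16754]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <waterzon1995@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<waterzon1995@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 14:02:14 mx postfix/smtpd[17003]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<nobody@example.com> proto=ESMTP helo=<pc.example.net>
"""

# Matches "NOQUEUE: reject: RCPT from host[ip]: CODE D.S.N <rcpt>: Recipient address rejected ...".
# The angle brackets around the recipient and the trailing "from=<...>" are optional, so the
# shortened lines quoted in the post parse too (sender is then None).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <?(?P<rcpt>[^>\s:]+)>?: Recipient address rejected"
    r"(?:.*?from=<(?P<sender>[^>]*)>)?"
)


def parse_rejects(log_text):
    """Return one dict per unknown-recipient rejection found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate rejections by client IP, recipient domain, reply class and null sender."""
    by_ip = Counter(e["ip"] for e in events)
    by_domain = Counter(e["rcpt"].rpartition("@")[2].lower() for e in events)
    return {
        "total": len(events),
        "by_ip": by_ip,
        "by_domain": by_domain,
        # 4xx tells the remote MTA to queue and retry; 5xx makes it give up.
        "tempfail": sum(1 for e in events if e["code"].startswith("4")),
        "permfail": sum(1 for e in events if e["code"].startswith("5")),
        # from=<> is the null envelope sender used by bounces (backscatter).
        "null_sender": sum(1 for e in events if e["sender"] == ""),
    }


def findings(summary):
    """Turn the summary into the observations a mail admin would act on."""
    notes = []
    if summary["tempfail"]:
        notes.append(
            f'{summary["tempfail"]} of {summary["total"]} rejections used a 4xx code: '
            "senders will queue and retry the same addresses; check soft_bounce and the "
            "unknown_*_reject_code settings so unknown recipients get 550."
        )
    if summary["null_sender"]:
        notes.append(
            f'{summary["null_sender"]} rejections had an empty envelope sender (from=<>), '
            "i.e. they are bounces, consistent with backscatter from forged return addresses."
        )
    if summary["by_domain"]:
        domain, n = summary["by_domain"].most_common(1)[0]
        notes.append(f"{n} of {summary['total']} rejected recipients were in {domain}.")
    return notes


if __name__ == "__main__":
    s = summarize(parse_rejects(SAMPLE_LOG))
    for ip, n in s["by_ip"].most_common():
        print(f"{n:6d}  {ip}")
    for note in findings(s):
        print("-", note)
```

Run it against a real log with `summarize(parse_rejects(open("/var/log/mail.log").read()))`; the per-IP counter is the same data fail2ban is acting on, and the null-sender count is the quickest way to tell backscatter from a genuine recipient-harvesting run.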