The last few nights we've been getting attacked by someone who will send a message to random names@ourdomain.com on both our mail servers. Here's an example snip of the log; this is repeated with each attack, from different IPs, about 10 times a night.
Dec 18 20:21:29 mail sendmail[4089]: gBJ1LS904089: <marketing@ourdomain.com>... User unknown
Dec 18 20:21:30 mail sendmail[4089]: gBJ1LS904089: <nick@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <don@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <andy@ourdomain.com>... User unknown
Dec 18 20:21:32 mail sendmail[4089]: gBJ1LS904089: <rich@ourdomain.com>... User unknown
Dec 18 20:21:33 mail sendmail[4089]: gBJ1LS904089: <sam@ourdomain.com>... User unknown
Dec 18 20:21:34 mail sendmail[4089]: gBJ1LS904089: <ron@ourdomain.com>... User unknown
Dec 18 20:21:35 mail sendmail[4089]: gBJ1LS904089: <james@ourdomain.com>... User unknown
Dec 18 20:21:36 mail sendmail[4089]: gBJ1LS904089: <doug@ourdomain.com>... User unknown
Dec 18 20:21:37 mail sendmail[4089]: gBJ1LS904089: <ken@ourdomain.com>... User unknown
Dec 18 20:21:37 mail sendmail[4089]: gBJ1LS904089: <randy@ourdomain.com>... User unknown
Dec 18 20:21:38 mail sendmail[4089]: gBJ1LS904089: <fred@ourdomain.com>... User unknown
Dec 18 20:21:40 mail sendmail[4089]: gBJ1LS904089: <phil@ourdomain.com>... User unknown
Dec 18 20:21:40 mail sendmail[4089]: gBJ1LS904089: <6aadL5769I33410d@ourdomain.com>... User unknown
Dec 18 20:21:41 mail sendmail[4089]: gBJ1LS904089: <alan@ourdomain.com>... User unknown
Dec 18 20:21:42 mail sendmail[4089]: gBJ1LS904089: <lee@ourdomain.com>... User unknown
Dec 18 20:21:43 mail sendmail[4089]: gBJ1LS904089: <contact@ourdomain.com>... User unknown
Dec 18 20:21:44 mail sendmail[4089]: gBJ1LS904089: <larry@ourdomain.com>... User unknown
Dec 18 20:21:44 mail sendmail[4089]: gBJ1LS904089: <pete@ourdomain.com>... User unknown
Dec 18 20:21:45 mail sendmail[4089]: gBJ1LS904089: <craig@ourdomain.com>... User unknown
Dec 18 20:21:46 mail sendmail[4089]: gBJ1LS904089: <matt@ourdomain.com>... User unknown
Dec 18 20:21:46 mail sendmail[4089]: gBJ1LS904089: <jack@ourdomain.com>... User unknown
Dec 18 20:21:47 mail sendmail[4089]: gBJ1LS904089: <chuck@ourdomain.com>... User unknown
Dec 18 20:21:48 mail sendmail[4089]: gBJ1LS904089: from=<rdkwate3@yahoo.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=80-24-153-96.uc.nombres.ttd.es [80.24.153.96]
Is there some way, after x errors in a connection, to drop the connection, or even better, if there are too many errors, to call an external program, i.e. a script that will add that IP to the firewall's blocked IP list?
And, just a suggestion to those who have 'catchall' addresses on their domains: you might want to rethink that, since if I'd had one, every one of these messages would've gone through to that address :|
Thanks,
Todd
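One way to do the log-watching half of what the post asks for, as an added example that is not from the original thread: sendmail logs each rejected RCPT under the queue id and only logs the from= line (which carries the relay IP) at the end of the transaction, so the script joins the two by queue id, counts unknown recipients per transaction, and emits firewall rules for IPs over a threshold. The sample log is constructed from the post's lines plus one invented benign transaction (queue id gBJ1P2904101, relay 192.0.2.10), and the threshold of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sendmail lines in the post; the second
# transaction (queue id gBJ1P2904101, relay 192.0.2.10) is invented for contrast.
SAMPLE_LOG = """\
Dec 18 20:21:29 mail sendmail[4089]: gBJ1LS904089: <marketing@ourdomain.com>... User unknown
Dec 18 20:21:30 mail sendmail[4089]: gBJ1LS904089: <nick@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <don@ourdomain.com>... User unknown
Dec 18 20:21:32 mail sendmail[4089]: gBJ1LS904089: <andy@ourdomain.com>... User unknown
Dec 18 20:21:48 mail sendmail[4089]: gBJ1LS904089: from=<rdkwate3@yahoo.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=80-24-153-96.uc.nombres.ttd.es [80.24.153.96]
Dec 18 20:25:02 mail sendmail[4101]: gBJ1P2904101: <bob@ourdomain.com>... User unknown
Dec 18 20:25:03 mail sendmail[4101]: gBJ1P2904101: from=<alice@example.net>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
"""

# Rejected recipients are logged one per line under the queue id; the relay IP
# only appears on the from= line written at the end of the transaction.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): <[^>]*>\.\.\. User unknown$")
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>.*relay=\S* \[(?P<ip>[\d.]+)\]")

def count_bad_rcpts(log_text):
    """Return {relay_ip: highest unknown-recipient count seen in one transaction}."""
    per_qid = defaultdict(int)      # queue id -> unknown recipients so far
    worst_per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            per_qid[m.group("qid")] += 1
            continue
        m = FROM_RE.search(line)
        if m:  # transaction closed: attribute its count to the relay IP
            qid, ip = m.group("qid"), m.group("ip")
            worst_per_ip[ip] = max(worst_per_ip[ip], per_qid.pop(qid, 0))
    return dict(worst_per_ip)

def suspects(log_text, threshold=3):
    """IPs that hit `threshold` or more unknown recipients in a single transaction."""
    return sorted(ip for ip, n in count_bad_rcpts(log_text).items() if n >= threshold)

def block_commands(ips):
    """Firewall rules for the flagged IPs, limited to port 25 so other traffic is untouched."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

if __name__ == "__main__":
    for cmd in block_commands(suspects(SAMPLE_LOG)):
        print(cmd)   # review the rules before piping them into sh
```

Run it against /var/log/maillog from a cron job or a log tailer; a transaction that is dropped before its from= line is logged is never attributed to an IP, so set the threshold against your own legitimate bounce rate rather than at 1.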