Dictionary attack

Update January 10, 2006:
I didn’t want to believe it, but that domain is still receiving thousands of e-mails, even after I disabled catch all and reject unknown addresses. Either it’s a dictionary attack still going strong, or the spammers think they found legitimate addresses. Looks like the latter, because I find the same addresses in just about every stats report going back to December 17!!!

—————

My current job involves taking care of three mailservers. I inherited some. I’m happy to say two of those are gone, and the third will be OK once I’ve made some modifications. My two new ones are running open source all the way. With that comes really good logs (the old ones had atrocious logs).

Anyway, one of the domains on our servers is currently under a dictionary attack. This has been going on before, during and after the migration. The oldest dated message I’ve seen is from December 15, and it’s still going on. This is for a domain that has 6 human users, a few forwarders and company accounts.

With the earlier servers, it was catch all on the two front machines, and then bounce for non-existent users on the mailbox servers. Now, since the new servers, I reject mail for non-existing users for most of the domains we serve. That means my server doesn’t waste resources on a message past giving the sending server a 550. No spam or virus checking on thousands of rejected messages, means my server runs much lighter.

I thought I’d give you the benefit of my curiosity, and give you my research on this particular spam run.

Basically, I hardly see the same IP number twice. And I have a hard time finding any of them on blocklists.
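As an added illustration (not code from the original post), the pattern described in the two paragraphs above, unknown-user 550 rejections spread over many distinct client IPs, can be picked out of the MTA logs. The log lines and their Postfix-style format are constructed assumptions, since the post names neither its MTA nor shows its logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd "NOQUEUE: reject" style (an
# assumption: the post names neither its MTA nor its log format).
SAMPLE_LOG = """\
Dec 17 03:12:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:12:04 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:12:09 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <abe@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:12:15 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:12:21 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.3]: 550 5.1.1 <adrian@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:12:30 mx1 postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[192.0.2.140]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:13:02 mx1 postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.250]: 550 5.1.1 <sales@example.net>: Recipient address rejected: User unknown in local recipient table
Dec 17 03:14:45 mx1 postfix/smtpd[2108]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.250]: 550 5.1.1 <sales@example.net>: Recipient address rejected: User unknown in local recipient table
"""

REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 [\d.]+ <(?P<local>[^@>]+)@(?P<domain>[^>]+)>:"
    r" Recipient address rejected: User unknown"
)

def parse_rejects(log_text):
    """Yield (client_ip, local_part, domain) for each unknown-user 550 line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("local"), m.group("domain")

def dictionary_attack_report(log_text, min_attempts=5, min_ip_spread=0.8):
    """Per recipient domain: unknown-user rejections, distinct guessed local
    parts, distinct client IPs. Flag a domain when rejections are frequent and
    nearly every attempt comes from a different IP (the post's observation)."""
    per_domain = defaultdict(lambda: {"attempts": 0, "locals": set(), "ips": set()})
    for ip, local, domain in parse_rejects(log_text):
        d = per_domain[domain]
        d["attempts"] += 1
        d["locals"].add(local)
        d["ips"].add(ip)
    report = {}
    for domain, d in per_domain.items():
        spread = len(d["ips"]) / d["attempts"]  # 1.0 = no IP seen twice
        report[domain] = {
            "attempts": d["attempts"],
            "distinct_recipients": len(d["locals"]),
            "distinct_ips": len(d["ips"]),
            "ip_spread": round(spread, 2),
            "dictionary_attack": d["attempts"] >= min_attempts and spread >= min_ip_spread,
        }
    return report
```

A repeated sender retrying one bad address (example.net above) has low IP spread and stays unflagged; the alphabetical run of guessed names against example.org does not.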

Although this is a dictionary attack, I doubt the spammers are using their own e-mail addresses to look for bounces. I think those belong to innocent third parties. Probably domains configured with catch all, and non-existing users.

Each and every mail I looked at (which was a small cross section) was different. Many looked very similar. But the links in each were different.

Each domain pinged the same IP number:
221.7.209.69
See Spamhaus records:
SBL35655 (same MO as my spammer, judging from the sample e-mail)
SBL35677

And had the same dns servers:
ns0.morreser.com (NMC102-BMN-HST)
ns0.orredecte.com (NOC40-BMN-HST)

And get this, the sites were all operational!

Whois info was different for virtually all domains. I have no doubt they’re fake. Registrars were different as well.

I have no idea what they plan to achieve by using a dictionary attack against a domain with that few users. It seems incredibly wasteful.

Read this account on Cotse, from a guy who’s been doing some thinking after having been subjected to dictionary attacks.
