Strange email bombardment

 
 
Jeff Ward
01-28-2004, 09:45 PM
We have a Linux (Slackware 8.1) email server running Sendmail.
Beginning early this morning, emails have been coming in to all sorts
of different users that do not exist on the system. It looks like
somebody has a list of common names and is just sending crap out to
(some_name)@ourserver.edu. They seem to be originating from a few
different IP addresses. As soon as I have iptables filter out one
address, they start coming from another. They seem to be coming
once about every five minutes. Is this at all common? Should I be
worried about it, and is there something I can do to block these? I
am a bit new to email administration (if you can't tell).

-Jeff Ward
 
Antoine EMERIT
01-28-2004, 10:05 PM
Jeff Ward wrote:
> We have a Linux (Slackware 8.1) email server running Sendmail.
> Beginning early this morning, emails have been coming in to all sorts
> of different users that do not exist on the system. It looks like
> somebody has a list of common names and is just sending crap out to
> (some_name)@ourserver.edu.


Could you send a few message headers, please?

And more information on your mail server (domain name, daemon configuration
(aliases file, ...)).

> They seem to be originating from a few
> different IP addresses. As soon as I have iptables filter out one
> address, they start coming from another. They seem to be coming
> once about every five minutes. Is this at all common? Should I be
> worried about it, and is there something I can do to block these? I
> am a bit new to email administration (if you can't tell).


You may set up a default email alias and send this to /dev/null.

Aliases are usually defined in the /etc/aliases file, but I don't remember
how to set up a default alias with sendmail.


Regards
 
ynotssor
01-28-2004, 10:42 PM
"Jeff Ward" wrote in message:

> We have a Linux (Slackware 8.1) email server running Sendmail.
> Beginning early this morning, emails have been coming in to all sorts
> of different users that do not exist on the system. It looks like
> somebody has a list of common names and is just sending crap out to
> (some_name)@ourserver.edu. They seem to be originating from a few
> different IP addresses. As soon as I have iptables filter out one
> address, they start coming from another. They seem to be coming
> once about every five minutes. Is this at all common? Should I be
> worried about it, and is there something I can do to block these? I
> am a bit new to email administration (if you can't tell).


It's called a dictionary attack, searching for a valid address that is
allowed.

The default sendmail behaviour is to reject such unknown user emails. If
that is what is happening and you are merely seeing the log records
"dsn=5.1.1, stat=User unknown", then it's proof that things are working as
they should.

If you are accepting such emails and disposing of them using a mechanism
like "LUSER_RELAY", then you should probably re-assess your policy in such
matters if it is unacceptably consuming your bandwidth or otherwise
troubling your operation.


tony

--
use hotmail for any email replies
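
An added example, not part of any post in this thread: one way to confirm from the mail log that the probes are being rejected as "dsn=5.1.1, stat=User unknown", and to see which names are being tried even as the sending IP changes. The log lines are constructed in the usual sendmail syslog layout; the hosts, queue IDs and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the usual sendmail syslog layout; hosts, queue IDs and
# addresses are invented for this example (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan 28 06:00:01 mail sendmail[2101]: i0S601aa002101: from=<a@example.net>, size=22528, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Jan 28 06:00:02 mail sendmail[2102]: i0S601aa002101: to=<john@ourserver.edu>, delay=00:00:01, mailer=local, dsn=5.1.1, stat=User unknown
Jan 28 06:05:01 mail sendmail[2110]: i0S605bb002110: from=<b@example.net>, size=22530, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Jan 28 06:05:02 mail sendmail[2111]: i0S605bb002110: to=<mary@ourserver.edu>, delay=00:00:01, mailer=local, dsn=5.1.1, stat=User unknown
Jan 28 06:10:01 mail sendmail[2120]: i0S610cc002120: from=<c@example.com>, size=22529, nrcpts=1, proto=SMTP, daemon=MTA, relay=dsl.example.com [198.51.100.7]
Jan 28 06:10:02 mail sendmail[2121]: i0S610cc002120: to=<admin@ourserver.edu>, delay=00:00:01, mailer=local, dsn=5.1.1, stat=User unknown
Jan 28 06:12:01 mail sendmail[2130]: i0S612dd002130: from=<d@example.org>, size=1804, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [203.0.113.5]
Jan 28 06:12:02 mail sendmail[2131]: i0S612dd002130: to=<jward@ourserver.edu>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")
RELAY = re.compile(r"relay=(?:\S+ )?\[([0-9A-Fa-f.:]+)\]")
RCPT = re.compile(r"to=<?([^>,\s]+)>?")


def unknown_by_relay(log_text):
    """Map each connecting IP to the set of nonexistent recipients it tried."""
    relay_of, unknown = {}, defaultdict(set)
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, rest = entry.groups()  # queue ID ties the from= and to= records together
        relay, rcpt = RELAY.search(rest), RCPT.match(rest)
        if rest.startswith("from=") and relay:
            relay_of[qid] = relay.group(1)
        elif rcpt and "dsn=5.1.1" in rest and "User unknown" in rest:
            unknown[qid].add(rcpt.group(1).lower())
    result = defaultdict(set)
    for qid, rcpts in unknown.items():
        result[relay_of.get(qid, "unknown-relay")] |= rcpts
    return dict(result)


def probed_names(by_relay):
    """Local parts probed across all relays; survives the sender rotating IPs."""
    return sorted({addr.split("@")[0] for rcpts in by_relay.values() for addr in rcpts})


if __name__ == "__main__":
    for ip, rcpts in sorted(unknown_by_relay(SAMPLE_LOG).items()):
        print(ip, sorted(rcpts))
```
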



Patrick Cohan
01-28-2004, 10:51 PM
Your machine is probably being used as a relay for the current Microsoft `My
Doom' or `Novarg' virus. Check the root or base sender and see if there is a
common IP address. If you have any machines with a Windows OS, scan them...
always be aware of Microsoft make work projects, they have to keep their
certified paperboys employed.

Jeff Ward
01-29-2004, 03:42 AM


Well, I guess I should have done some more investigating before
posting. I got sendmail to re-route some of the messages so I could
read them. The messages all contain the MyDoom virus, so I suppose a
bunch of infected computers found my server somewhere. The usernames
that they are coming to are exactly the ones that the virus targets.

-Jeff Ward
 