[Exim] FYI address probe seen

Author: John W Baxter
Date:  
To: exim-users
Subject: [Exim] FYI address probe seen
January 23 from 10:45 to 13:59 (USA Pacific time: 8 hours before GMT), we
saw (after the fact, darn it) an address probe at work. A few thousand
messages from
ip-pa-jtown-24-158-241-042.charterpa.com ([24.158.241.42....
(which ARIN says is assigned to Charter Communications in what appears to
be Johnstown (Jamestown?) PA, USA) [JNSTN-PA]. (No connections with the same
envelope sender/recipient pattern from elsewhere.)

Envelope sender computed from the test address...seemingly in a pattern like
okxxxx@???, where the variable number of x's is computed by
adjusting the address being probed. In the samples our support tech who
spotted this has seen, the adjustments were up or down one letter, but it's
more complex than that...I've sampled adjustments of just a little off from
half the alphabet, for two-letter local parts.

As it happens, we had some extra logging turned on for another reason, and
we saw lots of log entries like:
SMTP protocol error in "mail from: okau@???" ... sender already given.

So they were trying to change senders in mid message...something like


ehlo...
mail from: ...
rcpt to: ...
mail from: ...
rcpt to: ...
....
data
.....

[Seems like a dumb way to probe.]

Since for the moment we have recipient verification turned off, I don't
think they learned much (which may be why they went away).

They did exercise our machine nicely (and the machine they were connecting
to had 3 times the failure rate of its companion machine for the day).

We'll probably block the address as a matter of reflex...it will likely
never be used again for such purposes, though. It doesn't seem likely to
want to send us real mail, either.

--John

--
John Baxter   jwblist@???      Port Ludlow, WA, USA
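The probe session sketched above, and the log entries it leaves, as an added example (this is not code from Exim or from the original poster). The state machine below models the RFC 5321 rule the post relies on: a second MAIL FROM in one transaction is refused with 503 rather than silently replacing the sender, so a client that never sends RSET trips "sender already given" on every guess. The exact reply strings, the log line layout, the hostnames and the addresses are assumptions; the sample log lines are constructed.

```python
"""Mid-transaction MAIL FROM probe: a model of the SMTP side, and a detector
for the 'sender already given' log lines it leaves.  Added example; the
replies and the log format are assumptions, not Exim's own code or output."""
import re
from collections import defaultdict


class EnvelopeState:
    """Minimal SMTP envelope state machine.  A second MAIL FROM without RSET
    is a protocol error, as in Exim; recipient verification is off (as in
    the post), so any RCPT TO is accepted once a sender is known."""

    def __init__(self):
        self.greeted = False
        self.sender = None
        self.recipients = []

    @staticmethod
    def _addr(arg):
        # "from: okau@example.org" -> "okau@example.org"
        return arg.split(":", 1)[1].strip() if ":" in arg else arg

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            return "250 mail.example.org Hello"
        if not self.greeted:
            return "503 EHLO/HELO first"
        if verb == "MAIL":
            if self.sender is not None:
                return "503 sender already given"
            self.sender = self._addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 sender not yet given"
            self.recipients.append(self._addr(arg))
            return "250 Accepted"
        if verb == "RSET":
            self.sender, self.recipients = None, []
            return "250 Reset OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 valid RCPT command must precede DATA"
            return '354 Enter message, ending with "." on a line by itself'
        if verb == "QUIT":
            return "221 closing connection"
        return "500 unrecognized command"


# The probe session as reconstructed in the post (addresses are assumed):
# a second MAIL FROM with no RSET in between.
PROBE_SESSION = [
    "ehlo probe.example",
    "mail from: okau@example.org",
    "rcpt to: au@example.net",
    "mail from: okav@example.org",
    "rcpt to: av@example.net",
    "data",
]


def replay(commands):
    """Feed a command list to one EnvelopeState; returns (command, reply) pairs."""
    state = EnvelopeState()
    return [(cmd, state.command(cmd)) for cmd in commands]


# Constructed Exim-style log lines; the real format may differ in detail.
SAMPLE_LOG = """\
2004-01-23 10:46:10 SMTP protocol error in "mail from: okau@example.org" H=ip-pa-jtown-24-158-241-042.charterpa.com [24.158.241.42] sender already given
2004-01-23 10:46:11 SMTP protocol error in "mail from: okav@example.org" H=ip-pa-jtown-24-158-241-042.charterpa.com [24.158.241.42] sender already given
2004-01-23 10:46:11 SMTP protocol error in "mail from: okat@example.org" H=ip-pa-jtown-24-158-241-042.charterpa.com [24.158.241.42] sender already given
2004-01-23 10:46:12 SMTP protocol error in "mail from: okaw@example.org" H=ip-pa-jtown-24-158-241-042.charterpa.com [24.158.241.42] sender already given
2004-01-23 11:02:33 SMTP protocol error in "mail from: bob@example.com" H=mail.example.com [192.0.2.7] sender already given
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) SMTP protocol error in "mail from:\s*(?P<sender>[^"]*)" '
    r'H=(?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] sender already given$'
)


def find_probes(log_text, min_errors=3):
    """Group 'sender already given' errors by source IP.  A one-off client bug
    repeats one sender; a probe cycles through many, so require both a
    minimum error count and that many distinct envelope senders.
    Returns {ip: {"host": ..., "errors": n, "senders": [sorted addresses]}}."""
    per_ip = defaultdict(lambda: {"host": None, "errors": 0, "senders": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["host"] = m["host"]
        rec["errors"] += 1
        rec["senders"].add(m["sender"])
    return {
        ip: {"host": r["host"], "errors": r["errors"], "senders": sorted(r["senders"])}
        for ip, r in per_ip.items()
        if r["errors"] >= min_errors and len(r["senders"]) >= min_errors
    }


if __name__ == "__main__":
    for cmd, reply in replay(PROBE_SESSION):
        print(f"C: {cmd}\nS: {reply}")
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(f"suspect {ip} ({info['host']}): {info['errors']} errors, "
              f"{len(info['senders'])} distinct senders")
```

Replaying PROBE_SESSION shows why the probe learns nothing here even with recipient verification on: the second MAIL FROM gets 503 and the sender stays the first one, so the 250 on the second RCPT TO says nothing about the guessed address. The detector keys on volume plus sender variety per source IP, which separates a probe from a single misbehaving client that repeats one address.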