Author: Alan J. Flavell
Date:
To: Exim users list
Subject: [Exim] Big increase in bounces addressed to non-existent addresses
On our departmental mailer, over recent months the number of bounces
(i.e. F=<> in the log) directed to non-existent addresses in our
domains has been typically around 600 per week. Then, a couple of
weeks back we saw 1000 and then 1600 in a week, but last week we
clocked up over 7600 of them, and this week the count is _already_
over 5500 and still rising.
So, it's risen by more than an order of magnitude.
Looking at a few of them, they seem to be coming from bona fide MTAs,
rather than from IPs with dubious provenance at the usual blacklist
registers. Many different sites are involved.
Are other sites seeing this same effect? What could be the cause?
Immediate thoughts are -
1. spam or other unwanted matter being sent to these bona fide sites
with counterfeited sender addresses, and the sites are now trying to
bounce the spam;
2. spam or other unwanted matter being offered to these bona fide
sites, and they're trying "callbacks" to verify the counterfeited
sender addresses prior to acceptance; (but is "callback" so widely
used?)
3. some new trick for doing address-list washing or dictionary
scanning, involving innocent bona fide third-party MTAs(?)
Since we're rejecting these at RCPT time, I've no way of
distinguishing between different scenarios.
(I'm not sure if it's coincidence or not that this is happening around
the same time as Sobig/E. But surely Sobig/E is counterfeiting valid
addresses as its sender, rather than inventing non-existent ones?)
Any thoughts please - more to the point, any counter-measures?
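One way to get the weekly F=<> tally described in the post, plus how many distinct hosts are sending the bounces, out of the Exim main log. This is an added example, not a script from the post or from the Exim project; it assumes the `H=host [ip] F=<sender> rejected RCPT <addr>: reason` shape of Exim 4 RCPT-time reject lines, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed shape of an Exim 4 main-log RCPT-time rejection line; verify against
# your own log (H= is written differently when reverse DNS fails, for instance).
REJECT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

# Constructed sample lines for this example (RFC 5737 addresses), not real log data.
SAMPLE_LOG = """\
2003-06-23 10:01:02 H=mx1.example.net [192.0.2.10] F=<> rejected RCPT <ghost1@dept.example.ac.uk>: Unrouteable address
2003-06-23 10:05:17 H=mx2.example.org [198.51.100.7] F=<> rejected RCPT <ghost2@dept.example.ac.uk>: Unrouteable address
2003-06-24 11:00:00 H=relay.example.com [203.0.113.5] F=<spammer@example.com> rejected RCPT <ghost3@dept.example.ac.uk>: Unrouteable address
2003-06-30 09:30:45 H=mx1.example.net [192.0.2.10] F=<> rejected RCPT <ghost4@dept.example.ac.uk>: Unrouteable address
2003-06-30 09:31:00 H=mx3.example.net [192.0.2.11] F=<> rejected RCPT <ghost5@dept.example.ac.uk>: Unrouteable address
2003-07-01 12:00:00 H=mx3.example.net [192.0.2.11] F=<> rejected RCPT <ghost6@dept.example.ac.uk>: Unrouteable address
"""

def parse_rejections(text):
    """Yield one dict per line that matches the assumed 'rejected RCPT' shape."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield m.groupdict()

def bounce_stats(text):
    """Per ISO week: null-sender (F=<>) rejections, distinct bouncing hosts (by IP),
    and rejections with a non-empty sender. Returns {(year, week): {...}}."""
    stats = defaultdict(lambda: {"bounces": 0, "hosts": set(), "other": 0})
    for rec in parse_rejections(text):
        y, m, d = map(int, rec["date"].split("-"))
        iso_year, iso_week, _ = date(y, m, d).isocalendar()
        bucket = stats[(iso_year, iso_week)]
        if rec["sender"] == "":  # empty envelope sender: a bounce / DSN
            bucket["bounces"] += 1
            bucket["hosts"].add(rec["ip"])
        else:
            bucket["other"] += 1
    return {k: {"bounces": v["bounces"], "hosts": len(v["hosts"]), "other": v["other"]}
            for k, v in stats.items()}

if __name__ == "__main__":
    for week, s in sorted(bounce_stats(SAMPLE_LOG).items()):
        print(f"{week[0]}-W{week[1]:02d}: {s['bounces']} bounces from {s['hosts']} hosts, {s['other']} other")
```

A week where the bounce count jumps while the distinct-host count also jumps points at many unrelated MTAs bouncing forged-sender mail (scenario 1), which is the distinction the post says cannot be made from the RCPT-time rejection alone.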