Autor: Alan J. Flavell Data: A: Exim users list Assumpte: [Exim] Re: Big increase in bounces addressed to non-existent addresses
On Tue, 1 Jul 2003, I previously wrote:
> On our departmental mailer, over recent months the numbers of bounces
> (i.e F=<> in the log) directed to non-existent addresses in our
> domains has been typically around 600 per week. Then, a couple of
> weeks back we saw 1000 and then 1600 in a week, but last week we
> clocked up over 7600 of them, and this week the count is _already_
> over 5500 and still rising.
Well, by the end of last week, the counter had reached almost 12,000,
which is quite a growth from a normal baseline week of around 600.
Every day last week registered well over a thousand - one day it was
three thousand.
The overwhelming pattern of these addresses was a plausible name -
sometimes with underscores - followed by a two-letter suffix, such as
clarencehastingsqi or sheridan_vo or rgainesgk or jordanpowerskc, none
of which seemed to have any relevance to our users. This pattern of
non-existent addresses seemed to be exclusive to one of the domains
which our mailer serves: the relatively normal level of non-existent
addresses on the other domains still showed much the pattern that they
usually do.
Over the course of the last day and a half, however, we've clocked-up
no more than about 600 hits for bounces to unknown users. So whatever
the cause was, it seems be subsiding now. Perhaps the perps have gone
on holiday as of 4th July (there might be a significant message in
that).
TJW said:
|Add aliases for a couple of those non-existant addresses to your
|mailbox and take a look.
|
|My suspicion is:
|
|4. Infected emails forged with non-existant senders at your site
|bouncing off of another site's AV filters.
I'm sorry to say that - as the non-existent addresses didn't seem to
be repeating - that didn't help; then I was diverted by other
issues and didn't get to try anything else till the weekend.
By then I had learned (courtesy of the FAQ) how to add a router
definition to catch all unknown addresses in the affected domain, and
divert them to me for inspection. I did that for a short period of
time.
However, by then (as you see from my remarks above) the flood had
really abated. But I _did_ catch one which matched the pattern, and a
quick comparison with n.a.n-a.sightings shows that I've hit the spot.
It's the dreaded "get bigger private parts" spam. I'm sorry I hadn't
realised that sooner!
Anyhow, what had been in my mind when I first spotted this, and why I
decided to raise it as a question, was that I was worried that someone
had found a new way to perform dictionary scanning or address-list
laundering via innocent third-parties.
Thanks for the useful comments, regardless of the outcome :-}