This looks like a "dictionary attack". The concept is that a spammer will attempt to send the message to nearly random addresses from a list (dictionary) of probable names/addresses.
In practice (lately) they don't pay much attention to which ones get delivered and which ones don't, but there are some who will track those messages that actually do get delivered and then add those to lists for sale. There's nothing you can really do about this... though it is an opportunity to set up spam traps if you're interested in that. Hope this helps, _M |-----Original Message----- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of Ron Hiller |Sent: Friday, November 28, 2003 2:50 PM |To: [EMAIL PROTECTED] |Subject: RE: [IMail Forum] loads of mail in spool | | |A new discovery. I have gone through the SMTP logs and there |are many occurrances of invalid addresses. The odd thing is |that they all contain our domain, but here is the funny thing. | The usernames all appear to be either first names, last names |concatinations of the two or misspelled usernames of people |who exist on either our IMail server or our Exchange server. |Could there be a virus at work here or some kind of attack? |It all seems very weird. | |Any suggestions or ideas? | |-----Original Message----- |From: R. Scott Perry [mailto:[EMAIL PROTECTED] |Sent: November 28, 2003 12:18 PM |To: [EMAIL PROTECTED] |Subject: RE: [IMail Forum] loads of mail in spool | | | |>I am having the same problem too. They all seem to be undeliverable |>and |>IMail does not know what to do with them anymore. This just |happened out |>of the blue. |>Received: from excalibur.TTPGroup.com [172.16.40.30] by |>excalibur.techprt.co.uk |> (SMTPD32-8.00) id AB595330188; Thu, 27 Nov 2003 00:54:49 +0000 |>Received: FROM excalibur.techprt.co.uk BY |excalibur.TTPGroup.com ; Thu Nov |>27 00:54:49 2003 0000 |>Received: from excalibur.TTPGroup.com [172.16.40.30] by |>excalibur.techprt.co.uk |> (SMTPD32-8.00) id AB595320188; Thu, 27 Nov 2003 00:54:49 +0000 |>Received: FROM excalibur.techprt.co.uk BY |excalibur.TTPGroup.com ; Thu Nov |>27 00:54:48 2003 0000 | |Here, WebShield sends an E-mail to IMail, IMail sends it to |WebShield, and |so on. | |It seems that the problem may be related to the fact that nasty 'old |WebShield (which, BTW, is friendly to spammers, automatically |hiding all |information about them from the headers!) claims to be |excalibur.TTPGroup.com. I'm guessing that it is sending E-mail to |"[EMAIL PROTECTED]", which isn't valid. | |You'll need to look at the IMail SMTP log file entries to see what is |happening. If you don't understand them, you can post them |here, and we |can help. | | | | -Scott |--- |Declude JunkMail: The advanced anti-spam solution for IMail |mailservers. Declude Virus: Catches known viruses and is the |leader in mailserver |vulnerability detection. |Find out what you've been missing: Ask about our free 30-day |evaluation. | |--- |[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
