Sounds like the AUTH-FAIL attack, which we have seen operating on Windows machines, e.g. mailcracker.exe.

Several RBLs are dedicated to reporting on these. Sometimes the attack engine is not properly configured, and you get stuff like this, but of course more information is needed.

This could be another script kiddie attack.

Was it distributed IP(s), a single IP, ...?

Again, it helps when asking about attacks to provide a little more log information.

(Check the IP against SpamRats, SpamHaus etc.)



On 15-10-21 08:31 AM, eric-l...@truenet.com wrote:
I don't know if this is possible with milter, but could you set up a block
rule that logs IPs for a deny afterwards?
I.e., sort of like a greylist but the opposite effect.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Lou Katz
Sent: Tuesday, October 20, 2015 3:29 PM
To: mailop@mailop.org
Subject: [mailop] Odd attack experienced

Today I was hit with an attack from multiple sources:
(over 32,000 in the log. I run sendmail)

        mail from: <>
        rcpt to: <firsname.lastname@>
        rset

over and over. Notice the missing hostname.

Anyone have any clever (or stupid) ways to stop this?
Anyone seen it before and/or know what its real purpose is?


Feh



_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
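
An added example, not part of any message in this thread: one way to pull the repeating `mail from: <>` / `rcpt to: <user@>` / `rset` cycle out of a command log, count it per client IP, and answer the "distributed or single IP" question before deciding what to deny. The one-line-per-command input format, the function names and the threshold are assumptions made for illustration; this is not sendmail's log layout or a milter API.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, one "client-ip SMTP-command" per line. Assumed simplified
# format for illustration; it is not sendmail's own log layout.
SAMPLE = """\
203.0.113.5 MAIL FROM:<>
198.51.100.7 MAIL FROM:<>
203.0.113.5 RCPT TO:<firstname.lastname@>
198.51.100.7 RCPT TO:<firstname.lastname@>
203.0.113.5 RSET
198.51.100.7 RSET
192.0.2.10 MAIL FROM:<>
192.0.2.10 RCPT TO:<postmaster@example.org>
192.0.2.10 DATA
203.0.113.5 MAIL FROM:<>
203.0.113.5 RCPT TO:<firstname.lastname@>
203.0.113.5 RSET
""".splitlines()

NULL_SENDER = re.compile(r"MAIL FROM:\s*<>\s*$", re.I)
NO_HOST_RCPT = re.compile(r"RCPT TO:\s*<[^@<>\s]+@>\s*$", re.I)
RSET = re.compile(r"RSET\s*$", re.I)

def count_cycles(lines):
    """Count completed MAIL FROM:<> / RCPT TO:<user@> / RSET cycles per client IP."""
    step = defaultdict(int)  # ip -> progress through the three-command pattern
    hits = Counter()
    for line in lines:
        ip, _, cmd = line.strip().partition(" ")
        if NULL_SENDER.match(cmd):
            step[ip] = 1          # a null sender alone is normal (bounces)
        elif step[ip] == 1 and NO_HOST_RCPT.match(cmd):
            step[ip] = 2          # recipient with no hostname after the @
        elif step[ip] == 2 and RSET.match(cmd):
            hits[ip] += 1         # full cycle seen
            step[ip] = 0
        else:
            step[ip] = 0          # anything else breaks the pattern
    return hits

def deny_candidates(hits, threshold=2):
    """IPs that completed at least `threshold` cycles: log first, deny afterwards."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def top_share(hits):
    """Fraction of all cycles from the busiest IP (near 1.0 = single source)."""
    total = sum(hits.values())
    return max(hits.values()) / total if total else 0.0
```

The `192.0.2.10` session in the sample uses a null sender with a complete recipient address and is not counted, since that is what an ordinary bounce looks like.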