Hi All,
I'm just wondering if it's a hacker targeting me, or a virus hitting
everyone - someone's using "broken" MTAs to "bounce" millions of
emails at all my servers for the last month or so.
I am guessing that this attack is mounted like this:
A) Perpetrator connects to any real mail server
B) Perpetrator fakes a MAIL FROM: an email address of my server (which
does not exist - and the pattern seems to be that they're choosing
a deliberately non-existent address: I don't know why). The mail
server chooses not to do SPF, so accepts this lie.
C) Perpetrator sends a RCPT TO: an email address on the real mail
server (which deliberately does not exist I expect)
D) The real "misconfigured" mail server somehow accepts this email
(my guess is that they're trying to prevent dictionary attacks?)
E) That mail server then originates a "bounce" for this faked email
back to my server. Thousands of different legitimate mail servers
are doing this, so my mail servers get swamped by crap that's
impossible for me to firewall or block (because it's a real
legitimate mail server "attacking" me). It's also impossible to
reliably (or at all) work out the IP address of the attacker.
Kind Regards,
Chris Drake
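The five steps above, modelled as an added example (this is not code from the original post). It shows why step D is the misconfiguration: a relay that answers 250 at RCPT TO for a user it does not have must later originate a DSN to the forged MAIL FROM address, from its own IP, whereas a relay that answers 550 at RCPT TO generates nothing. It also shows the one cheap check the victim has: because the forged sender addresses do not exist, the bounces can be refused at the victim's own RCPT TO stage. All domains, addresses, IPs and the `Mta`/`Envelope` classes are constructed for illustration.

```python
"""Model of the backscatter ("bounce spam") exchange described in the post.

Added illustration, not code from the original post. Domains, addresses and
IPs are made up; the two relay policies (accept-then-bounce versus
reject-at-RCPT) are the point being demonstrated.
"""
from dataclasses import dataclass, field


@dataclass
class Envelope:
    """SMTP envelope plus the IP of whoever opened the connection."""
    connecting_ip: str
    mail_from: str      # "" models the null sender MAIL FROM:<> used by bounces
    rcpt_to: str


@dataclass
class Mta:
    domain: str
    users: set
    reject_unknown_rcpt: bool          # True: 550 at RCPT TO, so never a bounce
    delivered: list = field(default_factory=list)
    bounces_out: list = field(default_factory=list)   # DSNs this MTA originates
    rejects: int = 0

    def rcpt(self, env: Envelope) -> str:
        """Handle RCPT TO. A 250 here means the server takes responsibility
        for the message, which is what forces a bounce later."""
        local, _, domain = env.rcpt_to.partition("@")
        if domain != self.domain:
            self.rejects += 1
            return "550 5.7.1 relaying denied"
        if local not in self.users and self.reject_unknown_rcpt:
            self.rejects += 1
            return "550 5.1.1 user unknown"
        return "250 2.1.5 OK"

    def data(self, env: Envelope) -> None:
        """After a 250 at RCPT the message was accepted. If the user does not
        exist, the only option left is a DSN to the (forged) MAIL FROM,
        sent from *this* server's own IP, not the attacker's."""
        local = env.rcpt_to.partition("@")[0]
        if local in self.users:
            self.delivered.append(env)
            return
        if env.mail_from == "":
            return   # never bounce a bounce: the null sender has no return path
        self.bounces_out.append(Envelope(
            connecting_ip=f"ip-of-{self.domain}",
            mail_from="",
            rcpt_to=env.mail_from,
        ))


def send(mta: Mta, env: Envelope) -> str:
    """One SMTP transaction: RCPT, then DATA only if RCPT was accepted."""
    reply = mta.rcpt(env)
    if reply.startswith("250"):
        mta.data(env)
    return reply


def run_attack(relays, victim: Mta, forged_sender: str, messages: int):
    """Attacker pushes `messages` mails through every relay, each forged to
    come from `forged_sender` (a non-existent user on the victim) and
    addressed to a non-existent user on the relay. Returns, for every DSN
    that reached the victim, (source IP seen by victim, victim's reply)."""
    attacker_ip = "203.0.113.66"     # constructed; never visible to the victim
    replies = []
    for relay in relays:
        for i in range(messages):
            send(relay, Envelope(attacker_ip, forged_sender,
                                 f"nobody{i}@{relay.domain}"))
        queued, relay.bounces_out = relay.bounces_out[:], []
        for dsn in queued:
            replies.append((dsn.connecting_ip, send(victim, dsn)))
    return replies


if __name__ == "__main__":
    victim = Mta("victim.example", {"chris"}, reject_unknown_rcpt=True)
    relays = [
        Mta("broken.example", {"alice"}, reject_unknown_rcpt=False),
        Mta("sane.example", {"bob"}, reject_unknown_rcpt=True),
    ]
    for src_ip, reply in run_attack(relays, victim, "qx7z@victim.example", 3):
        print(f"bounce from {src_ip}: victim replied {reply}")
```

Running it shows three bounces, all from `ip-of-broken.example` and none from the attacker's IP, while the reject-at-RCPT relay produces none; the victim refuses each bounce with 550 because the forged local part does not exist, but it still has to service the connection, which is why the volume rather than the content is the problem.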