Under attack

It started this afternoon, a huge distributed dictionary spam attack. I’m seeing lots of computers trying to send email to random email addresses on my server:


postfix/smtpd[16754]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 warchief2005@....com: Recipient address rejected
postfix/smtpd[16997]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 Letitia-votera@....com: Recipient address rejected
postfix/smtpd[16754]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 4.1.1 waterzon1995@....com: Recipient address rejected

All of these mails (50.000 of them, despite adaptive firewalling) go to the same domain, so it must be coordinated somewhere. I’m using fail2ban, which keeps my system relatively stress-free (load still smaller than 0.5). To give a sense of scale: on average, there’s around 60 hosts blocked by fail2ban. Bans last for 10 minutes, so that’s quite a lot of hosts targeting my server.

Anyone seen similar stuff happening?

Posted: June 3, 2009 00:08

Comments