Security Incidents mailing list archives
Re: FW: Postmaster notify: User unknown
From: RC <Robert () CUTTLE COM>
Date: Tue, 19 Dec 2000 15:33:40 -0500
Funny how these things come up, I received this today in my admin mailbox.

Exchange Server 5.5 sp3
NT 4.0 sp5

I'm currently reading Technet article on Exchange Relay, interesting.

Robert Cuttle

**********
The following recipients did not receive the attached mail. Reasons are listed with each recipient:

<mailrelay () aol net> mailrelay () aol net
MSEXCH:IMS:MLM:GR1:EXCHANGE 0 (000C05A6) Unknown Recipient

<mailrelay%aol.net () aol com> mailrelay%aol.net () aol com
MSEXCH:IMS:MLM:GR1:EXCHANGE 0 (000C05A6) Unknown Recipient

The message that caused this notification was:

SUBJECT: ORT:1:63.209.140.30:STD_RELAY|PCT_DOMAIN:1 63.209.140.30 is an open relay!!!!

----- Original Message -----
From: "Jim Roland" <jroland () ROLAND NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, December 19, 2000 14:15
Subject: Re: FW: Postmaster notify: User unknown

Not entirely odd. A frequent trick of spammers is to "test" a system first to see if it's an open relay. If it attempts to pass an email through an open relay (returning 550 errors for a domain that you're not a part of, and you're not authenticated on the mail server), then you have an open relay. Lock your system down before you see real traffic get relayed.

----- Original Message -----
From: "Nexus" <nexus () PATROL I-WAY CO UK>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, December 19, 2000 2:42 AM
Subject: Re: FW: Postmaster notify: User unknown

Hi folks,

Could be a brute force attempt to enumerate valid usernames, or maybe something silly like that - do you have the full, original SMTP header at all? i.e. they may have been playing with the reply to: field and the like. That would be very useful in trying to establish what has occurred. It is odd that you rec'd a bounced mail from a hotmail address.

Regards,
JJ

----- Original Message -----
From: "Paul Snedden" <psnedden () GBMLOGIC COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, December 19, 2000 1:14 AM
Subject: FW: Postmaster notify: User unknown

All,

This mail appeared in my Inbox last Friday morning. I present this unto you all for your evaluation and recommendation. I believe an intruder has accessed my email server for their own purposes. Am I correct?

-----Original Message-----
From: Mail Delivery Subsystem [mailto:MAILER-DAEMON () nsw gbmlogic com au]
Sent: Thursday, December 14, 2000 9:53 PM
To: postmaster () nsw gbmlogic com au
Subject: Postmaster notify: User unknown

The original message was received at Thu, 14 Dec 2000 21:53:06 +1100 from localhost

----- The following addresses had permanent fatal errors -----
<davidputty12 () hotmail com>

----- Transcript of session follows -----
... while talking to mc5.law5.hotmail.com.:
RCPT To:<davidputty12 () hotmail com>
<<< 550 Requested action not taken:user account inactive
550 <davidputty12 () hotmail com>... User unknown
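Added illustration, not part of any poster's message: a sketch of the RCPT-time check a locked-down server applies, run against the two probe recipients from the Exchange bounce above. The local domain `example.org`, the function names and the sample client IPs are assumptions made for the example.

```python
import re

# Assumption: the only domain this server accepts mail for (constructed value).
LOCAL_DOMAINS = {"example.org"}

# Local part may contain '@' so old-style source routes can be recognised below.
_ADDR = re.compile(r"^<?([^<>\s]+)@([^<>@\s]+?)\.?>?$")


def relay_decision(rcpt, authenticated, local_domains=LOCAL_DOMAINS):
    """Return (smtp_code, reason) for one RCPT TO on a non-relaying server."""
    m = _ADDR.match(rcpt.strip())
    if m is None:
        return 501, "malformed address"
    local_part, domain = m.group(1), m.group(2).lower()
    # user%remote.domain@host and remote!user@host hide the real destination
    # in the local part; refuse them even when the host part is ours.
    if any(ch in local_part for ch in "%!@"):
        return 550, "source-routed address refused"
    if domain in local_domains:
        return 250, "local recipient domain"
    if authenticated:
        return 250, "relay allowed for authenticated client"
    return 550, "relaying denied"


def refused_by_client(attempts):
    """Group refused recipients by client IP from (ip, authenticated, rcpt) tuples."""
    refused = {}
    for ip, authenticated, rcpt in attempts:
        code, reason = relay_decision(rcpt, authenticated)
        if code == 550:
            refused.setdefault(ip, []).append((rcpt, reason))
    return refused


# Constructed session data: the first two recipients are the addresses from the
# bounce above, the rest are made up; client IPs are documentation addresses.
SAMPLE = [
    ("192.0.2.10", False, "<mailrelay@aol.net>"),
    ("192.0.2.10", False, "<mailrelay%aol.net@aol.com>"),
    ("192.0.2.10", False, "<mailrelay%aol.net@example.org>"),
    ("198.51.100.7", False, "<postmaster@example.org>"),
    ("198.51.100.8", True, "<friend@aol.net>"),
]

if __name__ == "__main__":
    for ip, hits in refused_by_client(SAMPLE).items():
        print(ip, hits)
```

A client that collects several 550 refusals for foreign or percent-routed recipients in one session is the pattern worth alerting on in the SMTP log.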