These past few months, I've been getting an awful lot of bounce or delay messages, from unfamiliar hosts around the world, informing me of difficulty in delivering mail ostensibly from one or another of my addresses to, typically, one of the big free-email services.
I've been unsure whether these were actual bounces of spam on which my return address had been forged, or intentional reflectospam meant to be delivered to me disguised as bounce messages.
Either way, there must be a lot of misconfigured mail servers out there.
Well, lately my server log has been showing a lot of these:
2012-11-15 07:59:55 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 07:59:56 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 07:59:56 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 07:59:56 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 07:59:57 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
and
2012-11-15 08:27:10 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:10 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:10 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:11 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:11 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
So: a zombie horde is knocking on my mail server in search of an open relay, and using a different zombie machine each time to get around fail2ban and such.
Must be some new botnet I hadn't seen mentioned anywhere.
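As an added example (my code, not from the post), here is a Python pass over Exim-style log lines like the ones above that contrasts what a per-IP rule such as fail2ban would ban with the many-sources, one-account pattern described: the thresholds, the 198.51.100.x and 203.0.113.x attempts, and the queue-run line are constructed; the other lines are from the post.

```python
import re
from collections import defaultdict

# Exim-style authenticator failure line as quoted in the post; the reverse-DNS
# name before the HELO parentheses is optional, as the two excerpts show.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ authenticator failed for "
    r"(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: "
    r"535 .*\(set_id=(?P<user>[^)]*)\)$"
)

def parse_auth_failures(lines):
    """Yield (timestamp, source_ip, helo, attempted_user) per matching line."""
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["helo"], m["user"]

def per_ip_offenders(lines, threshold):
    """What a per-IP rule (fail2ban style) sees: IPs at or above threshold."""
    counts = defaultdict(int)
    for _ts, ip, _helo, _user in parse_auth_failures(lines):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_targets(lines, per_ip_ban, min_sources):
    """Accounts probed from >= min_sources IPs while every single IP stayed
    below per_ip_ban, i.e. the pattern a per-IP rule never triggers on."""
    by_user = defaultdict(lambda: defaultdict(int))
    for _ts, ip, _helo, user in parse_auth_failures(lines):
        by_user[user][ip] += 1
    return {user: sorted(ips) for user, ips in by_user.items()
            if len(ips) >= min_sources and max(ips.values()) < per_ip_ban}

# Constructed sample: lines from the post plus invented attempts from
# RFC 5737 documentation addresses and one unrelated log line.
SAMPLE_LOG = """\
2012-11-15 07:59:55 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 07:59:56 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [213.153.47.1]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 08:01:03 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [198.51.100.7]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 08:02:41 login_courier_authdaemon authenticator failed for ([192.168.2.33]) [203.0.113.9]: 535 Incorrect authentication data (set_id=cox)
2012-11-15 08:27:10 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:10 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:27:11 login_courier_authdaemon authenticator failed for 173-162-251-81-newengland.hfc.comcastbusiness.net ([192.168.2.33]) [173.162.251.81]: 535 Incorrect authentication data (set_id=dennis)
2012-11-15 08:30:00 Start queue run: pid=4242
"""
if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(per_ip_offenders(lines, 3), distributed_targets(lines, 3, 3))
```

With the sample, the per-IP rule bans only 173.162.251.81, while the account "cox" is reported as probed from three sources that each stayed under the ban threshold.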

I have observed the same behavior on our email server. This has spiked in the last couple days (11/14/12 and 11/15/12). We are located in Massachusetts.
Posted by: Tom Rupprecht | Thursday, 15 November 2012 at 09:21