[unisog] "fbi.com" near-attack

Joseph Brennan brennan at columbia.edu
Tue Jul 13 13:33:20 GMT 2004


>From 10:36 to 10:39 -0400 yesterday we saw a coordinated set of
340 smtp connections from 119 scattered IP addresses all claiming
to be from random string @fbi.com.  They said they had up to 1000
recipients each (many were exactly 1000) but they did not send
mail.  Sendmail logged them as "lost input channel ...  after rcpt".

This could have been a serious attack had they really sent mail.

There is a domain called fbi.com but this of course might be
unrelated to them.

Did anyone else see this or should we feel special?

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York




Here's just over a second of syslog on one host:


syslog.tepin.gz:Jul 12 10:39:23 tepin sm-mta[12410]:
[ID 801593 mail.info] i6CEc333012410: from=<ocifnfqi at fbi.com>,
size=0, class=0,
nrcpts=400, proto=SMTP, daemon=MTA-v4,
relay=chello062178064059.22.11.vie.surfer.at [62.178.64.59]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[11584]:
[ID 801593 mail.info] i6CEYLVx011584: from=<wqjwiivm at fbi.com>,
size=0, class=0,
nrcpts=620, proto=SMTP, daemon=MTA-v4,
relay=h000cf18a05d9.ne.client2.attbi.com [24.131.154.23]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12307]:
[ID 801593 mail.info] i6CEbR1Y012307: from=<gvyimhxu at fbi.com>,
size=0, class=0,
nrcpts=300, proto=SMTP, daemon=MTA-v4,
relay=12-222-33-59.client.insightBB.com [12.222.33.59]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12325]:
[ID 801593 mail.info] i6CEbchi012325: from=<xvbjruva at fbi.com>,
size=0, class=0,
nrcpts=580, proto=SMTP, daemon=MTA-v4,
relay=24-151-171-188.chartertn.net [24.151.171.188]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12375]:
[ID 801593 mail.info] i6CEc2qa012375: from=<kkmfbfth at fbi.com>,
size=0, class=0,
nrcpts=110, proto=SMTP, daemon=MTA-v4,
relay=[193.86.226.237]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12450]:
[ID 801593 mail.info] i6CEcH0e012450: from=<einkahqb at fbi.com>,
size=0, class=0,
nrcpts=110, proto=SMTP, daemon=MTA-v4,
relay=[211.175.178.162]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12490]:
[ID 801593 mail.info] i6CEcSP3012490: from=<uonksrdo at fbi.com>,
size=0, class=0,
nrcpts=140, proto=SMTP, daemon=MTA-v4,
relay=[218.29.50.88]

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12555]:
[ID 801593 mail.info] i6CEcoNh012555: from=<oxqsfaxu at fbi.com>,
size=0, class=0,
nrcpts=100, proto=SMTP, daemon=MTA-v4,
relay=wbar14.tmp-4-12-070-102.dsl-verizon.net [4.12.70.102]

syslog.tepin.gz:Jul 12 10:39:25 tepin sm-mta[11647]:
[ID 801593 mail.info] i6CEYXoN011647: from=<pqhqtxsi at fbi.com>,
size=0, class=0,
nrcpts=980, proto=SMTP, daemon=MTA-v4,
relay=id-cralid-cuda2a-64-130.losaca.adelphia.net [67.22.64.130]







More information about the unisog mailing list