>From 10:36 to 10:39 -0400 yesterday we saw a coordinated set of
340 smtp connections from 119 scattered IP addresses all claiming
to be from random string @fbi.com.  They said they had up to 1000
recipients each (many were exactly 1000) but they did not send
mail.  Sendmail logged them as "lost input channel ...  after rcpt".

This could have been a serious attack had they really sent mail.

There is a domain called fbi.com but this of course might be
unrelated to them.

Did anyone else see this or should we feel special?

Here's just over a second of syslog on one host:

syslog.tepin.gz:Jul 12 10:39:23 tepin sm-mta[12410]:
[ID 801593 mail.info] i6CEc333012410: from=<ocifnfqi at fbi.com>,
size=0, class=0,
nrcpts=400, proto=SMTP, daemon=MTA-v4,
relay=chello062178064059.22.11.vie.surfer.at []

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[11584]:
[ID 801593 mail.info] i6CEYLVx011584: from=<wqjwiivm at fbi.com>,
size=0, class=0,
nrcpts=620, proto=SMTP, daemon=MTA-v4,
relay=h000cf18a05d9.ne.client2.attbi.com []

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12307]:
[ID 801593 mail.info] i6CEbR1Y012307: from=<gvyimhxu at fbi.com>,
size=0, class=0,
nrcpts=300, proto=SMTP, daemon=MTA-v4,
relay=12-222-33-59.client.insightBB.com []

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12325]:
[ID 801593 mail.info] i6CEbchi012325: from=<xvbjruva at fbi.com>,
size=0, class=0,
nrcpts=580, proto=SMTP, daemon=MTA-v4,
relay=24-151-171-188.chartertn.net []

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12375]:
[ID 801593 mail.info] i6CEc2qa012375: from=<kkmfbfth at fbi.com>,
size=0, class=0,
nrcpts=110, proto=SMTP, daemon=MTA-v4,

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12450]:
[ID 801593 mail.info] i6CEcH0e012450: from=<einkahqb at fbi.com>,
size=0, class=0,
nrcpts=110, proto=SMTP, daemon=MTA-v4,

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12490]:
[ID 801593 mail.info] i6CEcSP3012490: from=<uonksrdo at fbi.com>,
size=0, class=0,
nrcpts=140, proto=SMTP, daemon=MTA-v4,

syslog.tepin.gz:Jul 12 10:39:24 tepin sm-mta[12555]:
[ID 801593 mail.info] i6CEcoNh012555: from=<oxqsfaxu at fbi.com>,
size=0, class=0,
nrcpts=100, proto=SMTP, daemon=MTA-v4,
relay=wbar14.tmp-4-12-070-102.dsl-verizon.net []

syslog.tepin.gz:Jul 12 10:39:25 tepin sm-mta[11647]:
[ID 801593 mail.info] i6CEYXoN011647: from=<pqhqtxsi at fbi.com>,
size=0, class=0,
nrcpts=980, proto=SMTP, daemon=MTA-v4,
relay=id-cralid-cuda2a-64-130.losaca.adelphia.net []

