[Mimedefang] Successive Unknown Users

Albert E. Whale aewhale at ABS-CompTech.com
Mon Dec 2 15:15:02 EST 2002


This is probably one of the better definitions of what I've seen
occurring over the net lately.

Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMjohn at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMelmore at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMnovak at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMmanley at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMrubio at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMplummer at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMwills at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMgrace at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMworley at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMgorman at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMelkins at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMblue at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMgary at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMfontenot at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMhilton at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMherron at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMmoyer at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMrucker at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMseymour at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMhickey at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMcramer at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMgoldstein at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMfield at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMpierson at hky.com>... User unknown
Dec  2 14:38:34 access sendmail[30565]: gB2JcSCl030565:
<WILLIAMgibbons at hky.com>... User unknown
Dec  2 14:38:35 access sendmail[30565]: gB2JcSCl030565:
from=<erc at alphalink.com.au>, size=0, class=0, nrcpts=0,
proto=SMTP, daemon=MTA,
relay=dialin-160-157.vancouver.primus.ca [209.90.160.157]

While the end result on this was that there was nothing left to deliver,
I would like to block these Bozos or perhaps get their Connection
Pulled.  Is there an alarm that can be generated for events of this
nature?

Any suggestions?

--
Albert E. Whale - CISSP
http://www.abs-comptech.com
----------------------------------------------------------------------
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant
Board of Directors - InfraGard - Pittsburgh, PA
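
One way to raise the kind of alarm asked about above, as an added example that is not part of the original post: group sendmail "User unknown" rejections by queue ID and report any single SMTP transaction that exceeds a threshold, together with the relay taken from its from= line. The sample lines are constructed, the threshold of 5 and the function name are assumptions, and the parser expects one syslog record per line (unwrapped, with real "@" addresses).

```python
import re
from collections import defaultdict

# Constructed sample in the sendmail syslog format quoted in the post: one record
# per line, placeholder hosts and addresses (hypothetical, not from the post).
SAMPLE_LOG = [
    f"Dec  2 14:38:34 mx sendmail[101]: qAAAA0000001: <guess{i}@example.com>... User unknown"
    for i in range(6)
] + [
    "Dec  2 14:38:35 mx sendmail[101]: qAAAA0000001: from=<x@example.net>, size=0, "
    "class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dialin.example.net [192.0.2.10]",
    "Dec  2 14:40:01 mx sendmail[102]: qAAAA0000002: <typo@example.com>... User unknown",
    "Dec  2 14:40:02 mx sendmail[102]: qAAAA0000002: from=<friend@example.org>, size=812, "
    "class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]",
]

UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]*)>\.\.\. User unknown")
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>.*?nrcpts=(\d+).*?relay=(.*)$")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def find_harvest_attempts(lines, threshold=5):
    """Return one alert per queue ID that logged >= threshold unknown recipients."""
    rejected = defaultdict(list)   # queue ID -> rejected recipient addresses
    envelope = {}                  # queue ID -> (sender, accepted rcpts, relay)
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            rejected[m.group(1)].append(m.group(2))
            continue
        m = FROM_RE.search(line)
        if m:
            envelope[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4).strip())
    alerts = []
    for qid, rcpts in rejected.items():
        if len(rcpts) < threshold:
            continue  # a single mistyped address is not an alarm
        sender, accepted, relay = envelope.get(qid, (None, None, ""))
        ip = IP_RE.search(relay)
        alerts.append({"qid": qid, "unknown": len(rcpts), "accepted": accepted,
                       "sender": sender, "relay_ip": ip.group(1) if ip else None})
    return alerts

if __name__ == "__main__":
    for alert in find_harvest_attempts(SAMPLE_LOG):
        print("ALERT possible address harvesting:", alert)
```

The envelope sender is supplied by the client and can be forged, so the relay address logged by sendmail is the field to act on when blocking or reporting.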




