A few weeks ago, some spammer sent out a spam wave abusing one of my domains (fortunately one I haven’t been using much). I quickly reacted by rejecting all mail to this domain.

However, I’m still seeing frequent mail delivery attempts. Apparently spammers have “discovered” the email address one of them invented, and are now spamming these addresses. Great… that’s like… spammer masturbation? making up your own email addresses to spam to…

And worse: apparently they’re now trying to bypass greylisting. Looks like we’ve now hit the point where greylisting will lose much of the effectiveness we all love it for. :-( That’s really bad news.

Here’s an excerpt from my logs (addresses removed to protect the invented):

Dec 10 14:58:54 postfix/smtpd[25738]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random@random.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mail.001sm.com>
Dec 10 15:00:25 postfix/smtpd[15969]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random2@random2.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mx1.cnm.cn>
Dec 10 15:02:35 postfix/smtpd[15139]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random3@random3.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mx2.fr.clara.net>
Dec 10 15:04:40 postfix/smtpd[10646]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random4@random4.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mail.1-shops.com>
Dec 10 15:06:46 postfix/smtpd[20414]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random5@random5.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<aspmx2.googlemail.com>
Dec 10 15:09:48 postfix/smtpd[20608]: NOQUEUE: reject: RCPT from efi235.internetdsl.tpnet.pl[83.14.242.235]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random6@random6.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<efi235.internetdsl.tpnet.pl>

Yes, that is one host retrying for 8 minutes (usually enough to bypass a greylist), another one a few minutes later, and a third one 5 days later (not included in the log); hosts that didn’t make it past the RBL are not included. All in all I count 148 email delivery attempts to this address.
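To measure this retry pattern across a whole mail log, the following added example (not part of the original post) parses Postfix `NOQUEUE: reject` lines and groups them by client IP and recipient. The sample lines are constructed in the format of the excerpt above, and the 300-second greylist delay, the year prefix and the function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format of the excerpt (documentation IPs).
SAMPLE = """\
Dec 10 14:58:54 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <made-up@example.org>: Recipient address rejected: no such user; from=<a@a.example> to=<made-up@example.org> proto=ESMTP helo=<mail.one.example>
Dec 10 15:02:35 postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <made-up@example.org>: Recipient address rejected: no such user; from=<b@b.example> to=<made-up@example.org> proto=ESMTP helo=<mx2.two.example>
Dec 10 15:06:46 postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <made-up@example.org>: Recipient address rejected: no such user; from=<c@c.example> to=<made-up@example.org> proto=ESMTP helo=<mx.three.example>
Dec 10 15:09:48 postfix/smtpd[104]: NOQUEUE: reject: RCPT from dsl.example.net[198.51.100.7]: 550 <made-up@example.org>: Recipient address rejected: no such user; from=<d@d.example> to=<made-up@example.org> proto=ESMTP helo=<dsl.example.net>
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[^\]]+)\]: .*? from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>")

def retry_report(log_text, greylist_delay=300):
    """Per (client IP, recipient): attempts, retry span, distinct senders/HELOs."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a smtpd RCPT reject line
        # Syslog timestamps carry no year; a fixed one is assumed for deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        seen[(m["ip"], m["rcpt"])].append((ts, m["sender"], m["helo"]))
    report = {}
    for key, hits in seen.items():
        hits.sort()
        span = int((hits[-1][0] - hits[0][0]).total_seconds())
        report[key] = {
            "attempts": len(hits),
            "span_s": span,
            "senders": len({s for _, s, _ in hits}),
            "helos": len({h for _, _, h in hits}),
            # True when the host kept retrying past the assumed greylist delay
            "outlasts_greylist": span >= greylist_delay,
        }
    return report

if __name__ == "__main__":
    for (ip, rcpt), stats in retry_report(SAMPLE).items():
        print(ip, rcpt, stats)
```

A client whose HELO name changes on every attempt while the IP and recipient stay fixed, as in the excerpt, shows up here with `helos` equal to `attempts`.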

And all on a random email in my domain that never existed, and is not a dictionary address like sales@domain.tld; but this probably means I won’t be able to enable a catchall for this domain ever again or face loads of spam. OTOH, my spam filter can probably learn that “agricolaapocalyptic” is a sure indicator for spam and just discard all of it.

P.S. This effect makes it more plausible that spammers are grabbing the Outlook address books of Windows users to use for spam; it’s plausible the spam-address was auto-collected by Outlook and then in turn collected by the next spammer. Maybe we really need to create random addresses until they give up on having sane databases sometime? Or at least blacklist our domains for their email collectors…