leblancp
Cadet

 Joined: May 08, 2008 Posts: 1 Location: France
Posted: Thu May 08, 2008 10:42 am Post subject: SMTP DDoS
I hope I'm posting in the proper forum, as I have never seen that sort of attack before.
Starting about two weeks ago, I have been receiving around 15000 emails per day, all sent to non-existing addresses.
My usual level of spam is around 1000 per day domainwide.
What makes me think of an attack is that all these messages are sent to a small list of 15/20 unique email addresses, coming from an average of 200/300 distinct IP addresses.
These email addresses do not resemble existing or discarded addresses. They do not resemble variations on existing or discarded addresses. The email addresses look like random letters, nothing like a dictionary attack. So I do not think it's 'regular' spam as it has no chance of being delivered.
The IP addresses are geographically scattered all over the internet.
I do not know the contents of the message as they are rejected by my smtp server.
My current thinking is that they
1) try to swamp my server by getting them to send a ton of bounce messages or
2) try to use my server for a backscatter attack.
I'm not sure what to do:
Firewall/blacklisting does not seem appropriate as the IP addresses change every day.
The number of emails per IP seems too low to trigger a reasonable IDS rule.
Anyone seen something like that before?
Pierre.
trobbins
SIRT Handler Premium Member
 Joined: Feb 19, 2007 Posts: 1166 Location: USA
Posted: Mon May 12, 2008 9:26 pm Post subject:
If the domain of the recipient address is not one of yours, they may be trying to relay through your server. (possibly an attempt to get you blacklisted?)
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2668
Posted: Mon May 12, 2008 10:13 pm Post subject:
Are your servers bouncing these messages? If they are being sent to nonexistent addresses, you should be discarding them rather than bouncing them to a forged return address.
If they are being sent to a small number of non-existent addresses, you could create a user with one of those addresses long enough to collect some samples and see what is going on, then delete that address again.
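The pattern described in the first post (a handful of nonexistent recipients, hundreds of sources, few messages per source) becomes visible when rejects are grouped by recipient instead of by source IP. The following is an added example, not part of the thread: it assumes Postfix-style reject log lines (the thread does not name the mail server), and the sample addresses, IPs and thresholds are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: Postfix-style "reject: RCPT from host[ip]: 550 ... to=<rcpt>".
REJECT_RE = re.compile(
    r"reject: RCPT from [^\s\[]*\[(?P<ip>[^\]]+)\]: 550 .*? to=<(?P<rcpt>[^>]+)>")

def _line(ip, rcpt):
    """Build one constructed reject line for the sample data."""
    return (f"May  8 10:42:00 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown; from=<x@example.net> to=<{rcpt}> proto=ESMTP")

# Constructed sample: two random-looking recipients hit once each by many IPs,
# and one stale address retried three times by a single IP.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i}", "qzxvkw@example.org") for i in range(1, 6)]
    + [_line(f"198.51.100.{i}", "hbtjrm@example.org") for i in range(1, 5)]
    + [_line("203.0.113.7", "sales-old@example.org")] * 3
)

def _tally(lines):
    """Map recipient -> {source ip -> reject count}."""
    per_rcpt = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            per_rcpt[m["rcpt"].lower()][m["ip"]] += 1
    return per_rcpt

def per_ip_offenders(lines, threshold=3):
    """Classic per-source rule: IPs with at least `threshold` rejects."""
    counts = defaultdict(int)
    for sources in _tally(lines).values():
        for ip, n in sources.items():
            counts[ip] += n
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_rejects(lines, min_sources=3):
    """Per-recipient rule: unknown recipients hit by many distinct sources.
    Returns {recipient: (total rejects, distinct sources, max from one IP)}."""
    return {rcpt: (sum(s.values()), len(s), max(s.values()))
            for rcpt, s in _tally(lines).items() if len(s) >= min_sources}

if __name__ == "__main__":
    print("per-IP rule:       ", per_ip_offenders(SAMPLE_LOG))
    print("per-recipient rule:", distributed_rejects(SAMPLE_LOG))
```

On the sample, the per-IP rule flags only the single retrying host, while the per-recipient rule surfaces the two addresses that are being hit from many sources at one message each.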