Mail Attack

Jessica Zhu jessica at mathforum.org
Tue Aug 23 19:47:45 UTC 2005 

On Wed, 24 Aug 2005, Steve Phillips wrote:

> Jessica Zhu wrote:
> > Hi Ed,
> > 
> > 
> > On Tue, 23 Aug 2005, Ed Wilts wrote:
> > 
> > 
> >>On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote:
> >>
> >>>The <> messages are bounced messages. Someone may be spammed from your 
> >>>server and those address falied is bouncing back now. Make sure your 
> >>>server is secure and no one abusing it. Check for malicious scripts ...( 
> >>>expecially in /tmp..)...
> >>>Have a nice hunting:-)
> >>
> > 
> > /tmp was checked. Nothing turned out. Part of the bounced back messages 
> > which included detailed header for original mail checked, till now no one 
> > is really from us.
> > 
> > 
> >>Another possibility is that somebody outside of your organization forged
> >>their From: addresses to be from your domain.  They then spam like crazy
> >>and all the bounce messages go to you.  Somebody did that to us and it's
> >>not easy to recover from.  The bounce messages come from all over so you
> >>can't block the senders (the sending host is likely legitimate anyway).
> >>
> > 
> > 
> > That's exactly what happened to us. Somebody outside of our organization 
> > forged the From: addresses and we became the victim to that. At this 
> > point, it seemed that our syslog is so busy to write the maillog that it 
> > becomes a heavy process. This morning around 8AM, this drives our system 
> > load over 20 and the system becomes slower and slower. Now it seemed the 
> > worst time is over. However, I worried with such baounced back volumes 
> > increasing, our system can not afford to it finally.
> > 
> > 
> >>In our case, it happened to be a inactive domain.  We just directed that
> >>domain to a black hole and the firewalls dropped the smtp messages.  If
> >>the domain is active, there's not a lot you can do except ride out the
> >>storm.  Are the messages coming to random usernames or a handful of
> >>specific ones?  If they're specific, you can add mail access rules to
> > 
> > 
> > All the messages come to random usernames. A lot don't exist.
> > 
> > 
> >>sendmail to discard those and that will help the flood a bit.  If
> >>they're random, you can't block by source and you can't block by
> >>destination.  Not good...
> >>
> >>No penalty is severe enough for a spammer.
> > 
> > 
> > Absolutely. We cannot afford the system down. So really hope someone here 
> > has the solution for this.
> > 
> > Jessica 
> > 
> > 
> > 
> >>>Jessica Zhu wrote:
> >>>
> >>>
> >>>>Hi,
> >>>>
> >>>>It looks like we are experiencing the mail attack now.
> >>>>
> >>>>In our maillog, we have a lot of User Unknown message like the following.
> >>>>
> >>>>Aug 23 11:52:25  s1 sendmail[2110]: j7NFqPL02110:  
> >>>><Oscard at mathforum.org>... User unknown
> >>>>Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, 
> >>>>size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,  
> >>>>relay=mail.vis-inc.net [66.77.28.202]
> >>>>
> >>>>It looks like that all the from is <>, does anyone have the way to fight 
> >>>>against it. 
> >>>>
> >>>>Jessica
> >>
> >>
> > 
> in syslog.conf add a - to the start of the filename like so
> 
> mail.*<tab><tab><tab>-/var/log/maillog
> 
> The - tells syslog not to do an fsync each message and _really_ reduces 
> syslog load when it is busy, this will probably bring your mail server 
> under a little more control.

Great. It is immediately effective. The heavy syslogd process is gone. 

> 
> The next thing to do is examine the bounce messages and find out where 
> this originated and ring them. If this is still ongoing and they have 
> not terminated the spammer then add a postmaster redirect for that 
> domain temporarily to the postmaster at unresponsive.isp.com and you will 
> find the problem gets fixed usually within hours.
> 
> This happened to me with an AOL user spamming using <random 
> characters>@internet.co.nz and i was getting a few thousand messages an 
> hour comming into my postmaster account, after being told by a monkey to 
> "forward the spam to postmaster at aol.com sir !" and refusing to discuss 
> the issue I forwarded the 50,000 odd boounces I had collected and added 
> a redirect and within about a day it had stopped.
> 
> The big trick is to find the originator. - If you need help with this 
> them let us know and we can probably track them down for you.

Yes, with the bounce from all the places, it's really difficult for me to 
find out the originator. I really need help on this. What are the steps 
that I should take?

Jessica

More information about the redhat-list mailing list