Mail Attack

Jessica Zhu jessica at mathforum.org
Tue Aug 23 17:27:50 UTC 2005


Hi Ed,


On Tue, 23 Aug 2005, Ed Wilts wrote:

> On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote:
> > The <> messages are bounced messages. Someone may be spamming from your 
> > server and those failed addresses are bouncing back now. Make sure your 
> > server is secure and no one is abusing it. Check for malicious scripts ...( 
> > especially in /tmp..)...
> > Have a nice hunt :-)
> 

/tmp was checked. Nothing turned up. Some of the bounced-back messages, 
which included detailed headers for the original mail, were checked; so far 
none of them is really from us.

> Another possibility is that somebody outside of your organization forged
> their From: addresses to be from your domain.  They then spam like crazy
> and all the bounce messages go to you.  Somebody did that to us and it's
> not easy to recover from.  The bounce messages come from all over so you
> can't block the senders (the sending host is likely legitimate anyway).
> 

That's exactly what happened to us. Somebody outside of our organization 
forged the From: addresses and we became the victim of that. At this 
point, it seems that our syslog is so busy writing the maillog that it 
becomes a heavy process. This morning around 8AM, this drove our system 
load over 20 and the system became slower and slower. Now it seems the 
worst time is over. However, I worry that with such bounced-back volumes 
increasing, our system will eventually not be able to cope with it.

> In our case, it happened to be an inactive domain.  We just directed that
> domain to a black hole and the firewalls dropped the smtp messages.  If
> the domain is active, there's not a lot you can do except ride out the
> storm.  Are the messages coming to random usernames or a handful of
> specific ones?  If they're specific, you can add mail access rules to

All the messages come to random usernames. A lot don't exist.

> sendmail to discard those and that will help the flood a bit.  If
> they're random, you can't block by source and you can't block by
> destination.  Not good...
> 
> No penalty is severe enough for a spammer.

Absolutely. We cannot afford to have the system down. So I really hope someone 
here has the solution for this.

Jessica 


> 
> > Jessica Zhu wrote:
> > 
> > >Hi,
> > >
> > >It looks like we are experiencing a mail attack now.
> > >
> > >In our maillog, we have a lot of User Unknown messages like the following.
> > >
> > >Aug 23 11:52:25  s1 sendmail[2110]: j7NFqPL02110:  
> > ><Oscard at mathforum.org>... User unknown
> > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, 
> > >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,  
> > >relay=mail.vis-inc.net [66.77.28.202]
> > >
> > >It looks like all the from addresses are <>; does anyone have a way to fight 
> > >against it? 
> > >
> > >Jessica
> 
> 
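As an added illustration (not part of the thread), a small Python script that applies Ed's diagnostic to a maillog: it joins each sendmail "User unknown" rejection to its envelope line by queue id, separates null-sender bounces (backscatter) from ordinary misaddressed mail, and tallies them per relay and recipient to show whether the targets are random or a handful. The log lines are constructed in the format quoted above; the mx.example.* hosts, their addresses and the extra recipients are made up.

```python
import re
from collections import Counter

# Constructed sample in the sendmail maillog format quoted in the thread; the
# second and third relays, their addresses and the extra recipients are made up.
SAMPLE_LOG = """\
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <Oscard@mathforum.org>... User unknown
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.vis-inc.net [66.77.28.202]
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: <qwxz17@mathforum.org>... User unknown
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: from=<>, size=9021, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Aug 23 11:52:40 s1 sendmail[2120]: j7NFqeL02120: <oldstaff@mathforum.org>... User unknown
Aug 23 11:52:40 s1 sendmail[2120]: j7NFqeL02120: from=<colleague@example.org>, size=1200, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.20]
Aug 23 11:52:44 s1 sendmail[2125]: j7NFqiL02125: <b7t2p@mathforum.org>... User unknown
Aug 23 11:52:44 s1 sendmail[2125]: j7NFqiL02125: from=<>, size=15300, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.vis-inc.net [66.77.28.202]
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
UNKNOWN_RE = re.compile(r"<(?P<rcpt>[^>]*)>\.\.\. User unknown")
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)")

def classify_bounces(log_text):
    """Join each 'User unknown' rejection to its envelope line by queue id.
    Backscatter = rejected delivery with null sender (from=<>, i.e. a DSN)."""
    rejected, envelopes = {}, {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if (u := UNKNOWN_RE.search(rest)):
            rejected[qid] = u.group("rcpt")          # logged before the from= line
        elif (e := ENVELOPE_RE.search(rest)):
            envelopes[qid] = (e.group("sender"), e.group("relay"))
    backscatter, other_unknown = [], []
    for qid, rcpt in rejected.items():
        sender, relay = envelopes.get(qid, (None, None))
        if sender == "":
            backscatter.append((qid, rcpt, relay))
        else:
            other_unknown.append((qid, rcpt, sender))
    return backscatter, other_unknown

def summarize(backscatter):
    """Per-relay / per-recipient counts and whether targets look random
    (every recipient hit once) or concentrated on a few accounts."""
    by_relay = Counter(relay for _, _, relay in backscatter)
    by_rcpt = Counter(rcpt for _, rcpt, _ in backscatter)
    return {"total": len(backscatter), "by_relay": by_relay, "by_rcpt": by_rcpt,
            "random_targets": len(by_rcpt) == len(backscatter)}
```

Feed it the real maillog and compare `by_relay` with `by_rcpt`: many relays and all-distinct recipients is the "can't block by source or destination" case Ed describes, while a few repeated recipients would justify per-address access rules.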




More information about the redhat-list mailing list