Mail Attack

Ed Wilts ewilts at ewilts.org
Tue Aug 23 16:50:30 UTC 2005


On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote:
> The <> messages are bounced messages. Someone may be spammed from your 
> server and those failed addresses are bouncing back now. Make sure your 
> server is secure and no one is abusing it. Check for malicious scripts ...( 
> especially in /tmp..)...
> Have a nice hunting:-)

Another possibility is that somebody outside of your organization forged
their From: addresses to be from your domain.  They then spam like crazy
and all the bounce messages go to you.  Somebody did that to us and it's
not easy to recover from.  The bounce messages come from all over so you
can't block the senders (the sending host is likely legitimate anyway).

In our case, it happened to be an inactive domain.  We just directed that
domain to a black hole and the firewalls dropped the smtp messages.  If
the domain is active, there's not a lot you can do except ride out the
storm.  Are the messages coming to random usernames or a handful of
specific ones?  If they're specific, you can add mail access rules to
sendmail to discard those and that will help the flood a bit.  If
they're random, you can't block by source and you can't block by
destination.  Not good...

No penalty is severe enough for a spammer.

        .../Ed

> Jessica Zhu wrote:
> 
> >Hi,
> >
> >It looks like we are experiencing the mail attack now.
> >
> >In our maillog, we have a lot of User Unknown message like the following.
> >
> >Aug 23 11:52:25  s1 sendmail[2110]: j7NFqPL02110:  
> ><Oscard at mathforum.org>... User unknown
> >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, 
> >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,  
> >relay=mail.vis-inc.net [66.77.28.202]
> >
> >It looks like that all the from is <>, does anyone have the way to fight 
> >against it. 
> >
> >Jessica

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
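
The question in the reply above (random usernames or a handful of specific ones?) can be answered from the maillog itself. This is an added example, not part of the original thread: it pairs each "User unknown" line with the from=<> line that shares its queue id and counts rejected recipients and relays. The sample entries, the top_n/threshold cut-off and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample data (made-up queue ids, addresses and relays; the IPs are
# documentation ranges), rendered in the shape of the maillog lines in the thread.
ENTRIES = [  # (queue id, rejected recipient, envelope sender, relay)
    ("j7NAAAA00001", "sales@example.org", "", "mx1.example.net [192.0.2.10]"),
    ("j7NAAAA00002", "sales@example.org", "", "mail.example.com [198.51.100.7]"),
    ("j7NAAAA00003", "info@example.org", "", "mx1.example.net [192.0.2.10]"),
    ("j7NAAAA00004", "sales@example.org", "", "smtp.example.edu [203.0.113.5]"),
    ("j7NAAAA00005", "info@example.org", "", "mail.example.com [198.51.100.7]"),
    ("j7NAAAA00006", "qzx17@example.org", "", "smtp.example.edu [203.0.113.5]"),
    ("j7NAAAA00007", "typo@example.org", "bob@example.com", "mx1.example.net [192.0.2.10]"),
]
SAMPLE_LOG = "\n".join(
    f"Aug 23 11:52:25 s1 sendmail[2110]: {q}: <{rcpt}>... User unknown\n"
    f"Aug 23 11:52:25 s1 sendmail[2110]: {q}: from=<{frm}>, size=17601, class=0, "
    f"nrcpts=0, proto=ESMTP, daemon=MTA, relay={relay}"
    for q, rcpt, frm, relay in ENTRIES)

UNKNOWN = re.compile(r"sendmail\[\d+\]: (\w+):\s+<([^>]+)>\.\.\. User unknown")
FROM = re.compile(r"sendmail\[\d+\]: (\w+):\s+from=<([^>]*)>,.*relay=(.+)$")

def summarize(log_text):
    """Count rejected recipients and relays for null-sender (<>) messages only."""
    rejected, senders = {}, {}   # both keyed by sendmail queue id
    for line in log_text.splitlines():
        if m := UNKNOWN.search(line):
            rejected.setdefault(m.group(1), []).append(m.group(2).lower())
        elif m := FROM.search(line):
            senders[m.group(1)] = (m.group(2), m.group(3).strip())
    rcpts, relays = Counter(), Counter()
    for qid, addrs in rejected.items():
        sender, relay = senders.get(qid, (None, None))
        if sender == "":             # from=<> marks a bounce message
            rcpts.update(addrs)
            relays[relay] += 1
    return rcpts, relays

def classify(rcpts, top_n=2, threshold=0.8):
    """'specific' if the top_n recipients take >= threshold of bounces (assumed cut-off)."""
    total = sum(rcpts.values())
    if total == 0:
        return "none"
    top = sum(count for _, count in rcpts.most_common(top_n))
    return "specific" if top / total >= threshold else "random"

if __name__ == "__main__":
    rcpts, relays = summarize(SAMPLE_LOG)
    print(classify(rcpts), rcpts.most_common(3), len(relays), "relays")
```

A "specific" result points at the handful of addresses worth discarding with access rules; many distinct relays alongside a "random" result matches the case where neither source nor destination can be blocked.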



