Mail Attack

Robert Williams rwilliams at covenantdata.com
Tue Aug 23 18:03:13 UTC 2005


And all of those ideas are excellent that were offered as well.

Robert Williams
Programmer / Web Developer / Network Administrator
Covenant Data Systems, Inc.
http://www.covenantdata.com
rwilliams at covenantdata.com  
 

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Jessica Zhu
Sent: Tuesday, August 23, 2005 12:28 PM
To: General Red Hat Linux discussion list
Subject: Re: Mail Attack

Hi Ed,


On Tue, 23 Aug 2005, Ed Wilts wrote:

> On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote:
> > The <> messages are bounced messages. Someone may be spammed from your 
> > server and those addresses that failed are bouncing back now. Make sure your 
> > server is secure and no one is abusing it. Check for malicious scripts ...(
> > especially in /tmp..)...
> > Have a nice hunting:-)
> 

/tmp was checked. Nothing turned up. Part of the bounced-back messages, 
which included detailed headers for the original mail, were checked; till now 
no one is really from us.

> Another possibility is that somebody outside of your organization forged
> their From: addresses to be from your domain.  They then spam like crazy
> and all the bounce messages go to you.  Somebody did that to us and it's
> not easy to recover from.  The bounce messages come from all over so you
> can't block the senders (the sending host is likely legitimate anyway).
> 

That's exactly what happened to us. Somebody outside of our organization 
forged the From: addresses and we became the victim of that. At this 
point, it seems that our syslog is so busy writing the maillog that it 
becomes a heavy process. This morning around 8AM, this drove our system 
load over 20 and the system became slower and slower. Now it seems the 
worst time is over. However, I am worried that with such bounced-back volumes 
increasing, our system cannot afford it in the end.

> In our case, it happened to be an inactive domain.  We just directed that
> domain to a black hole and the firewalls dropped the smtp messages.  If
> the domain is active, there's not a lot you can do except ride out the
> storm.  Are the messages coming to random usernames or a handful of
> specific ones?  If they're specific, you can add mail access rules to

All the messages come to random usernames. A lot don't exist.

> sendmail to discard those and that will help the flood a bit.  If
> they're random, you can't block by source and you can't block by
> destination.  Not good...
> 
> No penalty is severe enough for a spammer.

Absolutely. We cannot afford the system down. So really hope someone here 
has the solution for this.

Jessica 


> 
> > Jessica Zhu wrote:
> > 
> > >Hi,
> > >
> > >It looks like we are experiencing the mail attack now.
> > >
> > >In our maillog, we have a lot of User Unknown messages like the following.
> > >
> > >Aug 23 11:52:25  s1 sendmail[2110]: j7NFqPL02110:  
> > ><Oscard at mathforum.org>... User unknown
> > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, 
> > >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,  
> > >relay=mail.vis-inc.net [66.77.28.202]
> > >
> > >It looks like that all the from is <>, does anyone have the way to fight 
> > >against it. 
> > >
> > >Jessica
> 
> 
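
An added example, not written by anyone in this thread: Python that pairs the two maillog entries quoted above ("User unknown" and `from=<>`) by queue ID and tallies the recipients and relays involved, which shows whether the bounces hit random usernames or a handful of specific ones. The sample log lines, hostnames, queue IDs and addresses are constructed, and the function name `summarize_backscatter` is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the sendmail maillog format quoted in the thread
# (hosts, queue IDs and addresses are made up; 192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <oscard@example.org>... User unknown
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: <kq7xw@example.org>... User unknown
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: from=<>, size=9120, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx2.example.com [192.0.2.20]
Aug 23 11:53:02 s1 sendmail[2120]: j7NFr2L02120: from=<alice@example.com>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx2.example.com [192.0.2.20]
Aug 23 11:53:40 s1 sendmail[2131]: j7NFreL02131: <oscard@example.org>... User unknown
Aug 23 11:53:40 s1 sendmail[2131]: j7NFreL02131: from=<>, size=17420, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
"""

# Every sendmail entry carries a queue ID; it ties the rejection to the envelope line.
LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
UNKNOWN = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. User unknown")
FROM = re.compile(r"^from=<(?P<sender>[^>]*)>,.*\brelay=(?P<relay>\S+(?: \[[^\]]+\])?)")

def summarize_backscatter(log_text):
    """Tally rejected recipients and relays for null-sender (from=<>) messages."""
    unknown, null_relay = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if (u := UNKNOWN.match(rest)):
            unknown.setdefault(qid, []).append(u["rcpt"].lower())
        elif (f := FROM.match(rest)) and f["sender"] == "":
            null_relay[qid] = f["relay"]  # empty envelope sender marks a bounce
    rcpts, relays = Counter(), Counter()
    for qid, relay in null_relay.items():
        hits = unknown.get(qid, [])
        if hits:  # count only bounces that were aimed at a nonexistent user
            relays[relay] += 1
            rcpts.update(hits)
    return rcpts, relays

if __name__ == "__main__":
    rcpts, relays = summarize_backscatter(SAMPLE_LOG)
    print("bounces to unknown users:", sum(rcpts.values()))
    print("distinct recipients:", len(rcpts), "distinct relays:", len(relays))
    for addr, n in rcpts.most_common(5):
        print(f"{n:6d}  {addr}")
```

A recipient count close to the total number of bounces indicates random usernames; a short list with high counts indicates specific addresses that could be matched by the access rules mentioned in the thread.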
