Mail Attack
Robert Williams
rwilliams at covenantdata.com
Tue Aug 23 18:03:13 UTC 2005
And all of the ideas that were offered are excellent as well.
http://www.covenantdata.com ...Where data becomes information!
Robert Williams
Programmer / Web Developer / Network Administrator
Covenant Data Systems, Inc.
http://www.covenantdata.com
rwilliams at covenantdata.com
-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Jessica Zhu
Sent: Tuesday, August 23, 2005 12:28 PM
To: General Red Hat Linux discussion list
Subject: Re: Mail Attack
Hi Ed,
On Tue, 23 Aug 2005, Ed Wilts wrote:
> On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote:
> > The <> messages are bounced messages. Someone may be spamming from your
> > server, and those failed addresses are bouncing back now. Make sure your
> > server is secure and no one is abusing it. Check for malicious scripts ...(
> > especially in /tmp..)...
> > Have a nice hunt :-)
>
/tmp was checked. Nothing turned up. Part of the bounced-back messages,
which included the detailed headers of the original mail, were checked; so far
none of them are really from us.
> Another possibility is that somebody outside of your organization forged
> their From: addresses to be from your domain. They then spam like crazy
> and all the bounce messages go to you. Somebody did that to us and it's
> not easy to recover from. The bounce messages come from all over so you
> can't block the senders (the sending host is likely legitimate anyway).
>
That's exactly what happened to us. Somebody outside of our organization
forged the From: addresses and we became the victim of that. At this
point, it seemed that our syslog was so busy writing the maillog that it
became a heavy process. This morning around 8AM, this drove our system
load over 20 and the system became slower and slower. Now it seems the
worst time is over. However, I worry that with such bounced-back volumes
increasing, our system cannot afford it in the end.
> In our case, it happened to be an inactive domain. We just directed that
> domain to a black hole and the firewalls dropped the smtp messages. If
> the domain is active, there's not a lot you can do except ride out the
> storm. Are the messages coming to random usernames or a handful of
> specific ones? If they're specific, you can add mail access rules to
All the messages come to random usernames. A lot don't exist.
> sendmail to discard those and that will help the flood a bit. If
> they're random, you can't block by source and you can't block by
> destination. Not good...
>
> No penalty is severe enough for a spammer.
Absolutely. We cannot afford the system down. So really hope someone here
has the solution for this.
Jessica
>
> > Jessica Zhu wrote:
> >
> > >Hi,
> > >
> > >It looks like we are experiencing the mail attack now.
> > >
> > >In our maillog, we have a lot of User Unknown messages like the following.
> > >
> > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110:
> > ><Oscard at mathforum.org>... User unknown
> > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>,
> > >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
> > >relay=mail.vis-inc.net [66.77.28.202]
> > >
> > >It looks like all the from addresses are <>; does anyone have a way to fight
> > >against it?
> > >
> > >Jessica
>
>
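As an added example, not from the thread: a small Python script that applies Ed's diagnostic question to a sendmail maillog, correlating "User unknown" rejections with their null-sender (from=<>) envelope lines by queue id and reporting whether the rejected recipients and relaying hosts are few or many. The log lines, hostnames and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the sendmail format quoted in the thread.
SAMPLE_MAILLOG = """\
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <oscard@example.org>... User unknown
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: <qwv81@example.org>... User unknown
Aug 23 11:52:31 s1 sendmail[2114]: j7NFqVL02114: from=<>, size=9031, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp.example.com [198.51.100.7]
Aug 23 11:52:40 s1 sendmail[2120]: j7NFqeL02120: <zz1234@example.org>... User unknown
Aug 23 11:52:40 s1 sendmail[2120]: j7NFqeL02120: from=<>, size=12880, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:44 s1 sendmail[2125]: j7NFqiL02125: from=<alice@example.com>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.5]
"""

UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): <(?P<rcpt>[^>]+)>\.\.\. User unknown")
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>, .*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]")

def summarize_backscatter(log_text):
    """Pair each 'User unknown' rejection with its envelope line via the queue id.
    Only null-sender (from=<>) envelopes are counted, since those are bounces."""
    unknown = {}   # queue id -> rejected recipient
    envelope = {}  # queue id -> (sender, relay host, relay ip)
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[m["qid"]] = m["rcpt"].lower()
            continue
        m = FROM_RE.search(line)
        if m:
            envelope[m["qid"]] = (m["sender"], m["relay"], m["ip"])
    rcpts, relays = Counter(), Counter()
    for qid, rcpt in unknown.items():
        env = envelope.get(qid)
        if env and env[0] == "":  # empty sender: a bounce, not a normal delivery
            rcpts[rcpt] += 1
            relays[env[2]] += 1
    # Few distinct recipients -> per-recipient access rules help; many -> they won't.
    return {
        "bounces": sum(rcpts.values()),
        "distinct_recipients": len(rcpts),
        "distinct_relays": len(relays),
        "top_recipients": rcpts.most_common(5),
        "top_relays": relays.most_common(5),
    }

if __name__ == "__main__":
    print(summarize_backscatter(SAMPLE_MAILLOG))
```

Run it against a real maillog by passing the file contents to summarize_backscatter; a high distinct-recipient count with bounces spread over many relays is the "random usernames, many sources" pattern Ed describes.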