Mail Attack

Ed Wilts ewilts at ewilts.org
Tue Aug 23 18:39:02 UTC 2005


On Tue, Aug 23, 2005 at 01:27:50PM -0400, Jessica Zhu wrote:
> On Tue, 23 Aug 2005, Ed Wilts wrote:
> 
> > Another possibility is that somebody outside of your organization forged
> > their From: addresses to be from your domain.  They then spam like crazy
> > and all the bounce messages go to you.  Somebody did that to us and it's
> > not easy to recover from.  The bounce messages come from all over so you
> > can't block the senders (the sending host is likely legitimate anyway).
> > 
> That's exactly what happened to us. Somebody outside of our organization 
> forged the From: addresses and we became the victim of that. At this 
> point, it seems that our syslog is so busy writing the maillog that it 
> has become a heavy process. This morning around 8AM, this drove our system 
> load over 20 and the system became slower and slower. Now it seems the 
> worst is over. However, I worry that with such bounced-back volumes 
> increasing, our system will eventually not be able to cope.

I saw load averages well over 100 :-(.  We have 2 mail servers in a
round-robin configuration and they both got beaten into the ground.

> All the messages come to random usernames. A lot don't exist.

That makes it really, really hard to stop.  Source addresses all over
the place - typically legitimate - doing the right thing, which is to
bounce messages that are undeliverable.  Unfortunately the bounce
messages are going to you although you didn't send them.
> 
> We cannot afford the system down. So really hope someone here 
> has the solution for this.

There is no easy solution except to buy more server capacity to
handle the load (and buying more servers isn't really easy either!).

One other option is to configure sendmail to only accept mail to certain
addresses and discard, not bounce, the rest.  This requires a lot of
maintenance with the access database if you have a lot of users coming
and going.

Long term, I see something like the authenticated sender mechanisms
helping here - these will restrict messages from you to only come from
your hosts.  I don't think most of this stuff is working well in
production yet though (SPF, et al).

        .../Ed


> > > Jessica Zhu wrote:
> > > 
> > > >Hi,
> > > >
> > > >It looks like we are experiencing the mail attack now.
> > > >
> > > >In our maillog, we have a lot of User Unknown messages like the following.
> > > >
> > > >Aug 23 11:52:25  s1 sendmail[2110]: j7NFqPL02110:  
> > > ><Oscard at mathforum.org>... User unknown
> > > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, 
> > > >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,  
> > > >relay=mail.vis-inc.net [66.77.28.202]
> > > >
> > > >It looks like all the from addresses are <>. Does anyone have a way to 
> > > >fight against it? 
> > > >
> > > >Jessica

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
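The pattern Ed and Jessica describe (null-sender bounces addressed to users who do not exist, arriving from many legitimate relays) is easy to confirm from the maillog itself before deciding on capacity or an accept-list. The script below is an added example, not something posted in this thread; it parses the two sendmail record types quoted above (the "User unknown" rejection and the matching `from=<>` envelope line) and summarizes the flood per relay and per minute. The log lines, hostnames and addresses in it are constructed to match that format, not taken from Jessica's server.

```python
"""Classify sendmail maillog lines to spot a backscatter flood.

Backscatter is the pattern described in the thread: remote MTAs bounce
spam whose From: was forged to our domain, so we receive a burst of
null-sender (from=<>) messages addressed to users who do not exist.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the two sendmail record formats quoted in
# the thread (a "User unknown" rejection and its from=<> envelope line).
SAMPLE_MAILLOG = """\
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <nosuchuser1@example.org>... User unknown
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:26 s1 sendmail[2111]: j7NFqQL02111: <nosuchuser2@example.org>... User unknown
Aug 23 11:52:26 s1 sendmail[2111]: j7NFqQL02111: from=<>, size=9000, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.com [198.51.100.7]
Aug 23 11:53:01 s1 sendmail[2112]: j7NFqRL02112: <nosuchuser3@example.org>... User unknown
Aug 23 11:53:01 s1 sendmail[2112]: j7NFqRL02112: from=<>, size=12000, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:53:05 s1 sendmail[2113]: j7NFqSL02113: from=<alice@example.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:53:05 s1 sendmail[2113]: j7NFqSL02113: to=<bob@example.org>, delay=00:00:00, mailer=local, stat=Sent
Aug 23 11:53:09 s1 sendmail[2114]: j7NFqTL02114: <typo@example.org>... User unknown
Aug 23 11:53:09 s1 sendmail[2114]: j7NFqTL02114: from=<carol@example.com>, size=800, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.com [198.51.100.7]
"""

# "Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <rest of record>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]:\s+"
    r"(?P<qid>\w+):\s+(?P<rest>.*)$"
)
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]*)>\.\.\. User unknown$")
# Envelope fields are "key=value" separated by ", "; the relay value may
# carry a space before the bracketed IP address.
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+(?: \[[^\]]*\])?)")


def parse_maillog(text):
    """Group log records by sendmail queue id.

    Returns {qid: {"ts": first timestamp, "unknown": [rcpts], "fields": {...}}}.
    """
    msgs = defaultdict(lambda: {"ts": None, "unknown": [], "fields": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-message sendmail record
        rec = msgs[m["qid"]]
        rec["ts"] = rec["ts"] or m["ts"]
        rest = m["rest"]
        u = UNKNOWN_RE.match(rest)
        if u:
            rec["unknown"].append(u["rcpt"])
        elif rest.startswith("from="):
            rec["fields"].update(FIELD_RE.findall(rest))
    return msgs


def is_backscatter(rec):
    """Null sender plus a rejected, non-existent recipient is the thread's pattern.

    Genuine bounces also use from=<>, so a null sender alone proves nothing;
    a bounce addressed to a user who never existed is the tell-tale sign.
    A real sender mistyping an address (from=<carol@...>) is not counted.
    """
    return rec["fields"].get("from") == "<>" and bool(rec["unknown"])


def summarize(text):
    """Return the counts a responder wants: total, per relay, per minute."""
    msgs = parse_maillog(text)
    hits = {q: r for q, r in msgs.items() if is_backscatter(r)}
    per_relay = Counter(r["fields"].get("relay", "?") for r in hits.values())
    per_minute = Counter(r["ts"][:-3] for r in hits.values())  # drop :SS
    return {
        "messages": len(msgs),
        "backscatter": len(hits),
        "per_relay": dict(per_relay),
        "per_minute": dict(per_minute),
        "unknown_rcpts": sorted(a for r in hits.values() for a in r["unknown"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MAILLOG)
    print(f"{s['backscatter']} of {s['messages']} messages look like backscatter")
    for relay, n in sorted(s["per_relay"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {relay}")
```

Run against a real maillog with `summarize(open("/var/log/maillog").read())`. The per-relay counts show why blocking senders does not work (the relays are many and legitimate, exactly as Ed says), and the per-minute counts give a number to watch while waiting for the flood to subside or to justify the extra capacity.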




More information about the redhat-list mailing list