Mail Attack

Jessica Zhu jessica at mathforum.org
Tue Aug 23 19:54:48 UTC 2005


On Wed, 24 Aug 2005, Aroop Maliakkal wrote:

> Steve Phillips wrote:
> 
> > Jessica Zhu wrote:
> >
> >> That's exactly what happened to us. Somebody outside of our 
> >> organization forged the From: addresses and we became the victim of 
> >> that. At this point, it seemed that our syslog is so busy writing 
> >> the maillog that it becomes a heavy process. This morning around 8AM, 
> >> this drove our system load over 20 and the system became slower and 
> >> slower. Now it seems the worst time is over. However, I worry that with 
> >> such bounced-back volumes increasing, our system cannot cope with 
> >> it eventually.
> >>
> >>
> >> All the messages come to random usernames. A lot don't exist.
> >>
> >>
> >>> sendmail to discard those and that will help the flood a bit.  If
> >>> they're random, you can't block by source and you can't block by
> >>> destination.  Not good...
> >>>
> >>> No penalty is severe enough for a spammer.

> > in syslog.conf add a - to the start of the filename like so
> >
> > mail.*<tab><tab><tab>-/var/log/maillog
> >
> > The - tells syslog not to do an fsync after each message and _really_ 
> > reduces syslog load when it is busy; this will probably bring your 
> > mail server under a little more control.
> >
> > The next thing to do is examine the bounce messages and find out where 
> > this originated and ring them. If this is still ongoing and they have 
> > not terminated the spammer then add a postmaster redirect for that 
> > domain temporarily to the postmaster at unresponsive.isp.com and you will 
> > find the problem gets fixed usually within hours.
> >
> > This happened to me with an AOL user spamming using <random 
> > characters>@internet.co.nz and I was getting a few thousand messages 
> > an hour coming into my postmaster account. After being told by a 
> > monkey to "forward the spam to postmaster at aol.com sir !" and refusing 
> > to discuss the issue, I forwarded the 50,000 odd bounces I had 
> > collected and added a redirect, and within about a day it had stopped.
> >
> > The big trick is to find the originator. If you need help with this 
> > then let us know and we can probably track them down for you.
> >
> Another option (just a thought) is to null-route the MX record of 
> the domain to which the bounces are coming. If possible, give it a low TTL 
> value. It will take some time for the result to take effect because the MX 
> will be cached by most ISPs.
> 
> 
I'm afraid that I cannot do that since a lot of the domains are legitimate.

Jessica
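The syslog.conf change suggested above (a leading `-` on the file action so syslogd stops fsync()ing after every maillog line) is easy to miss on a busy box. The script below is an added example, not code from anyone in this thread: it audits a classic syslog.conf for `mail.*` file actions still written synchronously and prints the corrected lines. The sample configuration embedded in it is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find mail-facility file actions in a
# classic syslog.conf that still force an fsync per message, and show the
# corrected ("-" prefixed) lines. Assumes the traditional
# "selector<whitespace>action" format used by sysklogd-era syslog.conf.

# Constructed sample syslog.conf: the mail.* line is the one under load.
SAMPLE_CONF=$(printf '%s\n' \
  '# constructed sample syslog.conf' \
  'authpriv.*                                              /var/log/secure' \
  'mail.*                                                  /var/log/maillog' \
  'cron.*                                                  -/var/log/cron' \
  '*.emerg                                                 *')

# Print the file path of every mail.* action that lacks the leading "-",
# i.e. every action syslogd will fsync after each message.
find_sync_mail_actions() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }                  # comments, blank lines
        $1 ~ /(^|[;,])mail\./ && $2 ~ /^\// { print $2 }     # mail selector, plain file
    '
}

# Emit the configuration with "-" prepended to synchronous mail.* file actions;
# every other line is passed through unchanged.
fix_sync_mail_actions() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { print; next }
        $1 ~ /(^|[;,])mail\./ && $2 ~ /^\// { sub(/\//, "-/", $2); $0 = $1 "\t" $2 }
        { print }
    '
}

# Stand-alone run: report what would change, then print the corrected file.
echo "Synchronous mail.* actions:"
find_sync_mail_actions "$SAMPLE_CONF"
echo
echo "Corrected configuration:"
fix_sync_mail_actions "$SAMPLE_CONF"
```

Run it against the real file with `fix_sync_mail_actions "$(cat /etc/syslog.conf)"` and send syslogd a HUP afterwards. The trade-off is the one the thread implies: with `-` the last few maillog lines can be lost if the machine crashes, which is almost always acceptable for a mail log and is what keeps the logger from becoming the bottleneck during a backscatter flood.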



