[edlug] Strange mail relaying DOS.
Hi,
I've been fighting a weird email DOS / JoeJob this afternoon
and I'm looking for advice in handling similar future incidents.
I've got a mail server set up which I believed to be immune
to relaying, only accepting delivery for a small list
of domains (which it then serves out via pop3/imap).
This afternoon the load on the machine jumped as the virus
scanner went into overkill processing *hundreds* of incoming
messages.
The mails all had their envelope-to set to something of
the form:
word@xxx.xxx.xxx
(i.e. an email address).
The messages themselves were each unique, and had different
From and To destinations. The server accepted these messages
for no reason that I could see and immediately started out
trying to relay them to their intended destinations which
then bounced back to the machine.
So far I've killed the incoming SMTP service and I am looking
at a queue of five thousand messages waiting to be purged.
I know that foo@xxx.xxx.xxx isn't a valid email address
and I'm unsure why this was being relayed in the first place
(although I have a hazy idea that 'foo@[xxx.xxx.xxx]' is valid).
I couldn't simply firewall off the injecting machine as
the messages were coming from multiple machines - more and
more as the addresses I killed off were dropped.
As an example the transactions went something like this:
HELO blah
MAIL FROM: foo@xxx.xxx.xxx <- mail server's IP
RCPT TO: foo@xxx.xxx.xxx
DATA
To: foo@xxx.xxx.xxx
From: bar@xxx.xxx.xxx
Subject: get your hot spam
...
.
The messages were queued and the bounces from hotmail
were coming back to the nonexistent user 'foo@xxx.xxx.xxx'.
Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/
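Since the post asks how to handle similar incidents, here is an added example (not from Steve's post or his server) of a recipient policy applied at RCPT TO time: the envelope domain must be a configured local name, a bare dotted-quad like foo@xxx.xxx.xxx is rejected outright, and a bracketed address literal naming the server itself is accepted only when explicitly enabled. The domain list, the server IP and the sample session are constructed placeholders.

```python
import ipaddress
import re

# Constructed policy values (placeholders, not from the post).
LOCAL_DOMAINS = {"example.org"}    # domains this server delivers for
SERVER_IPS = {"192.0.2.25"}        # this server's own address
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")  # local@domain, optional <>

def domain_kind(domain):
    """'literal' for [a.b.c.d], 'bare-ip' for a.b.c.d, otherwise 'name'."""
    literal = domain.startswith("[") and domain.endswith("]")
    try:
        ipaddress.ip_address(domain[1:-1] if literal else domain)
    except ValueError:
        return "name"              # also malformed literals: never local
    return "literal" if literal else "bare-ip"

def accept_rcpt(rcpt, local_domains=LOCAL_DOMAINS, server_ips=SERVER_IPS,
                accept_own_literal=False):
    """Decide whether to accept a RCPT TO argument. Returns (accepted, reason)."""
    m = ADDR_RE.match(rcpt.strip())
    if not m:
        return False, "syntax"
    domain = m.group(2).lower()
    kind = domain_kind(domain)
    # foo@[xxx.xxx.xxx] naming this host is only local if explicitly enabled.
    if kind == "literal" and accept_own_literal and domain[1:-1] in server_ips:
        return True, "own address literal"
    if kind != "name":                 # foo@xxx.xxx.xxx or any other literal
        return False, "IP in domain"
    if domain in local_domains:
        return True, "local domain"
    return False, "relay denied"       # not ours: accepting it would relay

# Constructed session mirroring the transaction in the post; 192.0.2.25
# stands in for the server's own xxx.xxx.xxx.
SAMPLE_SESSION = [
    "HELO blah",
    "MAIL FROM: foo@192.0.2.25",
    "RCPT TO: foo@192.0.2.25",
    "RCPT TO: <alice@example.org>",
    "RCPT TO: bob@[192.0.2.25]",
    "RCPT TO: someone@remote.example",
]

def check_session(lines, **policy):
    """Run accept_rcpt over each RCPT TO line; returns [(line, accepted, reason)]."""
    return [(line, *accept_rcpt(line.split(":", 1)[1], **policy))
            for line in lines if line.upper().startswith("RCPT TO:")]
```

With the default policy only the alice@example.org recipient in the sample session is accepted; the two IP-domain recipients from the post's pattern are refused before any queueing or bounce generation happens.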