Re: Qmail attack
On Tue, Apr 03, 2001 at 06:00:03PM -0600, Keary Suska wrote:
> I had a similar experience, but it wasn't actually a mail bomb, it was a SPAM attempt. If a spammer thinks that your domain may be a free email

Yeah, I've had that happen a couple of times to one of my domains. Not sure how they decided that they should try 15,000 addresses within that domain. I finally had to add the whole domain to badrcptto, because the messages were being sent from a few hundred relays.

Probably time to enable rss on the main SMTP servers, instead of splitting messages off when I deliver them. RSS in particular has never blocked a legit message so far.

I'm just waiting for it to happen again on a message I can track down -- the last one only included some generic 800 number. You see, Colorado has this law that apparently allows me to get $20 to $40 per copy of the message...

Sean
--
"All I'm saying is that when I'm around you I find myself showing off, which is the idiot's version of being interesting." -- _LA_Story_
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
Re: Qmail attack
Could you tell me more about RSS?

> On Tue, Apr 03, 2001 at 06:00:03PM -0600, Keary Suska wrote:
> > I had a similar experience, but it wasn't actually a mail bomb, it was a SPAM attempt. If a spammer thinks that your domain may be a free email
>
> Yeah, I've had that happen a couple of times to one of my domains. Not sure how they decided that they should try 15,000 addresses within that domain. I finally had to add the whole domain to badrcptto, because the messages were being sent from a few hundred relays.
>
> Probably time to enable rss on the main SMTP servers, instead of splitting messages off when I deliver them. RSS in particular has never blocked a legit message so far.
>
> I'm just waiting for it to happen again on a message I can track down -- the last one only included some generic 800 number. You see, Colorado has this law that apparently allows me to get $20 to $40 per copy of the message...
>
> Sean
> --
> "All I'm saying is that when I'm around you I find myself showing off, which is the idiot's version of being interesting." -- _LA_Story_
> Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
Re: Qmail attack
On Wed, Apr 04, 2001 at 12:30:48PM -, Renato wrote:
> Could you tell me more about RSS?

http://mail-abuse.org/rss/

Sean
--
You know you're in Canada when: A radio advertisement comes on advertising "Buy a case of beer, get a free touque."
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
Re: Qmail attack
Renato wrote:
> Well, naturally somebody can connect to port 25 and send this mail with these headers. But the attacker used a script and sent the same message thousands of times!!! My queue grew to more than 10.000 messages in minutes!! What can I do to avoid this type of attack?
>
> Thanks
> Renato - Brazil.

Are you using inetd or xinetd? tcpwrapper or ucspi-tcp?

--
Keith
Network Engineer
Triton Technologies, Inc.
1-800-837-4253
Re: Qmail attack
I'm using tcpserver (ucspi-tcp). (Basically Bruce's RPM for RedHat.)

> Renato wrote:
> > Well, naturally somebody can connect to port 25 and send this mail with these headers. But the attacker used a script and sent the same message thousands of times!!! My queue grew to more than 10.000 messages in minutes!! What can I do to avoid this type of attack?
> >
> > Thanks
> > Renato - Brazil.
>
> Are you using inetd or xinetd? tcpwrapper or ucspi-tcp?
>
> --
> Keith
> Network Engineer
> Triton Technologies, Inc.
> 1-800-837-4253
Re: Qmail attack
I had a similar experience, but it wasn't actually a mail bomb, it was a SPAM attempt. If a spammer thinks that your domain may be a free email service, they will attempt delivery with an apparently random list of users, which I believe is extracted from other free email services.

You could try tarpitting, but that only works with multiple RCPT TO invocations. Even limiting the number of concurrent connections won't necessarily help, since a lot of mail can be delivered in a fairly short amount of time with only 10 incoming connections. And you could also facilitate a self-made DOS attack if the remote SMTP client is persistent.

-K

> From: "Renato" [EMAIL PROTECTED]
> Date: 3 Apr 2001 22:47:27 -
> To: [EMAIL PROTECTED]
> Subject: Qmail attack
>
> Hi all,
>
> I was the victim of an attack today. Somebody connected to my smtp server and sent multiple messages to the same address. The headers look like:
>
> From: "User" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Well, naturally somebody can connect to port 25 and send this mail with these headers. But the attacker used a script and sent the same message thousands of times!!! My queue grew to more than 10.000 messages in minutes!! What can I do to avoid this type of attack?
>
> Thanks
> Renato - Brazil.
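
Added example, not part of any post in this thread and not qmail code: a simplified Python model of the two per-session defenses discussed above, showing why tarpitting adds no delay when each connection carries a single RCPT TO, while a whole-domain badrcptto entry rejects the recipients regardless. The `Policy` class, the threshold and delay values, the `"@host"` entry form, and the `freemail.example` addresses are assumptions made for illustration.

```python
# Simplified model (an assumption, not qmail source) of two per-session SMTP defenses.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    tarpit_count: int = 5              # hypothetical: RCPTs allowed before delays start
    tarpit_delay: float = 5.0          # hypothetical: seconds added per RCPT after that
    bad_rcpt: frozenset = frozenset()  # badrcptto-style entries: "user@host" or "@host"

def rcpt_blocked(policy, rcpt):
    """True if the recipient, or its whole domain, is listed."""
    rcpt = rcpt.lower()
    return rcpt in policy.bad_rcpt or "@" + rcpt.rpartition("@")[2] in policy.bad_rcpt

def run_session(policy, rcpts):
    """Return (accepted recipients, seconds of tarpit delay) for one SMTP session."""
    accepted, delay = 0, 0.0
    for n, rcpt in enumerate(rcpts, start=1):
        if n > policy.tarpit_count:
            delay += policy.tarpit_delay  # the reply to this RCPT TO is stalled
        if not rcpt_blocked(policy, rcpt):
            accepted += 1
    return accepted, delay

def run_flood(policy, sessions):
    """Total accepted recipients and total tarpit delay across many sessions."""
    totals = [run_session(policy, s) for s in sessions]
    return sum(a for a, _ in totals), sum(d for _, d in totals)

# Constructed traffic: 1,000 recipients at a placeholder domain.
TARGETS = [f"user{i}@freemail.example" for i in range(1000)]
ONE_PER_SESSION = [[t] for t in TARGETS]  # one RCPT TO per connection
ONE_BIG_SESSION = [TARGETS]               # every RCPT TO in a single connection

def demo():
    tarpit_only = Policy()
    with_badrcpt = Policy(bad_rcpt=frozenset({"@freemail.example"}))
    return {
        "single_rcpt_tarpit": run_flood(tarpit_only, ONE_PER_SESSION),
        "multi_rcpt_tarpit": run_flood(tarpit_only, ONE_BIG_SESSION),
        "single_rcpt_badrcptto": run_flood(with_badrcpt, ONE_PER_SESSION),
    }

if __name__ == "__main__":
    for name, (accepted, delay) in demo().items():
        print(f"{name}: accepted={accepted} tarpit_delay={delay:.0f}s")
```

In this model the tarpit only costs the sender time when many recipients share one session; the single-recipient sessions are all accepted with no delay unless the domain is listed.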