From: Vivek Khera (khera@kcilink.com)
Date: Wed May 01 2002 - 11:51:32 CDT
Executive summary:
Appending myorigin to SMTP sender address in logs threw me off the
trail of how to block an apparent mailbomb attack.
Long story:
Since yesterday, I've been mail-bombed by what *seems* to be some
Checkpoint Firewall-1 software going haywire reporting a licence
violation. Unfortunately, this violation notice comes in at about one
every other minute, sometimes more. The people I spoke to at
checkpoint are not sure if their software does this email
notification, but are looking into it.
My first trick was to cut off the IP of the offending source at the
firewall, assuming some poor dolt accidentally mistyped my mail
server's IP as his own. Then I got another site doing the same, so
blocked their IP as well. I guess you can see where this is going:
today I had no fewer than 5 servers doing this to me.
The headers of one of the messages look like this:
Return-Path: <SYSTEM@m1e.net>
Delivered-To: khera@kcilink.com
Received: from w01.m1e.net (w01.m1e.net [206.112.95.5])
    by yertle.kciLink.com (Postfix) with ESMTP id 734D52178A
    for <root+mm@kcilink.com>; Tue, 30 Apr 2002 18:42:38 -0400 (EDT)
Received: from itd-syd-fw.it.alstom.com.au (net3157-2.gw.connect.com.au [203.63.127.241])
    by w01.m1e.net (Postfix) with SMTP id E59AD3629B
    for <root>; Tue, 30 Apr 2002 18:42:36 -0400 (EDT)
Message-Id: <20020430224236.E59AD3629B@w01.m1e.net>
From: SYSTEM@m1e.net
To: undisclosed-recipients: ;
Subject: Alert
Date: Tue, 30 Apr 2002 18:42:36 -0400 (EDT)
Here are the log entries for this:
Apr 30 18:42:36 w01 postfix/smtpd[37605]: E59AD3629B: client=net3157-2.gw.connect.com.au[203.63.127.241]
Apr 30 18:42:38 w01 postfix/cleanup[41239]: E59AD3629B: message-id=<20020430224236.E59AD3629B@w01.m1e.net>
Apr 30 18:42:38 w01 postfix/nqmgr[15979]: E59AD3629B: from=<SYSTEM@m1e.net>, size=931, nrcpt=1 (queue active)
Apr 30 18:42:38 w01 postfix/smtp[54481]: E59AD3629B: to=<root+mm@kcilink.com>, relay=yertle.kcilink.com[216.194.193.105], delay=2, status=sent (250 Ok: queued as 734D52178A)
"root+mm@kcilink.com" is the expansion for "root@m1e.net" in
a virtual table. myorigin is m1e.net, and all mail is handled via the
virtual table since no real users exist on this box. Note that the
original Received line says the message was for <root>, so this is
expected.
Note also the from=<SYSTEM@m1e.net> in the logs. This is
misleading, because as we'll see the real FROM address is "SYSTEM".
This is where I went astray...
To block this, I set up smtp_recipient_restrictions with
check_sender_access to a file that rejects "SYSTEM@m1e.net". However,
this doesn't match the real sender.
So, I added reject_unknown_sender_domain and poof! the messages
started to get blocked:
reject: RCPT from net3157-2.gw.connect.com.au[203.63.127.241]: 554
<SYSTEM>: Sender address rejected: Access denied; from=<SYSTEM>
to=<root>
Curiously, I can't reject this message on sender_access of "SYSTEM@"
either.
This box has practically no spam trapping for business reasons, so I'd
like to avoid having such restrictions, but in this case I just have
to do it.
So my question/complaint is: should the logs record the unaltered
sender/recipient? I think it would be useful, but then it is also
useful the way it is currently, too.
Also, is anyone else seeing this type of thing or am I just the lucky
one?
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-240-453-8497
AIM: vivekkhera  Y!: vivek_khera  http://www.khera.org/~vivek/
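A worked example, added to this archive page and not part of Vivek's post or of Postfix itself: a small Python script that correlates Postfix log lines by queue ID the way one would when chasing the mailbomb described above. It treats the from=<...> that nqmgr logs as already rewritten (by the time qmgr logs it, cleanup has appended myorigin to a domain-less sender) and flags SMTP submissions from outside mynetworks whose logged sender domain is myorigin, which is exactly what a bare envelope sender such as "SYSTEM" turns into. It also pulls the unrewritten sender out of smtpd reject lines, which are logged before any rewriting. The log lines embedded in the script are constructed to match the ones quoted in the post plus two invented messages; myorigin = m1e.net and the MYNETWORKS list are assumptions, and the function and variable names are the example's own.

```python
"""Correlate Postfix log lines by queue ID and flag messages whose logged
sender looks like a domain-less envelope address with myorigin appended.
Added example; constructed input, not a real capture."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed values for the box in the post: its myorigin and its own networks.
MYORIGIN = "m1e.net"
MYNETWORKS = [ipaddress.ip_network("206.112.95.0/24"),
              ipaddress.ip_network("127.0.0.0/8")]

# "Mon DD hh:mm:ss host postfix/prog[pid]: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<detail>.*)$")
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"\bto=<(?P<addr>[^>]*)>")
REJECT_RE = re.compile(
    r"^reject: RCPT from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"<(?P<addr>[^>]*)>: (?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")

# Constructed sample log modelled on the lines quoted in the post. The last
# line is what smtpd logs once a sender restriction rejects the message.
SAMPLE_LOG = """\
Apr 30 18:42:36 w01 postfix/smtpd[37605]: E59AD3629B: client=net3157-2.gw.connect.com.au[203.63.127.241]
Apr 30 18:42:38 w01 postfix/cleanup[41239]: E59AD3629B: message-id=<20020430224236.E59AD3629B@w01.m1e.net>
Apr 30 18:42:38 w01 postfix/nqmgr[15979]: E59AD3629B: from=<SYSTEM@m1e.net>, size=931, nrcpt=1 (queue active)
Apr 30 18:42:38 w01 postfix/smtp[54481]: E59AD3629B: to=<root+mm@kcilink.com>, relay=yertle.kcilink.com[216.194.193.105], delay=2, status=sent (250 Ok: queued as 734D52178A)
Apr 30 18:44:10 w01 postfix/smtpd[37605]: 0A1B2C3D4E: client=fw.example.org[198.51.100.7]
Apr 30 18:44:11 w01 postfix/nqmgr[15979]: 0A1B2C3D4E: from=<SYSTEM@m1e.net>, size=930, nrcpt=1 (queue active)
Apr 30 18:45:00 w01 postfix/smtpd[37611]: F00DBABE01: client=mail.example.net[192.0.2.10]
Apr 30 18:45:01 w01 postfix/nqmgr[15979]: F00DBABE01: from=<alice@example.net>, size=1200, nrcpt=1 (queue active)
May  1 09:00:00 w01 postfix/smtpd[37620]: reject: RCPT from net3157-2.gw.connect.com.au[203.63.127.241]: 554 <SYSTEM>: Sender address rejected: Access denied; from=<SYSTEM> to=<root>
"""


def parse_log(log_text):
    """Return (one record per queue ID, list of smtpd reject records)."""
    messages = defaultdict(dict)
    rejects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        q = QUEUE_RE.match(rest)
        if q:
            rec, detail = messages[q["qid"]], q["detail"]
            if (c := CLIENT_RE.search(detail)):       # smtpd: remote client
                rec["client_name"], rec["client_ip"] = c["name"], c["ip"]
            if (f := FROM_RE.search(detail)):         # qmgr: already rewritten
                rec["from"] = f["addr"]
            if (t := TO_RE.search(detail)):           # delivery agent
                rec.setdefault("to", []).append(t["addr"])
        elif (r := REJECT_RE.match(rest)):            # smtpd: raw envelope
            rejects.append({"client_ip": r["ip"], "from": r["from"],
                            "to": r["to"], "reason": r["reason"]})
    return dict(messages), rejects


def is_local_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def probable_bare_senders(messages, myorigin=MYORIGIN):
    """Queue IDs whose from= was logged as user@myorigin although the message
    came in over SMTP from outside MYNETWORKS. Since cleanup appends myorigin
    to a domain-less sender before qmgr logs it, such a record most likely
    arrived as a bare 'user' (or as a forged local address). Triage heuristic,
    not proof."""
    hits = []
    for qid, rec in messages.items():
        sender = rec.get("from", "")
        domain = sender.rpartition("@")[2] if "@" in sender else ""
        ip = rec.get("client_ip")
        if ip and not is_local_client(ip) and domain.lower() == myorigin.lower():
            hits.append(qid)
    return sorted(hits)


def sources(messages, qids):
    """Offending client IPs with counts: the list the post's author fed to his firewall."""
    return Counter(messages[q]["client_ip"] for q in qids)


def raw_senders(rejects):
    """Envelope senders exactly as smtpd saw them; reject lines are not rewritten."""
    return sorted({r["from"] for r in rejects})


if __name__ == "__main__":
    msgs, rej = parse_log(SAMPLE_LOG)
    hits = probable_bare_senders(msgs)
    print("suspect queue IDs:", hits)
    print("by source IP:", dict(sources(msgs, hits)))
    print("raw envelope senders from reject lines:", raw_senders(rej))
```

Run as a script it prints the suspect queue IDs, their source IPs and the unrewritten senders. The heuristic only says where to look: a remote site can also legitimately (or deliberately) use a user@myorigin sender, so confirm against the smtpd reject lines, which carry the sender as received, before blocking a source.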