Re: Distributed mailbombing on one address

From: Frank Bonnet (f.bonnetesiee.fr)
Date: Fri Mar 28 2008 - 10:14:11 CDT


Jorey Bump wrote:
> Frank Bonnet wrote, at 03/28/2008 10:17 AM:
>
>> The mailbox of a user here is literally mailbombed (~ 4 mails / second).
>> I have checked the email syslog and it appears the attack is distributed
>> and comes from dozens of random servers ...
>>
>> I have setup a new account for the user but the attack still continues.
>>
>> For now I have aliased the attacked address to /dev/null, but I wonder
>> what would be the most efficient method (the one which generates the
>> smallest load on the server) to refuse/discard emails for this address?
>
> This could be backscatter:
>
> http://www.postfix.org/BACKSCATTER_README.html
>

Thank you for this link

I think the problem would be elsewhere: I've found a *lot* of references
to the qmail-send program in syslog from a growing number of servers.

I have now modified the alias and redirected all emails for this address
to another isolated machine to analyse the log without disturbing our
mailhub.

Let's see where it comes from.
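
One way to test the backscatter hypothesis raised in this thread from the mail log, as an added example that is not part of the original messages. It assumes Postfix-format syslog lines (the thread does not name the MTA); the function name `triage` and all hosts, addresses and queue IDs are constructed. Bounces carry the null envelope sender `<>`, so a high null-sender share spread over many clients points to backscatter.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in Postfix syslog format (not from the thread).
SAMPLE_LOG = """\
Mar 28 10:01:02 mailhub postfix/smtpd[2101]: 4A1B2C3D01: client=mx1.example.net[192.0.2.10]
Mar 28 10:01:02 mailhub postfix/qmgr[900]: 4A1B2C3D01: from=<>, size=2210, nrcpt=1 (queue active)
Mar 28 10:01:02 mailhub postfix/local[2105]: 4A1B2C3D01: to=<victim@example.org>, relay=local, status=sent (delivered to file: /dev/null)
Mar 28 10:01:03 mailhub postfix/smtpd[2102]: 4A1B2C3D02: client=mail.example.com[198.51.100.7]
Mar 28 10:01:03 mailhub postfix/qmgr[900]: 4A1B2C3D02: from=<>, size=1987, nrcpt=1 (queue active)
Mar 28 10:01:03 mailhub postfix/local[2106]: 4A1B2C3D02: to=<victim@example.org>, relay=local, status=sent (delivered to file: /dev/null)
Mar 28 10:01:04 mailhub postfix/smtpd[2101]: 4A1B2C3D03: client=mx1.example.net[192.0.2.10]
Mar 28 10:01:04 mailhub postfix/qmgr[900]: 4A1B2C3D03: from=<bob@example.net>, size=804, nrcpt=1 (queue active)
Mar 28 10:01:04 mailhub postfix/local[2107]: 4A1B2C3D03: to=<victim@example.org>, relay=local, status=sent (delivered to file: /dev/null)
Mar 28 10:01:05 mailhub postfix/smtpd[2103]: 4A1B2C3D04: client=relay.example.org[203.0.113.5]
Mar 28 10:01:05 mailhub postfix/qmgr[900]: 4A1B2C3D04: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Mar 28 10:01:05 mailhub postfix/local[2108]: 4A1B2C3D04: to=<other@example.org>, relay=local, status=sent (delivered to mailbox)
"""

# Captures the queue ID plus the client=, from= or to= value that follows it.
LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (client|from|to)=<?([^>,\s]*)>?")

def triage(log_text, recipient):
    """Join smtpd/qmgr/delivery lines on queue ID and summarise one recipient's mail."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            qid, key, value = m.groups()
            msgs.setdefault(qid, {})[key] = value
    hits = [m for m in msgs.values() if m.get("to") == recipient]
    return {
        "total": len(hits),
        # from=<> is the null envelope sender used by bounce messages
        "null_sender": sum(1 for m in hits if m.get("from") == ""),
        "clients": Counter(m.get("client", "?") for m in hits),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "victim@example.org"))
```
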