OSEC

Re: mailbombing (2)

From: Kelvin Smith (kelvinskelhome.dyndns.org)
Date: Sat Apr 05 2008 - 15:48:33 CDT


I had the same issue. Being mailbombed from servers all over the world
and it walked through the greylist filter as they came from valid mail
servers. Even reverse look ups on the incoming domain name etc worked,
and spamhaus and backlist servers were ineffective. This ended up being
a DOS attack, as we were receiving 100's of connections per minute
preventing normal mail to flow. In this case, you could construe this
as being targeted, as it was always to the same person. After a few
days of not settling down, I parsed the log, and had greater than 20000
different IP addresses attempting to deliver mail from Mailer Daemon
(mostly with SPAM embedded). More than we could block with firewall
rules etc.

In the end, we handed off the domain to a third party to anti-virus and
SPAM before passing it through. Trend Micro performs this facility as
well as others.

This is reminiscent of the "open relay" issue that plagued mail
administrators years ago. We just have to wait until everyone fixes up
the configuration of their mailservers to check recipient addresses
during the initial connection phase. (**IE Microsoft needs to make it
default behaviour**)

Wouldn't it be good if there was a place that mail administrators could
go to, that published the requirements that the mail server MUST adhere
to, ie no open relay, check recipients and block during initialisation
phase, use spamhaus or equiv. Wouldn't this then stop most of the
spammers overnight?

I know that ISP's and black lists can be quick to shut down an open
relay server. Perhaps they should add backscatter tests to their
repertoire?

Kelvin

On Thu, 2008-04-03 at 19:21 -0500, Jim Wright wrote:
> On Apr 3, 2008, at 7:54 AM, Jorey Bump wrote:
>
> > Erwan David wrote, at 04/03/2008 06:58 AM:
> >> On Thu, Apr 03, 2008 at 12:50:59PM CEST, Frank Bonnet <f.bonnetesiee.fr> said:
> >>> In: MAIL FROM:<> SIZE=4818
> >>>
> >>> Note : the sending server is never the same, the attack is
> >>> distributed
> >>> so filtering is a utopia.
> >> Did you try greylisting ? If the sending server is never the same
> >> nothing will be transmitted, and since the message is refused before
> >> the DATA command, the message itself is not transmitted.
> >
> > This looks like backscatter caused by forged sender addresses from
> > his domain, so greylisting is unlikely to help.
>
> Ah, yes, that's certainly a possibility, and so these may well be
> legitimate (badly managed) servers sending bounces after the fact, so
> they are likely to retry. But as I said before, if these are
> generally to invalid accounts, rejecting these right off as being for
> unknown users is what needs to happen. If the accounts are actual
> live accounts, I'd say that delivering them is the right thing to do,
> as there would be no easy way to tell if these bounces are legitimate
> or not.
>
> A while back I weathered a backscatter storm like that, legitimate
> servers were sending bounces from non-existent accounts, they were all
> rejected properly. It is amazing how many systems out there are
> misconfigured, sending bounces after accepting mail...
--
Kelvin Smith <kelvinskelhome.dyndns.org>
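Kelvin describes parsing the mail log to find how many distinct hosts were delivering null-sender (Mailer-Daemon) bounces and how many connections per minute were arriving. The script below is an added example of that triage step, not code from the original post or from any participant. The post does not name the MTA, so a Postfix-style log format is assumed (smtpd `client=host[ip]` lines and qmgr `from=<>` lines joined on the queue id); the log lines, IP addresses, queue ids and thresholds are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample of Postfix-style smtpd/qmgr lines (not from the original post).
# A "from=<>" envelope is a null-sender delivery, i.e. a bounce: a flood of these
# from many unrelated hosts is what a backscatter storm looks like in the log.
SAMPLE_LOG = """\
Apr  5 14:00:01 mx postfix/smtpd[101]: 1A2B3C: client=unknown[203.0.113.10]
Apr  5 14:00:02 mx postfix/qmgr[20]: 1A2B3C: from=<>, size=4818, nrcpt=1 (queue active)
Apr  5 14:00:03 mx postfix/smtpd[102]: 4D5E6F: client=mail.example.net[198.51.100.7]
Apr  5 14:00:03 mx postfix/qmgr[20]: 4D5E6F: from=<alice@example.net>, size=2210, nrcpt=1 (queue active)
Apr  5 14:00:10 mx postfix/smtpd[103]: 7A8B9C: client=unknown[203.0.113.11]
Apr  5 14:00:11 mx postfix/qmgr[20]: 7A8B9C: from=<>, size=4818, nrcpt=1 (queue active)
Apr  5 14:00:40 mx postfix/smtpd[104]: 0D1E2F: client=unknown[203.0.113.10]
Apr  5 14:00:41 mx postfix/qmgr[20]: 0D1E2F: from=<>, size=4818, nrcpt=1 (queue active)
Apr  5 14:01:05 mx postfix/smtpd[105]: 3A4B5C: client=unknown[192.0.2.44]
Apr  5 14:01:06 mx postfix/qmgr[20]: 3A4B5C: from=<>, size=4818, nrcpt=1 (queue active)
"""

# Timestamp is captured down to the minute so per-minute rates can be computed.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d{2}:\d{2}):\d{2} \S+ postfix/\S+\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"^client=\S+\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")


def null_sender_deliveries(log_text):
    """Return (minute, client_ip) for every delivery whose envelope sender is empty.

    The client IP and the envelope sender are logged on different lines by
    different Postfix daemons, so they are joined on the queue id.
    """
    client_of = {}  # queue id -> (minute, client ip), from smtpd client= lines
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        c = CLIENT_RE.match(rest)
        if c:
            client_of[qid] = (m.group("minute"), c.group("ip"))
            continue
        f = FROM_RE.match(rest)
        if f and f.group("sender") == "" and qid in client_of:
            hits.append(client_of[qid])
    return hits


def assess(log_text, distinct_ip_threshold=1000, per_minute_threshold=100):
    """Summarise null-sender traffic and flag a likely backscatter storm.

    Thresholds are constructed defaults: a bounce flood is characterised by
    many distinct sending hosts (too many to firewall individually) and a
    sustained per-minute rate high enough to crowd out normal mail.
    """
    hits = null_sender_deliveries(log_text)
    per_ip = Counter(ip for _, ip in hits)
    per_minute = Counter(minute for minute, _ in hits)
    peak = max(per_minute.values(), default=0)
    return {
        "null_sender_total": len(hits),
        "distinct_ips": len(per_ip),
        "top_ips": per_ip.most_common(5),
        "peak_per_minute": peak,
        "likely_backscatter_storm": (
            len(per_ip) >= distinct_ip_threshold or peak >= per_minute_threshold
        ),
    }


if __name__ == "__main__":
    # On the sample this reports 4 null-sender deliveries from 3 distinct hosts,
    # peaking at 3 per minute; with the default thresholds that is not a storm.
    print(assess(SAMPLE_LOG))
```

The useful output is the distinct-host count and the per-minute peak, not the per-IP ranking: when thousands of unrelated legitimate servers are each sending one or two bounces, blocking by IP cannot keep up, which is the situation Kelvin describes and why the fix has to be on the receiving side (rejecting unknown recipients at RCPT time so the bounces are never generated) or upstream at a filtering provider.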