On Sun, Jun 20, 2004 at 06:06:31PM -0400, Jayson Smith wrote:
> First, can you shut down the mailserver for a moment to try to make them
> think you've caught up to them?

Ok, let me expand a bit. I ended up allowing mail to all non-existent addresses at the domain in question, and simply dumped them into /dev/null. I did this since the address attackers and spammers were taking advantage of the backup MX, sending their junk through it, which it would then send to me, and which I would naturally reject as invalid users. The end result was that the undeliverable mail would get stuck in the backup MX machine's queue, so I let all users through to take the load off of the backup MX's queue, while not filling up my own.

To get back to your question, I don't want to just shut the mail server down, since that would affect all other mail deliveries. However, I did disable the accepting of mail for invalid users, so the RCPT TO command got back a 553 response. I enabled it again after a couple of hours, and the flood of this stuff continued as soon as I allowed mail for non-existing accounts through. Naturally, I took some more action, and started piping the stuff to a file, rather than to /dev/null. The attack has stopped now, and the resulting file is 12 megs in size. It seems to contain the same From and Subject fields for all messages. Also, the body is the same, and says "surprise". Finally, there is a surprise.exe attachment, which makes me think that some poor sap didn't know better than to secure their box against viruses. Still, that's definitely no excuse to forgive and forget.

> How about somehow blocking their ip? Or,
> if you can anticipate an address they will soon use, quick like a bunny set
> up a user under that name, then that user can report it to Spamcop.

While I could block the IP, it looks like this is a dynamic one, so that wouldn't have helped for long, though the same IP was used throughout the attack as far as I could tell. I suppose I'll have to implement a dynamic IP black list. That's something I didn't want to do, given that people with dynamic IP addresses run their own SMTP, and send legitimate mail, but ... Also, this wasn't a dictionary attack in the strict sense, since the addresses were either gibberish, or were German words (a German ISP was where this IP traced back to). Also, while I mentioned that previous such attacks came through the backup MX, this one was connecting directly to my host.

Greg

-- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
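A small triage script for a captured spool like the one Greg piped to a file, grouping messages by From, Subject and attachment name and counting the IP each arrived from, so a flood of identical messages from one source stands out. This is an added example, not code from the original thread or from any mail server; the mbox sample is constructed with placeholder addresses and IPs, and it assumes message bodies escape leading "From " lines in the usual mboxo way.

```python
import email
import re
from collections import Counter
from email import policy

# Constructed mbox sample (placeholder addresses and IPs): two copies of the flood message plus one unrelated message.
FLOOD = """From sender@example.invalid Sun Jun 20 18:00:00 2004
Received: from unknown (HELO pc) (192.0.2.10)
 by mx.example.invalid with SMTP; Sun, 20 Jun 2004 18:00:00 -0400
From: sender@example.invalid
Subject: surprise
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

surprise
--B
Content-Type: application/octet-stream; name="surprise.exe"
Content-Disposition: attachment; filename="surprise.exe"

placeholder bytes, not a real program
--B--
"""
LEGIT = """From friend@example.invalid Sun Jun 20 19:00:00 2004
Received: from mail.example.invalid (198.51.100.7)
 by mx.example.invalid with ESMTP; Sun, 20 Jun 2004 19:00:00 -0400
From: friend@example.invalid
Subject: hello

Just checking in.
"""
SAMPLE_MBOX = FLOOD * 2 + LEGIT

def parse_mbox(text):
    """Split on mbox 'From ' separator lines (bodies assumed to use '>From ' escaping)."""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [email.message_from_string(c, policy=policy.default) for c in chunks if c.strip()]

def triage(text):
    """Return (counts per (From, Subject, attachment names), counts per source IP)."""
    signatures, sources = Counter(), Counter()
    for msg in parse_mbox(text):
        names = tuple(sorted(p.get_filename() or "" for p in msg.iter_attachments()))
        signatures[(str(msg["From"]), str(msg["Subject"]), names)] += 1
        # The topmost Received header is the one added by our own MX; take its IP.
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", str(msg.get("Received", "")))
        sources[ip.group(0) if ip else "unknown"] += 1
    return signatures, sources
```

Run `triage(open(path).read())` on the captured file and sort both counters by count; one signature and one IP dominating is the pattern described above, and the IP count is what a temporary block or rate limit would be based on.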