And all of those ideas are excellent that were offered as well. http://www.covenantdata.com ...Where data becomes information! Robert Williams Programmer / Web Developer / Network Administrator Covenant Data Systems, Inc. http://www.covenantdata.com rwilliams@xxxxxxxxxxxxxxxx -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Jessica Zhu Sent: Tuesday, August 23, 2005 12:28 PM To: General Red Hat Linux discussion list Subject: Re: Mail Attack Hi Ed, On Tue, 23 Aug 2005, Ed Wilts wrote: > On Tue, Aug 23, 2005 at 10:09:02PM +0600, Aroop Maliakkal wrote: > > The <> messages are bounced messages. Someone may be spammed from your > > server and those address falied is bouncing back now. Make sure your > > server is secure and no one abusing it. Check for malicious scripts ...( > > expecially in /tmp..)... > > Have a nice hunting:-) > /tmp was checked. Nothing turned out. Part of the bounced back messages which included detailed header for original mail checked, till now no one is really from us. > Another possibility is that somebody outside of your organization forged > their From: addresses to be from your domain. They then spam like crazy > and all the bounce messages go to you. Somebody did that to us and it's > not easy to recover from. The bounce messages come from all over so you > can't block the senders (the sending host is likely legitimate anyway). > That's exactly what happened to us. Somebody outside of our organization forged the From: addresses and we became the victim to that. At this point, it seemed that our syslog is so busy to write the maillog that it becomes a heavy process. This morning around 8AM, this drives our system load over 20 and the system becomes slower and slower. Now it seemed the worst time is over. However, I worried with such baounced back volumes increasing, our system can not afford to it finally. > In our case, it happened to be a inactive domain. We just directed that > domain to a black hole and the firewalls dropped the smtp messages. If > the domain is active, there's not a lot you can do except ride out the > storm. Are the messages coming to random usernames or a handful of > specific ones? If they're specific, you can add mail access rules to All the messages come to random usernames. A lot don't exist. > sendmail to discard those and that will help the flood a bit. If > they're random, you can't block by source and you can't block by > destination. Not good... > > No penalty is severe enough for a spammer. Absolutely. We cannot afford the system down. So really hope someone here has the solution for this. Jessica > > > Jessica Zhu wrote: > > > > >Hi, > > > > > >It looks like we are experiencing the mail attack now. > > > > > >In our maillog, we have a lot of User Unknown message like the following. > > > > > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: > > ><Oscard@xxxxxxxxxxxxx>... User unknown > > >Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, > > >size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, > > >relay=mail.vis-inc.net [66.77.28.202] > > > > > >It looks like that all the from is <>, does anyone have the way to fight > > >against it. > > > > > >Jessica > > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
