Security Incidents mailing list archives

Re: Email attack


From: "Greg A. Woods" <woods () weird com>
Date: Mon, 5 Feb 2001 13:41:11 -0500

[ On Monday, February 5, 2001 at 12:33:15 (-0500), Kee Hinckley wrote: ]
Subject: Email attack

I assume this is specific to somewhere.com--we seem to attract this
kind of thing.

2001-02-01
We were under email attack (a message a second) addressed to
somebody () somewhere com (a non-existent address).  The attack went on
for several hours until I finally blocked the two sending machines at
my router.

This may not have been an "attack" per se.

Some mailers (and I use that term very lightly because I'm intending to
include all spam-ware in its definition) are extremely broken and will
continue to try to deliver to a destination despite receiving immediate
5xx SMTP responses that "MUST" always cause an immediate bounce.  I've
received hundreds of connections per minute from even the likes of
Netscape's mail server (though an ancient version of Apple's mailserver
for MacOS was the most broken I ever encountered as it didn't even back
down after an hour or so and then wait for another queue run -- it just
kept spewing!  Luckily that bug's been fixed in newer versions).  Lsoft's
NT mailer is the most recent culprit for disobeying SMTP response codes
and unfortunately its author will listen to neither logic, insults, nor
threats!  :-)

I can't reach the first machine you mentioned at the moment so perhaps
whatever's wrong with it is being addressed (or it's crashed! :-)....

The second machine answers with responses that don't give me quite
enough information to identify it (and clearly show that it's already in
violation of RFC-821 right from the first greeting it sends), and given
what it does do I wouldn't be at all surprised that it could be
responsible for the connection "attack" you witnessed.  Here's what I
see:

        $ telnet 193.219.211.9 25
        Trying 193.219.211.9...
        Connected to mx.nkm.lt.
        Escape character is '^]'.
        220  ESMTP
        HELP
        214 try reading large books about smtp
        DEBUG
        502 I don't know such command... and I do not care.
        VERB
        502 I don't know such command... and I do not care.
        RCPT TO:<postmaster>
        503 MAIL first (#5.5.1)
        HELO foo
        250
        RCPT TO:<postmaster>
        503 MAIL first (#5.5.1)
        MAIL FROM:<>
        250 yeah rulez
        RCPT TO:<postmaster>
        250 cool, I like it.
        quit
        221
        Connection closed by foreign host.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
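The post above describes mailers that keep reconnecting and retrying the same non-existent recipient after being handed a 5xx reply, which under RFC 821 (and its successor RFC 5321) is a permanent negative completion that a client must not retry. The script below is an added example, not part of the original thread, that picks those clients out of a log so they can be blocked at the router as the original poster did. The log format is a constructed, simplified one (epoch, client IP, recipient, SMTP reply code), not any particular MTA's, and the sample lines are made up for the example.

```python
"""Flag SMTP clients that keep retrying a recipient after a permanent (5xx) reject.

Constructed log format, one line per RCPT decision (not any specific MTA's):
    <epoch_seconds> <client_ip> <recipient> <smtp_reply_code>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical addresses and IPs):
#  - 10.0.0.5 is told 550 and keeps hammering the same mailbox once a second
#  - 10.0.0.9 gets a 450 (transient) and retries later, which is legitimate
#  - 10.0.0.7 gets one 550 and stops, as a compliant mailer should
SAMPLE_LOG = """\
1000 10.0.0.5 somebody@somewhere.example 550
1000 10.0.0.9 alice@somewhere.example 450
1001 10.0.0.5 somebody@somewhere.example 550
1002 10.0.0.7 nobody@somewhere.example 550
1002 10.0.0.5 somebody@somewhere.example 550
1003 10.0.0.5 somebody@somewhere.example 550
1004 10.0.0.5 somebody@somewhere.example 550
1300 10.0.0.9 alice@somewhere.example 450
1600 10.0.0.9 alice@somewhere.example 250
"""


@dataclass(frozen=True)
class Attempt:
    ts: int
    client: str
    rcpt: str
    code: int


@dataclass(frozen=True)
class RetryStorm:
    client: str
    rcpt: str
    retries_after_reject: int  # attempts made after the first 5xx
    seconds: int               # span from first 5xx to last retry


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, rcpt, code = line.split()
        attempts.append(Attempt(int(ts), client, rcpt, int(code)))
    return attempts


def is_permanent(code):
    """5yz is a permanent negative completion; the client must bounce, not retry.
    4yz is transient and may legitimately be retried on a later queue run."""
    return 500 <= code < 600


def find_retry_storms(attempts, min_retries=3):
    """Return (client, recipient) pairs retried at least min_retries times
    after the server's first permanent rejection of that recipient.

    Any attempt after the first 5xx counts, whatever reply it got: the
    client already had a definitive answer and should not have come back.
    """
    first_reject = {}
    last_seen = {}
    retries = defaultdict(int)
    for a in sorted(attempts, key=lambda a: a.ts):
        key = (a.client, a.rcpt)
        if key in first_reject:
            retries[key] += 1
            last_seen[key] = a.ts
        elif is_permanent(a.code):
            first_reject[key] = a.ts
            last_seen[key] = a.ts
    storms = [
        RetryStorm(client, rcpt, n, last_seen[(client, rcpt)] - first_reject[(client, rcpt)])
        for (client, rcpt), n in retries.items()
        if n >= min_retries
    ]
    return sorted(storms, key=lambda s: s.retries_after_reject, reverse=True)


if __name__ == "__main__":
    for s in find_retry_storms(parse_log(SAMPLE_LOG)):
        print(f"{s.client} retried {s.rcpt} {s.retries_after_reject}x "
              f"over {s.seconds}s after a 5xx; candidate for a router block")
```

Only the client that ignored a 5xx is reported; the 450 retries from 10.0.0.9 are exactly what a well-behaved queue does and must not be blocked on this evidence alone. Tune `min_retries` to the volume you consider abusive; a message a second for hours, as in the original report, will clear any sane threshold.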

