Security Incidents mailing list archives

Re: SMTP server (How can I find out the real source of an attack)


From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sun, 15 Jul 2001 11:42:00 +0200 (MET DST)

On Thu, 12 Jul 2001 Valdis.Kletnieks () vt edu wrote:

> I've seen multiple systems that don't understand the meaning of "required
> delay before retry" as per RFC1123 - systems that in their normally broken
> state will retry over and over and over.  I can sympathize with your
> 7x/sec - I once got hit by something that retried 10x/sec for about 2 days
> before I finally found the owner and chastised them....

I have seen a system failing to understand both the meaning of "required
delay before retry" and the meaning of standard SMTP reply codes recently!
The receiving MTA failed to accept some messages with 5xx after DATA, yet
the system in question kept those messages in its queue and tried to send
them again and again. It was MS Exchange (surprise) behind some
unidentified kind of proxy (*). Fortunately, the rate was "only" 2 retries
every 30 seconds (1 retry per 1 queued message) for cca 20 hours until
it was stopped by human intervention.

I see a trend: Yesterday, the Internet was a happy place free of DoS
attacks. Today, we suffer from a relatively small number of intentional
DoS attacks. Tomorrow, the whole Internet will collapse under a massive
wave of accidental DoS attacks caused by braindead software written and
configured by ignorant people. :P

(*) As far as I remember, the proxy said something like
"220-server.dns.name Connection Established\r\n220 ESMTP\r\n" when an SMTP
connection was opened to it and something including the client's DNS name
when the connection was closed. I'd be grateful if anyone could identify
that piece of software and tell me.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
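Added detection example, not part of the original post or thread: a Python script that scans constructed receiving-MTA log lines and flags clients that re-submit a message after a permanent 5xx reply, or retry after a 4xx sooner than the 30-minute minimum that RFC 1123 section 5.3.1.1 recommends. The log format, host names and message ids are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): a simplified
# receiving-MTA log with timestamp, client, message id and final reply code.
SAMPLE_LOG = """\
2001-07-12T10:00:00 client=proxy.example.net[192.0.2.10] msgid=<a1@ex> reply=554
2001-07-12T10:00:15 client=proxy.example.net[192.0.2.10] msgid=<b2@ex> reply=554
2001-07-12T10:00:30 client=proxy.example.net[192.0.2.10] msgid=<a1@ex> reply=554
2001-07-12T10:00:45 client=proxy.example.net[192.0.2.10] msgid=<b2@ex> reply=554
2001-07-12T10:01:00 client=proxy.example.net[192.0.2.10] msgid=<a1@ex> reply=554
2001-07-12T10:02:00 client=mail.example.org[198.51.100.7] msgid=<c3@ex> reply=451
2001-07-12T10:12:00 client=mail.example.org[198.51.100.7] msgid=<c3@ex> reply=451
2001-07-12T10:45:00 client=mail.example.org[198.51.100.7] msgid=<c3@ex> reply=451
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) msgid=(?P<msgid>\S+) reply=(?P<code>\d{3})$"
)

# RFC 1123 section 5.3.1.1: the retry interval SHOULD be at least 30 minutes.
MIN_RETRY = timedelta(minutes=30)


def analyze_retries(log_text, min_retry=MIN_RETRY):
    """Per client: count attempts made after a permanent 5xx reply for the
    same message, and 4xx retries that come back sooner than min_retry."""
    last_seen = {}  # (client, msgid) -> (timestamp, reply code)
    report = defaultdict(lambda: {"after_5xx": 0, "fast_4xx": 0, "attempts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        client, msgid, code = m["client"], m["msgid"], m["code"]
        report[client]["attempts"] += 1
        if (client, msgid) in last_seen:
            prev_ts, prev_code = last_seen[(client, msgid)]
            if prev_code.startswith("5"):
                # 5xx is permanent: any further attempt is a protocol violation.
                report[client]["after_5xx"] += 1
            elif prev_code.startswith("4") and ts - prev_ts < min_retry:
                report[client]["fast_4xx"] += 1
        last_seen[(client, msgid)] = (ts, code)
    return {c: r for c, r in report.items() if r["after_5xx"] or r["fast_4xx"]}


if __name__ == "__main__":
    for client, r in analyze_retries(SAMPLE_LOG).items():
        print(f"{client}: {r['after_5xx']} attempts after 5xx, "
              f"{r['fast_4xx']} 4xx retries sooner than {MIN_RETRY}")
```

Only clients with at least one violation appear in the result, so a well-behaved sender that waits more than 30 minutes between 4xx retries is never reported.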

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com