Security Basics mailing list archives

Re: SMTP DDoS

From: "Tomas Wolf" <tomas () skip cz>
Date: Mon, 11 Aug 2003 23:29:42 +0200

Hello,

 I would look for patterns. I'm sorry that I don't have time right now (i have to move over the ocean in a month), but 
take several spams and look into the header... And look for the last "relly-to:" - sometimes it has an IP of the 
spammer. Whois that IP, dig that IP too (and maybe ping or nmap if ICMP are filtered)... See who is the first relaying 
SMTP and also look for patherns in regular e-mails.

 After you are done, you might find that spam comes through strange routes and that these routes are destinguishable 
from "normal" e-mail, so one can apply "pre-filter" on a router or firewall, where these e-mails will be dropped.

 And the last instance is to work with the networks that are involved before it gets to yours... ISPs etc.

 Many of the spamms are originated from Holland and Italy (at least most of the ones I get).

 Maybe setting a "hard route" through your ISP in the same SMTP domain would be also possible...

 I hope this was of any help...

 Good luck -- Tomas

Hi everyone,

For the past 10 days, our mail exchange server has
been getting flooded with emails. It appears that an
attacker is sending out tons of spam through various
open relays and using our address
(sales () mycompany com) in the return path. so
essentially, all bounced emails are coming back to our
mail server - we're seeing about 30,000 NDRs per day.
I am using filters to delete the incoming email, but
does anyone else have any other ideas on how to get
this stopped? Since the NDRs are coming from
legitimate sources, checking for open relays wont do
me any good.

Help!!!

Kip.









__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

SMTP DDoS Kip Sr. (Aug 11)
- Re: SMTP DDoS Karma (Aug 12)
- Re: SMTP DDoS stephane nasdrovisky (Aug 13)
- Re: SMTP DDoS chort (Aug 14)
- <Possible follow-ups>
- Re: SMTP DDoS Tomas Wolf (Aug 11)