Security Incidents mailing list archives
strange SMTP DoS traffic from Korea
From: Damian Menscher <menscher () uiuc edu>
Date: Fri, 5 Mar 2004 21:43:52 -0600 (CST)
I tried posting this four months ago, but the moderator blocked it due to it not being a fast enough attack to constitute a DoS. We were never able to track it down, and I just firewalled it off for four months. I just removed the firewall, and the attack traffic came back almost immediately. I'd really appreciate it if anyone had ideas on what is happening here.

Damian

---------- Forwarded message ----------
Date: Thu, 6 Nov 2003 23:55:57 -0600 (CST)
From: Damian Menscher <menscher () uiuc edu>
To: incidents () securityfocus com
Subject: strange SMTP DoS traffic from Korea

Since Oct 13 we've been seeing some rather unusual traffic from various IPs in Korea (list below). It was leaving logs like the following:

NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Eventually I decided to see exactly what they were doing by running a packet sniffer, and found they're connecting, getting the banner, saying "HELO local", getting the "pleased to meet you...", and then saying QUIT. They do this about once every 3 seconds for several minutes, then they're silent for a while. It doesn't seem like it's a single misconfigured machine, because the traffic comes from several machines:

# of attacks    Source IP
        1092    [203.236.93.102]
         858    [203.236.93.111]
        1748    [203.236.93.114]
        3834    [203.236.93.15]
          18    [203.236.93.16]
       11624    [203.236.96.153]
        2119    [203.236.96.164]
         428    [203.236.96.169]
        5077    [203.236.96.177]
        1220    [203.236.96.179]
        2940    [203.236.96.181]
        1047    [203.236.96.230]

I don't know if this is supposed to be some sort of attack, but I'm only seeing it on one machine, not on any other machines I manage. Has anyone seen this elsewhere? Do you have any recommendations, or should we just add firewall rules for 203.236.93.0/25 and 203.236.96.128/25 (interestingly, a whois shows they're both owned by the same organization)?
As some added information, it appears our dealings with them began when they spammed us (something about joining an e-commerce site) on the morning of Oct 13. The spam they sent was spoofed to be from thomas.adners () usps gov. We got another spam with the same spoofed from address from an attbi.com IP about 10 minutes after the first one from Korea.

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
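As an added illustration (not part of Damian's post or any sendmail code), the following Python script counts the sendmail "did not issue MAIL/EXPN/VRFY/ETRN" lines per source address, reproducing the per-IP table above from raw logs, and separately flags sources whose empty sessions repeat at the roughly 3-second cadence described. The syslog prefix (hostname, pid), the sample log lines and the 192.0.2.25 address are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sendmail line quoted in the post, with an assumed syslog-style
# prefix; only the timestamp and the bracketed source IP are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to MTA$"
)

def parse_ts(ts, year=2003):
    # syslog timestamps carry no year; pick one so deltas can be computed
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def count_empty_sessions(lines):
    """Return {source_ip: number of banner/HELO/QUIT-only sessions}."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def flag_burst_sources(lines, max_gap=5.0, min_run=3):
    """Return source IPs with at least `min_run` consecutive empty sessions
    spaced no more than `max_gap` seconds apart (the ~3 s cadence)."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            times[m.group("ip")].append(parse_ts(m.group("ts")))
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        run = 1
        for earlier, later in zip(stamps, stamps[1:]):
            run = run + 1 if (later - earlier).total_seconds() <= max_gap else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged

# Constructed sample log: one source at the 3-second cadence, one that only
# made two widely spaced empty connections, and one real delivery line.
SAMPLE_LOG = """\
Nov  6 23:40:01 mx sendmail[4101]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:40:04 mx sendmail[4102]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:40:07 mx sendmail[4103]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:41:30 mx sendmail[4110]: NOQUEUE: [192.0.2.25] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:55:02 mx sendmail[4120]: NOQUEUE: [192.0.2.25] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:55:10 mx sendmail[4121]: hA65t9Ab004121: from=<user@example.net>, size=1234, nrcpts=1, relay=[192.0.2.25]
""".splitlines()
```

Feeding a real maillog through `count_empty_sessions` yields the "# of attacks / Source IP" table; `flag_burst_sources` separates the scripted cadence from a host that merely probed once or twice.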