Security Incidents mailing list archives

strange SMTP DoS traffic from Korea


From: Damian Menscher <menscher () uiuc edu>
Date: Fri, 5 Mar 2004 21:43:52 -0600 (CST)

I tried posting this four months ago, but the moderator blocked it due
to it not being a fast enough attack to constitute a DoS.  We were never
able to track it down, and I just firewalled it off for four months.  I
just removed the firewall, and the attack traffic came back almost
immediately.  I'd really appreciate it if anyone had ideas on what is
happening here.

Damian

---------- Forwarded message ----------
Date: Thu, 6 Nov 2003 23:55:57 -0600 (CST)
From: Damian Menscher <menscher () uiuc edu>
To: incidents () securityfocus com
Subject: strange SMTP DoS traffic from Korea

Since Oct 13 we've been seeing some rather unusual traffic from various
IPs in Korea (list below).  It was leaving logs like the following:

NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Eventually I decided to see exactly what they were doing by running a
packet sniffer, and found they're connecting, getting the banner, saying
"HELO local", getting the "pleased to meet you...", and then saying
QUIT.  They do this about once every 3 seconds for several minutes, then
they're silent for a while.

It doesn't seem like it's a single misconfigured machine, because the
traffic comes from several machines:

 # of
attacks  Source IP
   1092 [203.236.93.102]
    858 [203.236.93.111]
   1748 [203.236.93.114]
   3834 [203.236.93.15]
     18 [203.236.93.16]
  11624 [203.236.96.153]
   2119 [203.236.96.164]
    428 [203.236.96.169]
   5077 [203.236.96.177]
   1220 [203.236.96.179]
   2940 [203.236.96.181]
   1047 [203.236.96.230]

I don't know if this is supposed to be some sort of attack, but I'm only
seeing it on one machine, not on any other machines I manage.  Has
anyone seen this elsewhere?

Do you have any recommendations, or should we just add firewall rules
for 203.236.93.0/25 and 203.236.96.128/25 (interestingly, a whois shows
they're both owned by the same organization)?

As some added information, it appears our dealings with them began when
they spammed us (something about joining an e-commerce site) on the
morning of Oct 13.  The spam they sent was spoofed to be from
thomas.adners () usps gov.  We got another spam with the same spoofed from
address from an attbi.com IP about 10 minutes after the first one from
Korea.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
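As an added example (not part of the post or the thread), a small Python script that parses sendmail NOQUEUE lines of the form quoted above, flags sources showing the connect/HELO/QUIT cadence of roughly one connection every 3 seconds, and checks hits against the two /25s proposed for blocking. The log lines, hostname and PIDs below are constructed for the example, not taken from the thread.

```python
"""Flag SMTP sources that repeatedly connect and drop without issuing MAIL."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in sendmail's NOQUEUE format; "mx" and the
# PIDs are placeholders. 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Nov  6 23:50:01 mx sendmail[4011]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:50:04 mx sendmail[4012]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:50:07 mx sendmail[4013]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:50:10 mx sendmail[4014]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  6 23:52:30 mx sendmail[4020]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  7 00:05:00 mx sendmail[4031]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  7 00:05:02 mx sendmail[4032]: hA7652xx004032: from=<user@example.org>, size=1024, nrcpts=1, relay=[192.0.2.10]
""".splitlines()

NOQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)

def parse_noqueue(lines, year=2003):
    """Yield (timestamp, source_ip) for each matching NOQUEUE line."""
    for line in lines:
        m = NOQUEUE_RE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def burst_sources(events, min_hits=3, max_gap=5.0):
    """Return {ip: total_hits} for sources with at least min_hits consecutive
    empty connections no more than max_gap seconds apart (the ~3 s cadence)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        run = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap else 1
            if run >= min_hits:
                flagged[ip] = len(stamps)
                break
    return flagged

def in_suspect_nets(ip, nets=("203.236.93.0/25", "203.236.96.128/25")):
    """True if ip lies in one of the two /25s the post considers blocking."""
    return any(ip_address(ip) in ip_network(n) for n in nets)
```

Running `burst_sources(parse_noqueue(SAMPLE_LOG))` flags only 203.236.96.179; the two widely spaced hits from 192.0.2.10 and the normal delivery line are left alone.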
