-- more on -- so what will we do to avoid another mass attack on the "net"

[Dave Farber <dave () farber net>]

> Date: Sat, 23 Aug 2003 18:38:49 -0700
> From: Todd Meister <todd () lmi net>
> Subject: Re: [IP] so what will we do to avoid another mass attack on the "net"
> Sender: drtboi () bitslinger net
> To: dave () farber net
>
>
> Dave Farber writes:
> >...just what will we do to avoid the chaos that the
> >next one and the next next one will generate.
>
> I haven't seen an instance of the worm in my mailbox since Thursday.  I am an
> admin at a small ISP, and though the other admin and I share approximately 
> the
> same level of skills, they don't match up exactly.  For instance, I am much
> more comfortable reaching into the guts of our sendmail system and 
> rearranging
> things in our config files.  I mention this because I was out on vacation
> when all this started, and didn't really get back to work until Thursday
> morning.
>
> When I got back, I had hundreds of copies of the worm sitting in my mailbox.
> Thursday morning, our mail servers started choking under the strain of all 
> the
> worms coming through, as they had choked the previous two days, only worse.
> The worm started causing secondary outages (pop3, for instance), and the 
> number
> of processes on our mail servers (which also perform other tasks) was coming
> dangerously close to crashing them.  In desperation, as the other admin
> grepped and destroyed worms within the mail queue, I added a very simple
> rule to our sendmail config file, one suggested by a member of the spam-l
> list.  The rule simply doesn't allow mail clients who connect with a single
> token EHLO/HELO to send mail.  Because of the way most windows mail clients
> work, we couldn't use this on our outgoing, customer-use SMTP servers, but
> we use it on all our MX and customer MX boxes.  Only a very small portion of
> actual mail servers in use on the internet are broken to the point that they
> send single token EHLO/HELOs, but this one rule completely stopped the
> Sobig flood.
>
> We spent the rest of the day draining the backup mail queue until our servers
> overloaded again, stopping sendmail, then starting over.  Several hours 
> later,
> things were back to just slightly busier than normal. Slightly busier because
> our mail server was busily rejecting Sobig connection attempts.
>
> Right now, we're blocking about 20-30% of all incoming messages through this
> ruleset.  Of course, some of these are from poorly-written spam bulkmailers,
> too, but like I said, I haven't seen a single worm in my inbox since I
> implemented this rule on Thursday, and I was getting well over 100/day the
> previous two days.
>
> Obviously, this is a temporary fix.  Sobig could be very easily rewritten to
> give a proper HELO.  And blocking bad HELOs is considered poor conduct, since
> so many old, misconfigured, or windows-based mail clients use them.  But 
> maybe
> if the larger, less standards-interested software companies would start to
> work at playing better with the rest of the internet, and adhering to the
> standards developed by those older and wiser, these minor internet
> catastrophies could be avoided.  I mean, from what I understand, part of the
> way this worm was able to spread so quickly was Microsoft's distaste for
> following best practices in regards to email attachments.
>
> And if these companies continue to think with their marketing departments,
> perhaps all those affected by them need to take at least temporary action, 
> such
> as our solution to the worm, or perhaps defanging all incoming attachments.
>
> -Todd

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/