Rodolfo Alcazar Portillo wrote:
> Hello. Since Monday, our mailserver (FC5), behind a firewall, has been
> suffering a heavy mail DoS attack. We have a user account,
> amanda.davila(a)padep.org.bo, and it is receiving millions of emails from
> very different sites around the planet. So far, my only action has been
> deleting the account from /etc/passwd, and the traffic now permits
> working. We suspect a virus attack...
> What else can we do? We would appreciate any help with this issue. Here
> is a 20-second log from 07:15 GMT-4 (too early; many PCs are off).
I use postfix; I can do this:
[root(a)mail.js.id.au sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer
Those are Perl regular expressions.
One can enable the checks thus:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks
Now, if you're not using postfix you may be able to do something similar.
That rejects the email about as fast as you can; you're rejecting it
during the connexion.
Those will be logged. I'd then develop a script to munge the messages to
extract the remote IP address and generate iptables rules to block
entire /24 network addresses containing the offenders.
I would drop, not reject the connexions.
You need also to work with your IAP who, presumably, has more bandwidth
than you, and can defend more clients from the remote attackers.
Probably you should also involve your relevant law enforcement agency.
> # tethereal |grep RCPT
> Here you can find a more detailed log:
> http://www.padep.org.bo/log20080325/
> Thanks, again...
> ----------------------------------------------
> Rodolfo Alcazar - rodolfo.alcazar(a)padep.org.bo
> otbits.blogspot.com /
> counter.li.org: #367962
> ----------------------------------------------
> "Don't dream your life, live your dream."
> - Unknown author
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list :-)
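A script of the kind John describes above (munge the Postfix logs, pull out the remote client IP of each header_checks rejection, aggregate by /24 and emit iptables DROP rules) as an added example; it is not code from the thread. It assumes the reject line format that Postfix's cleanup(8) writes when a pcre header_checks rule fires, a constructed log excerpt using RFC 5737 documentation addresses, and two safeguards of my own: a hypothetical LOCAL_NETS allowlist so the server's own LAN is never blocked, and a hit threshold so a single stray rejection does not lock out a whole /24.

```python
import re
import ipaddress
from collections import Counter

# Constructed Postfix log excerpt (not from the thread); client addresses use
# RFC 5737 documentation ranges. cleanup(8) logs a pcre header_checks hit as
# "reject: header <text> from <client>[<ip>]; from=<..> to=<..> ...: <reason>".
SAMPLE_LOG = """\
Mar 25 07:15:01 mail postfix/smtpd[2099]: connect from unknown[192.0.2.10]
Mar 25 07:15:01 mail postfix/cleanup[2101]: 1A2B3C: reject: header Received: from mx (unknown [192.0.2.10]) from unknown[192.0.2.10]; from=<a@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<mx>: No thanks
Mar 25 07:15:02 mail postfix/cleanup[2101]: 1A2B3D: reject: header Received: from mx from unknown[192.0.2.77]; from=<b@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<mx>: No thanks
Mar 25 07:15:03 mail postfix/cleanup[2101]: 1A2B3E: reject: header Received: from mx from unknown[198.51.100.5]; from=<c@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<mx>: No thanks
Mar 25 07:15:04 mail postfix/cleanup[2101]: 1A2B3F: reject: header Received: from mx from unknown[203.0.113.9]; from=<d@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<mx>: No thanks
Mar 25 07:15:05 mail postfix/cleanup[2101]: 1A2B40: reject: header Received: from mx from unknown[203.0.113.200]; from=<e@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<mx>: No thanks
Mar 25 07:15:06 mail postfix/cleanup[2101]: 1A2B41: reject: header Received: from pc from pc.lan[192.168.1.20]; from=<f@example.net> to=<amanda.davila@padep.org.bo> proto=ESMTP helo=<pc>: No thanks
"""

# Client IP of each header_checks rejection; the trailing "];" pins the match to
# the client field rather than to addresses quoted inside the rejected header.
CLIENT_RE = re.compile(r"reject: header .* from \S+\[([0-9.]+)\];")

# Assumed allowlist: networks that must never be blocked (the site's own LAN;
# the server in the thread sits at 192.168.1.15, so its /24 is used here).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def offending_ips(log_text):
    """Return the remote client IP from every header_checks reject line, in order."""
    return CLIENT_RE.findall(log_text)


def block_rules(log_text, threshold=2, prefix=24):
    """Aggregate rejections per /prefix and return iptables DROP rules (as
    strings, not executed) for every network with at least `threshold` hits,
    busiest first. DROP rather than REJECT, as John advises."""
    counts = Counter()
    for ip in offending_ips(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            continue  # never lock out our own hosts
        counts[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    rules = []
    for net, hits in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if hits >= threshold:
            rules.append(f"iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

Review the emitted rules before applying them; a /24 block can also cut off legitimate senders sharing the same range.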