[OT] HELP!!! mail attack

John Summerfield debian at herakles.homelinux.org
Wed Mar 26 14:59:42 UTC 2008


Rodolfo Alcazar Portillo wrote:
> Hello. Since monday, our mailserver (FC5), behind a firewall, is
> suffering a heavy DoS mail attack. We have a user account,
> amanda.davila at padep.org.bo and it is receiving millions of emails from
> very different sites of the planet. Since now, my only action was
> deleting the account from /etc/password, and the traffic permits
> working. We suspect a virus attack...
> 
> What else can we do? We would appreciate any help with this issue. Here is
> a 20-second log taken at 07:15 GMT-4 (too early, many PCs off).

I use postfix; I can do this:
[root at mail.js.id.au sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer

Those are Perl regular expressions.

One can enable the checks thus:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks

Now, if you're not using postfix you may be able to do something similar....

That rejects the email about as fast as you can; you're rejecting it 
during the connexion.

Those will be logged. I'd then develop a script to munge the messages to 
extract the remote IP address and generate iptables rules to block 
entire /24 network addresses containing the offenders.

I would drop, not reject the connexions.

You need also to work with your IAP who, presumably, has more bandwidth 
than you, and can defend more clients from the remote attackers.

Probably you should also involve your relevant law enforcement agency.

> 
> # tethereal |grep RCPT
> 
> 
> Here you can find a more detailed log:
> http://www.padep.org.bo/log20080325/
> 
> Thanks, again...
> ----------------------------------------------
> Rodolfo Alcazar - rodolfo.alcazar at padep.org.bo
> otbits.blogspot.com / counter.li.org: #367962
> ----------------------------------------------
> "Don't dream your life, live your dream."
> - Unknown author
-- 

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)