Re: SMTP server (How can I find out the real source of an attack)

From: Pavel Kankovsky (peakat_private)
Date: Sun Jul 15 2001 - 02:42:00 PDT


    On Thu, 12 Jul 2001 Valdis.Kletnieksat_private wrote:
    
    > I've seen multiple systems that don't understand the meaning of "required
    > delay before retry" as per RFC1123 - systems that in their normally broken
    > state will retry over and over and over.  I can sympathize with your
    > 7x/sec - I once got hit by something that retried 10x/sec for about 2 days
    > before I finally found the owner and chastised them....
    
    I have seen a system failing to understand both the meaning of "required
    delay before retry" and the meaning of standard SMTP reply codes recently!
    The receiving MTA failed to accept some messages with 5xx after DATA, yet
    the system in question kept those messages in its queue and tried to send
    them again and again. It was MS Exchange (surprise) behind some
    unidentified kind of proxy (*). Fortunately, the rate was "only" 2 retries
    every 30 seconds (1 retry per queued message) for ca. 20 hours until
    it was stopped by human intervention.
    
    I see a trend: Yesterday, the Internet was a happy place free of DoS
    attacks. Today, we suffer from a relatively small number of intentional
    DoS attacks. Tomorrow, the whole Internet will collapse under a massive
    wave of accidental DoS attacks caused by braindead software written and
    configured by ignorant people. :P
    
    (*) As far as I remember, the proxy said something like
    "220-server.dns.name Connection Established\r\n220 ESMTP\r\n" when an SMTP
    connection was opened to it, and something including the client's DNS name
    when the connection was closed. I'd be grateful if anyone could identify
    that piece of software and tell me.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
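    The misbehaviour Pavel describes (a peer that keeps resending a message already rejected with 5xx, far faster than the 30-minute minimum retry interval RFC 1123 section 5.3.1.1 recommends) is easy to spot on the receiving side if the MTA logs each delivery attempt with the client, a message identifier and the reply code sent. The script below is an added example, not from the original post or any MTA project; the log format it parses is constructed for the example and would have to be adapted to a real MTA's log lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real MTA): timestamp, client,
# message identifier and the SMTP reply code the receiving MTA returned.
SAMPLE_LOG = """\
2001-07-12 10:00:00 client=192.0.2.10 msgid=<a@example.org> reply=550
2001-07-12 10:00:30 client=192.0.2.10 msgid=<a@example.org> reply=550
2001-07-12 10:00:30 client=192.0.2.10 msgid=<b@example.org> reply=550
2001-07-12 10:01:00 client=192.0.2.10 msgid=<a@example.org> reply=550
2001-07-12 10:01:00 client=192.0.2.10 msgid=<b@example.org> reply=550
2001-07-12 10:05:00 client=198.51.100.7 msgid=<c@example.org> reply=451
2001-07-12 11:00:00 client=198.51.100.7 msgid=<c@example.org> reply=250
"""

# RFC 1123 section 5.3.1.1: the retry interval SHOULD be at least 30 minutes.
RFC1123_MIN_RETRY_SECONDS = 30 * 60


def parse_log(text):
    """Turn the constructed log format into (timestamp, client, msgid, reply) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        kv = dict(f.split("=", 1) for f in fields[2:])
        events.append((ts, kv["client"], kv["msgid"], int(kv["reply"])))
    return events


def find_misbehaving_senders(events, min_retry=RFC1123_MIN_RETRY_SECONDS):
    """Return {client: {"after_5xx": n, "fast_retries": n}} for clients that
    resend a message already rejected with a permanent (5xx) reply, or that
    retry the same message sooner than min_retry seconds after the last attempt."""
    last_seen = {}  # (client, msgid) -> (timestamp of last attempt, reply code)
    report = defaultdict(lambda: {"after_5xx": 0, "fast_retries": 0})
    for ts, client, msgid, reply in sorted(events):
        key = (client, msgid)
        if key in last_seen:
            prev_ts, prev_reply = last_seen[key]
            if 500 <= prev_reply < 600:
                report[client]["after_5xx"] += 1  # retried after a permanent failure
            if (ts - prev_ts).total_seconds() < min_retry:
                report[client]["fast_retries"] += 1  # faster than RFC 1123 allows
        last_seen[key] = (ts, reply)
    return {c: dict(r) for c, r in report.items() if r["after_5xx"] or r["fast_retries"]}
```

    The 4xx-then-250 sequence from the second client is a well-behaved temporary failure and is not reported; only the peer that keeps resending after 550 shows up.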
    
    ----------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 11:32:49 PDT