Distributed spam-based DoS in progress

From: Transistor Sister (ravenat_private)
Date: Mon Feb 17 2003 - 17:25:19 PST


    Hello list,
    
    We are currently experiencing a DoS attack against our mail relays.
    The attack was first noticed on Sunday morning EST when our mail queues
    began to fill. Initially, the attack came from roughly 100 or so hosts
    sending varied spam to nonexistent users at our domain, which could not be
    bounced back to the originating host. The nature of the messages is so
    varied that they may have been taken from a spam archive somewhere.
    
    We counted well over 70 thousand messages spread over our 4 relays from
    these hosts, some queues large enough to take the relay down. We began
    filtering to get some of this under control, only to have it migrate to a
    new set of hosts and increase in intensity tonight at about 6PM EST. We
    now have over 300 unique IPs blocked at the router. I am not sure whether
    anyone else is seeing this, and although I did find a couple of related
    issues from users on the spamcop list from November of last year, spam
    only seems to be the means by which the DoS is accomplished. I wanted to
    bring this out in the event that someone else may have seen this type of
    attack. If so, any additional information would be valuable. 
    
    Regards,
    
    Sarah
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Feb 17 2003 - 18:27:22 PST