On Mon, 17 Feb 2003, Transistor Sister wrote:
> We are currently experiencing a DoS attack against our mail relays.
> The attack was first noticed on Sunday morning EST when our mail queues
> began to fill. Initially, the attack came from roughly 100 or so hosts
> sending varied spam to nonexistant users at our domain, which could not be
> bounced back to the originating host. The nature of the messages are so
> varied that they may have been taken from a spam archive somewhere.
>
> We counted well over 70 thousand messages spread over our 4 relays from
> these hosts, some queues large enough to take the relay down. We began
> filtering to get some of this under control, only to have it migrate to a
> new set of hosts and increasing in intensity tonight at about 6PM EST. We
> now have over 300 unique IPs blocked at the router. I am not sure whether
> anyone else is seeing this, and although I did find a couple of related
> issues from users on the spamcop list from November of last year, spam
> only seems to be the means by which the DoS is accomplished. I wanted to
> bring this out in the event that someone else may have seen this type of
> attack. If so, any additional information would be valuable.
Pardon me for noting that your mailserver seems to be broken.
If a message is undeliverable it will be bounced BUT if the bounce message
can not be delivered it will be discarded immediatly to prevent double
bounce loops.
See also RFC 2821 section 4.5.5
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 10:56:23 PST