[Dshield] SMTP problem

Mark Squire msquire at lagraphico.com
Mon Oct 11 14:09:32 GMT 2004


Hi All,
I was wondering if I could get some advice.  I believe I might be the
recipient of a DDOS against a spammer.  I know that doesn't make sense,
but let me see if I can clear it up a bit.  Yesterday I noticed that our
emails were a little slow in trickling in.  Thinking this was odd, I
opened up our SMTP server, and noticed that it had over 3000 emails
(pretty unusual for us).  I tailed /var/log/maillog (I have postfix),
and noticed a lot of these errors:

connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out

It didn't make any sense.  I never really got to the root cause I don't
think, but at one point I went under the assumption that we were somehow
being used to attack the above address.  The reason I came to that
conclusion is because I didn't see them try to connect to our domain at
all, but I saw a bunch of other addresses from all over the place
connecting to us, and then I saw a bunch of connections coming from us
to saveinternet.net.  So at that point I blocked all firewall access to
port 25.  Of course suddenly email stopped flowing in, but it also gave
the queues a chance to catch up.  After at least 30 minutes, all of the
legitimate email was delivered, and I opened things back up.  I read
also to set the qmgr value in master.cf to nqmgr.  I did that, and have
had some success.  The attack, if that is what it is, appears to still
be active.  Just a bit ago, I did a scan for all files containing
"saveinternet" in the "defer" directory, and quite a few results were
returned.  Here is a sample from one of the ones I opened:

<emailaddress at domain.com>:connect to
mail3.saveinternet.net[69.42.120.8]: Connection timed out

I used "emailaddress at domain.com" above to sanitize the entry somewhat.
All of these had what looks like personal email addresses.  Let me say
also that I am fairly confident it isn't a configuration error because
we have kept the same configuration for the last 6 months without any
problems, unless there was something in the config that wasn't capable
of addressing a problem like this.  Any ideas?  Has anyone had this
problem?  Is there a postfix utility (other than qmail) that might be
useful in diagnosing the problem?

Thanks,
Mark
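An added diagnostic example for the situation described in the post (it is editor-supplied code, not the poster's or Postfix's own). It parses the `postfix/qmgr` "from=<...>" lines and the `postfix/smtp` "status=deferred" lines of a maillog, joins them on the queue ID, and then answers the two questions that separate the likely explanations: which destination host the deferrals pile up on, and whether the deferred mail entered the queue as our own bounces (null envelope sender, i.e. backscatter if the senders were forged) or as third-party mail we accepted for onward delivery (an open relay or abused account). The sample log lines are constructed; the queue IDs, timestamps and example.* addresses are made up, only the saveinternet.net hosts and IPs are taken from the post, and `example.com` is assumed to be the local domain.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post). Queue IDs,
# timestamps and example.* addresses are made up; the saveinternet.net hosts
# and IPs are the ones quoted in the post.
SAMPLE_LOG = """\
Oct 11 13:41:07 mx1 postfix/qmgr[2211]: 1A2B3C4D5E: from=<>, size=2310, nrcpt=1 (queue active)
Oct 11 13:41:09 mx1 postfix/smtp[2290]: 1A2B3C4D5E: to=<jdoe@saveinternet.net>, relay=none, delay=30, status=deferred (connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out)
Oct 11 13:42:15 mx1 postfix/qmgr[2211]: 6F7A8B9C0D: from=<>, size=1980, nrcpt=1 (queue active)
Oct 11 13:42:47 mx1 postfix/smtp[2291]: 6F7A8B9C0D: to=<alice@saveinternet.net>, relay=none, delay=32, status=deferred (connect to mail3.saveinternet.net[69.42.120.8]: Connection timed out)
Oct 11 13:43:02 mx1 postfix/qmgr[2211]: A1B2C3D4E5: from=<sales@example.com>, size=4100, nrcpt=1 (queue active)
Oct 11 13:43:03 mx1 postfix/smtp[2292]: A1B2C3D4E5: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1, status=sent (250 OK)
Oct 11 13:44:30 mx1 postfix/qmgr[2211]: F0E1D2C3B4: from=<newsletter@example.org>, size=2750, nrcpt=1 (queue active)
Oct 11 13:45:01 mx1 postfix/smtp[2293]: F0E1D2C3B4: to=<carol@saveinternet.net>, relay=none, delay=31, status=deferred (connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out)
"""

# Line shapes as written by the Postfix qmgr and smtp client daemons.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_DEFER = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, .*status=deferred \((?P<reason>.*)\)$"
)
CONNECT_TO = re.compile(r"connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")


def parse_maillog(text):
    """Return one dict per deferred delivery, joined to its envelope sender by queue ID."""
    senders = {}
    deferred = []
    for line in text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = SMTP_DEFER.search(line)
        if not m:
            continue
        host = CONNECT_TO.search(m["reason"])
        deferred.append({
            "qid": m["qid"],
            "rcpt": m["rcpt"],
            "rcpt_domain": m["rcpt"].rsplit("@", 1)[-1].lower(),
            "relay_host": host["host"] if host else None,
            "relay_ip": host["ip"] if host else None,
            "reason": m["reason"],
        })
    for d in deferred:
        d["sender"] = senders.get(d["qid"])  # None if the qmgr line was not in the log window
    return deferred


def summarize(deferred, local_domains):
    """Count deferrals by destination and classify each by how it entered the queue."""
    local = {d.lower() for d in local_domains}
    bounces = 0  # null envelope sender: our own bounces (backscatter if the recipients were forged)
    relayed = 0  # sender neither null nor local: mail accepted from elsewhere for onward delivery
    for d in deferred:
        s = d["sender"]
        if s == "":
            bounces += 1
        elif s is not None and s.rsplit("@", 1)[-1].lower() not in local:
            relayed += 1
    return {
        "total": len(deferred),
        "by_relay_host": Counter(d["relay_host"] or "unknown" for d in deferred),
        "by_rcpt_domain": Counter(d["rcpt_domain"] for d in deferred),
        "bounces": bounces,
        "relayed": relayed,
    }


def top_destination(deferred):
    """(domain, share) for the recipient domain that takes the largest share of deferrals."""
    if not deferred:
        return None, 0.0
    dom, n = Counter(d["rcpt_domain"] for d in deferred).most_common(1)[0]
    return dom, n / len(deferred)


if __name__ == "__main__":
    rows = parse_maillog(SAMPLE_LOG)
    report = summarize(rows, local_domains={"example.com"})
    dom, share = top_destination(rows)
    print(f"{report['total']} deferred deliveries, {share:.0%} of them bound for {dom}")
    for host, n in report["by_relay_host"].most_common():
        print(f"  {n:4d}  {host}")
    print(f"  bounces (from=<>): {report['bounces']}   relayed third-party mail: {report['relayed']}")
```

A high bounce count with one destination domain dominating points at backscatter (our server bouncing mail whose forged sender was at that domain), while a high relayed count means the server is accepting mail it should not; the fix differs, so the split matters before touching the queue. On a live system the same counts can be taken from the queue itself with `postqueue -p` and the `qshape` tool that ships with Postfix, which histograms the deferred queue by recipient (or, with `-s`, sender) domain and age.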


