[Dshield] SMTP problem

Richard Golodner RGolodner at Aetea.com
Mon Oct 11 16:03:46 GMT 2004

Open relay? 

-----Original Message-----
From: Mark Squire [mailto:msquire at lagraphico.com]
Sent: Monday, October 11, 2004 10:10 AM
To: list at lists.dshield.org
Subject: [Dshield] SMTP problem

Hi All,
I was wondering if I could get some advice.  I believe I might be the
recipient of a DDOS against a spammer.  I know that doesn't make sense,
but let me see if I can clear it up a bit.  Yesterday I noticed that our
emails were a little slow in trickling in.  Thinking this was odd, I
opened up our SMTP server, and noticed that it had over 3000 emails
(pretty unusual for us).  I tailed /var/log/maillog (I have postfix),
and noticed a lot of these errors:

connect to mail2.saveinternet.net[]: Connection timed out

It didn't make any sense.  I never really got to the root cause I don't
think, but at one point I went under the assumption that we were somehow
being used to attack the above address.  The reason I came to that
conclusion is because I didn't see them try to connect to our domain at
all, but I saw a bunch of other addresses from all over the place
connecting to us, and then I saw a bunch of connections coming from us
to saveinternet.net.  So at that point I blocked all firewall access to
port 25.  Of course suddenly email stopped flowing in, but it also gave
the queues a chance to catch up.  After at least 30 minutes, all of the
legitimate email was delivered, and I opened things back up.  I read
also to set the qmgr value in master.cf to nqmgr.  I did that, and have
had some success.  The attack, if that is what it is, appears to still
be active.  Just a bit ago, I did a scan for all files containing
"saveinternet" in the "defer" directory, and quite a few results were
returned.  Here is a sample from one of the ones I opened:

<emailaddress at domain.com>:connect to
mail3.saveinternet.net[]: Connection timed out

I used "emailaddress at domain.com" above to sanitize the entry somewhat.
All of these had what looks like personal email addresses.  Let me say
also that I am fairly confident it isn't a configuration error because
we have kept the same configuration for the last 6 months without any
problems, unless there was something in the config that wasn't capable
of addressing a problem like this.  Any ideas?  Has anyone had this
problem?  Is there a postfix utility (other than qmail) that might be
useful in diagnosing the problem?
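An added example, written for this page rather than taken from either poster or from Postfix itself: a Python script that does with /var/log/maillog what Mark did by hand in the defer directory. It correlates Postfix smtpd, qmgr and smtp lines by queue ID so that each deferred delivery can be tested against the two questions behind Richard's "Open relay?" reply: was the message accepted from a client outside mynetworks, and is it addressed to a domain this server does not host? A large share of the queue answering yes to both is the relay-abuse pattern; a backlog where that count stays near zero points to some other cause. The log lines, queue IDs, hosts, addresses, LOCAL_DOMAINS and TRUSTED_NETS are all constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample of Postfix maillog lines (invented for this example, not
# taken from the thread). 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for "the Internet" and "our own LAN"; example.com stands
# in for the domain the server is supposed to accept mail for.
SAMPLE_LOG = """\
Oct 11 09:58:13 mx postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[203.0.113.5]
Oct 11 09:58:13 mx postfix/qmgr[1100]: A1B2C3D4E5: from=<bulk@mailer.test>, size=1874, nrcpt=1 (queue active)
Oct 11 09:58:20 mx postfix/smtpd[1236]: F6E5D4C3B2: client=unknown[203.0.113.77]
Oct 11 09:58:20 mx postfix/qmgr[1100]: F6E5D4C3B2: from=<bulk@mailer.test>, size=1901, nrcpt=1 (queue active)
Oct 11 09:59:45 mx postfix/smtp[1240]: A1B2C3D4E5: to=<jane@personal.test>, relay=none, delay=92, status=deferred (connect to mail2.saveinternet.net[192.0.2.10]: Connection timed out)
Oct 11 10:00:02 mx postfix/smtp[1241]: F6E5D4C3B2: to=<bob@other.test>, relay=none, delay=102, status=deferred (connect to mail3.saveinternet.net[192.0.2.11]: Connection timed out)
Oct 11 10:01:00 mx postfix/smtpd[1237]: 0011223344: client=ws12.example.com[198.51.100.12]
Oct 11 10:01:00 mx postfix/qmgr[1100]: 0011223344: from=<alice@example.com>, size=800, nrcpt=1 (queue active)
Oct 11 10:01:03 mx postfix/smtp[1242]: 0011223344: to=<partner@vendor.test>, relay=mail.vendor.test[192.0.2.50], delay=3, status=sent (250 Ok)
Oct 11 10:02:00 mx postfix/smtpd[1238]: 5566778899: client=unknown[203.0.113.9]
Oct 11 10:02:00 mx postfix/qmgr[1100]: 5566778899: from=<someone@remote.test>, size=950, nrcpt=1 (queue active)
Oct 11 10:02:01 mx postfix/local[1243]: 5566778899: to=<alice@example.com>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

LOCAL_DOMAINS = {"example.com"}                  # placeholder: domains this server hosts
TRUSTED_NETS = [ip_network("198.51.100.0/24")]   # placeholder: clients allowed to relay (mynetworks)

# Three line shapes Postfix writes: who connected, who the envelope sender was,
# and the per-recipient delivery attempt with its status text in parentheses.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+)\[([0-9.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^>]+)>, relay=([^,]+), "
                   r"delay=[\d.]+, status=(\w+) \((.*)\)$")
CONNECT_RE = re.compile(r"connect to ([^\[\s]+)\[[^\]]*\]: (.*)")


@dataclass
class Delivery:
    queue_id: str
    client_ip: Optional[str]
    sender: str
    recipient: str
    status: str
    target: Optional[str]   # host Postfix tried to reach, when the status text names one
    relayed: bool           # accepted from outside mynetworks AND addressed to a non-local domain


def parse_maillog(text, local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Correlate smtpd/qmgr/smtp lines by queue ID into one Delivery per recipient."""
    clients, senders, deliveries = {}, {}, []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(3)
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2)
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        qid, rcpt, _relay, status, detail = m.groups()
        ip = clients.get(qid)
        from_outside = ip is not None and not any(ip_address(ip) in n for n in trusted_nets)
        to_foreign = rcpt.rsplit("@", 1)[-1].lower() not in local_domains
        cm = CONNECT_RE.search(detail)
        deliveries.append(Delivery(qid, ip, senders.get(qid, ""), rcpt, status,
                                   cm.group(1) if cm else None, from_outside and to_foreign))
    return deliveries


def report(deliveries):
    """Summarise what is clogging the queue and how much of it was relayed for strangers."""
    deferred = [d for d in deliveries if d.status == "deferred"]
    return {
        "deferred_by_target": dict(Counter(d.target for d in deferred if d.target)),
        "relayed_queue_ids": [d.queue_id for d in deliveries if d.relayed],
        "relayed_deferred": sum(1 for d in deferred if d.relayed),
        "top_relayed_senders": Counter(d.sender for d in deliveries if d.relayed).most_common(3),
    }


if __name__ == "__main__":
    for key, value in report(parse_maillog(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

To use it on a real server, set LOCAL_DOMAINS and TRUSTED_NETS to match mydestination and mynetworks, then call parse_maillog on the contents of the maillog. The exact field layout varies a little between Postfix releases (newer ones append a port to relay=), so check the three regexes against a few of your own lines first. A high relayed_deferred count with one destination dominating deferred_by_target is the open-relay picture; a queue stuffed with deferred mail for local domains or for trusted clients is something else and needs a different look.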

DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .
