[Dshield] SMTP problem

Shawn Cox shawn.cox at pcca.com
Mon Oct 11 16:20:02 GMT 2004


Can you give more information on your setup?

Are you a service provider of some kind?  Does your mail server host other 
domains than lagraphico.com?
How could these have been accepted by your mail server if you have relaying 
turned off for domains other than lagraphico.com?
Does your mail server sit outside your firewall, or is it inside with a 
conduit between a real world IP and an internal?
What kind of firewall?
Are you certain the connections/emails are not coming from a machine 
internal to your network which may be zombified?
What is the content of the messages?  This may give more indication on the 
attack.

--Shawn


----- Original Message ----- 
From: "Mark Squire" <msquire at lagraphico.com>
To: <list at lists.dshield.org>
Sent: Monday, October 11, 2004 9:09 AM
Subject: [Dshield] SMTP problem


> Hi All,
> I was wondering if I could get some advice.  I believe I might be the
> recipient of a DDOS against a spammer.  I know that doesn't make sense,
> but let me see if I can clear it up a bit.  Yesterday I noticed that our
> emails were a little slow in trickling in.  Thinking this was odd, I
> opened up our SMTP server, and noticed that it had over 3000 emails
> (pretty unusual for us).  I tailed /var/log/maillog (I have postfix),
> and noticed a lot of these errors:
>
> connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out
>
> It didn't make any sense.  I never really got to the root cause I don't
> think, but at one point I went under the assumption that we were somehow
> being used to attack the above address.  The reason I came to that
> conclusion is because I didn't see them try to connect to our domain at
> all, but I saw a bunch of other addresses from all over the place
> connecting to us, and then I saw a bunch of connections coming from us
> to saveinternet.net.  So at that point I blocked all firewall access to
> port 25.  Of course suddenly email stopped flowing in, but it also gave
> the queues a chance to catch up.  After at least 30 minutes, all of the
> legitimate email was delivered, and I opened things back up.  I read
> also to set the qmgr value in master.cf to nqmgr.  I did that, and have
> had some success.  The attack, if that is what it is, appears to still
> be active.  Just a bit ago, I did a scan for all files containing
> "saveinternet" in the "defer" directory, and quite a few results were
> returned.  Here is a sample from one of the ones I opened:
>
> <emailaddress at domain.com>:connect to
> mail3.saveinternet.net[69.42.120.8]: Connection timed out
>
> I used "emailaddress at domain.com" above to sanitize the entry somewhat.
> All of these had what looks like personal email addresses.  Let me say
> also that I am fairly confident it isn't a configuration error because
> we have kept the same configuration for the last 6 months without any
> problems, unless there was something in the config that wasn't capable
> of addressing a problem like this.  Any ideas?  Has anyone had this
> problem?  Is there a postfix utility (other than qmail) that might be
> useful in diagnosing the problem?
>
> Thanks,
> Mark
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 




More information about the list mailing list