[Dshield] SMTP problem
msquire at lagraphico.com
Mon Oct 11 17:39:52 GMT 2004
Detailed answers to your questions are below:
> -----Original Message-----
> From: Shawn Cox [mailto:shawn.cox at pcca.com]
> Sent: Monday, October 11, 2004 9:20 AM
> To: General DShield Discussion List; Mark Squire
> Subject: Re: [Dshield] SMTP problem
> Can you give more information on your setup?
> Are you a service provider of some kind? Does your mail
> server host other
> domains than lagraphico.com?
Yes, there are a few other domains, but we aren't a service provider in
the sense that we are an ISP in the traditional sense. More B2B with
child companies, but we do accept email for a couple of other domains.
> How could these have been accepted by your mail server if you
> have relaying
> turned off for domains other than lagraphico.com?
Well that's the thing. I ran some tests for open relays on our system
just to be sure, and they all came back negative, so that couldn't be
the problem. I even tried to relay through it manually, and was
blocked, so it can't be relaying. I did this externally and internally,
which brings me to my next answer.
> Does your mail server sit outside your firewall, or is it
> inside with a
> conduit between a real world IP and an internal?
> What kind of firewall?
Choice B. The firewall redirects incoming SMTP connections into it.
> Are you certain the connections/emails are not coming from a machine
> internal to your network which may be zombified?
I thought of that as well, however, when I try to route mail through
that server from the internal network (this is just an SMTP/SPAM server)
it would not accept any relaying. In fact, it wouldn't even accept it
for our main email server. That server just sends email straight out to
the net. I know that affects the auto-whitelisting on Spam systems, and
it isn't the best way to do it, and we will be changing that soon.
> What is the content of the messages? This may give more
> indication on the
This was all I was able to find anywhere:
<emailaddress at domain.com>:connect to
mail3.saveinternet.net[126.96.36.199]: Connection timed out
Another gentleman was informing me off the list that this happens a lot
when spammers will use a bogus reply-to address and from addresses. I
don't understand the process entirely, so I am a little fuzzy on this
part, but if I understand it correctly, the spammer will send out a
bunch of spam to various addresses. In the From and Reply-to fields,
the spammer would add in bogus/innocent domains. So suddenly our server
would receive a bunch of these. What I don't understand is how that
would result in my machine connecting to mail3.saveinternet.net. For
that to happen, the original recipient of the spam I guess had to be
saveinternet.net. The reply-to must have been emailaddress at domain.com
(as shown above), and the from address had to be
somebody at lagraphico.com. I think I got that correct. Anyway, the
gentleman was saying that normally this isn't too big of a deal unless
the servers involved accept the connections, and basically tie up your
resources. Not sure if I got that right, but I thought I would throw it
out there for others to comment on.
> ----- Original Message -----
> From: "Mark Squire" <msquire at lagraphico.com>
> To: <list at lists.dshield.org>
> Sent: Monday, October 11, 2004 9:09 AM
> Subject: [Dshield] SMTP problem
> > Hi All,
> > I was wondering if I could get some advice. I believe I might be the
> > recipient of a DDOS against a spammer. I know that doesn't make
> > sense, but let me see if I can clear it up a bit. Yesterday I noticed
> > that our emails were a little slow in trickling in. Thinking this was
> > odd, I opened up our SMTP server, and noticed that it had over 3000
> > emails (pretty unusual for us). I tailed /var/log/maillog (I have
> > postfix), and noticed a lot of these errors:
> > connect to mail2.saveinternet.net[188.8.131.52]: Connection timed out
> > It didn't make any sense. I never really got to the root cause I
> > don't think, but at one point I went under the assumption that we were
> > somehow being used to attack the above address. The reason I came to
> > that conclusion is because I didn't see them try to connect to our
> > domain at all, but I saw a bunch of other addresses from all over the
> > place connecting to us, and then I saw a bunch of connections coming
> > from us to saveinternet.net. So at that point I blocked all firewall
> > access to port 25. Of course suddenly email stopped flowing in, but
> > it also gave the queues a chance to catch up. After at least 30
> > minutes, all of the legitimate email was delivered, and I opened
> > things back up. I read also to set the qmgr value in master.cf to
> > nqmgr. I did that, and have had some success. The attack, if that is
> > what it is, appears to still be active. Just a bit ago, I did a scan
> > for all files containing "saveinternet" in the "defer" directory, and
> > quite a few results were returned. Here is a sample from one of the
> > ones I opened:
> > <emailaddress at domain.com>:connect to
> > mail3.saveinternet.net[184.108.40.206]: Connection timed out
> > I used "emailaddress at domain.com" above to sanitize the entry somewhat.
> > All of these had what looks like personal email addresses. Let me say
> > also that I am fairly confident it isn't a configuration error because
> > we have kept the same configuration for the last 6 months without any
> > problems, unless there was something in the config that wasn't capable
> > of addressing a problem like this. Any ideas? Has anyone had this
> > problem? Is there a postfix utility (other than qmail) that might be
> > useful in diagnosing the problem?
> > Thanks,
> > Mark
> > _______________________________________________
> > DShield and the Internet Storm Center are sponsored by the SANS
> > Institute. To learn more about current SANS training, see
> > http://www.sans.org .
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
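The pattern described in this thread (a queue full of deferred deliveries to one remote MX, with the deferred mail addressed to strangers rather than to the local domains) is what a postfix backscatter storm looks like: the server accepted spam for non-existent local users, generated bounces to the forged envelope senders, and is now trying to deliver those bounces. The script below is an added example, not code from the original post or from the DShield list, that checks a postfix maillog for that signature. It correlates each queue ID's qmgr "from=<...>" line with its smtp delivery line, counts deferred deliveries per remote host, and flags how many of the deferred messages have the null sender (from=<>) that postfix uses for its own bounces. The log lines, queue IDs, hostnames and addresses are constructed for the example; the log format follows postfix's "status=deferred (connect to host[ip]: Connection timed out)" wording but any real log should be checked against the regexes before relying on the counts.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (NOT from the original post).
# Queue IDs, hosts, IPs and addresses are illustrative only.
SAMPLE_LOG = """\
Oct 11 09:05:00 mx postfix/qmgr[1111]: A1B2C3: from=<>, size=2310, nrcpt=1 (queue active)
Oct 11 09:05:31 mx postfix/smtp[2222]: A1B2C3: to=<user1@domain.com>, relay=none, delay=31, status=deferred (connect to mail3.saveinternet.net[126.96.36.199]: Connection timed out)
Oct 11 09:05:02 mx postfix/qmgr[1111]: D4E5F6: from=<>, size=2290, nrcpt=1 (queue active)
Oct 11 09:05:33 mx postfix/smtp[2223]: D4E5F6: to=<user2@domain.com>, relay=none, delay=31, status=deferred (connect to mail2.saveinternet.net[188.8.131.52]: Connection timed out)
Oct 11 09:06:10 mx postfix/qmgr[1111]: 778899: from=<alice@lagraphico.com>, size=5120, nrcpt=1 (queue active)
Oct 11 09:06:12 mx postfix/smtp[2224]: 778899: to=<bob@partner.example>, relay=mail.partner.example[192.0.2.10]:25, delay=2, status=sent (250 Ok: queued)
Oct 11 09:06:20 mx postfix/qmgr[1111]: AABBCC: from=<>, size=2301, nrcpt=1 (queue active)
Oct 11 09:06:51 mx postfix/smtp[2225]: AABBCC: to=<user3@domain.com>, relay=none, delay=31, status=deferred (connect to mail3.saveinternet.net[126.96.36.199]: Connection timed out)
"""

# qmgr line: gives us the envelope sender for a queue ID. from=<> is the
# null sender, which postfix uses for the bounces it generates itself.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# smtp line: delivery attempt. The optional tail captures the remote host
# for the "connect to host[ip]: error" form of a deferral.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=(?P<status>\w+)"
    r"(?: \(connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<err>[^)]*)\))?"
)


def analyze(log_text, backscatter_ratio=0.5):
    """Summarise deferred deliveries and flag a probable backscatter storm.

    Two passes: first learn each queue ID's envelope sender from its qmgr
    line, then walk the smtp delivery lines so order in the log does not
    matter. Returns plain counts so a caller can alert on them.
    """
    senders = {}
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("sender")

    deferred_by_host = Counter()
    deferred_total = 0
    null_sender_deferred = 0
    for line in log_text.splitlines():
        m = SMTP_RE.search(line)
        if not m or m.group("status") != "deferred":
            continue
        deferred_total += 1
        if m.group("host"):
            deferred_by_host[m.group("host")] += 1
        # Unknown sender (no qmgr line seen) is NOT counted as a bounce.
        if senders.get(m.group("qid")) == "":
            null_sender_deferred += 1

    # Heuristic: when most deferred mail is our own bounces piling up
    # against a few unreachable hosts, we are the backscatter source,
    # not the victim of a relay abuse.
    likely = deferred_total > 0 and null_sender_deferred / deferred_total >= backscatter_ratio
    return {
        "deferred_total": deferred_total,
        "null_sender_deferred": null_sender_deferred,
        "deferred_by_host": dict(deferred_by_host),
        "likely_backscatter": likely,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, n in sorted(result["deferred_by_host"].items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} deferred -> {host}")
    print(f"{result['null_sender_deferred']} of {result['deferred_total']} deferred "
          f"messages are null-sender bounces; backscatter={result['likely_backscatter']}")
```

On a live box, feed it the real log (for example `analyze(open('/var/log/maillog').read())`) rather than the constructed sample. If the null-sender fraction is high, the open-relay tests mentioned in the thread coming back clean is expected: nothing was relayed, the server produced the mail itself when it bounced spam to forged senders. The fix on the accepting side is to reject unknown local recipients at SMTP time instead of accepting and bouncing them; in postfix that is a matter of having local_recipient_maps (or the equivalent relay_recipient_maps for hosted domains) populated, which the thread does not show, so treat that as a point to verify rather than a diagnosis.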