[Dshield] SMTP problem

Mark Squire msquire at lagraphico.com
Mon Oct 11 17:39:52 GMT 2004

Hi Shawn,
Detailed answers to your questions are below:

> -----Original Message-----
> From: Shawn Cox [mailto:shawn.cox at pcca.com] 
> Sent: Monday, October 11, 2004 9:20 AM
> To: General DShield Discussion List; Mark Squire
> Subject: Re: [Dshield] SMTP problem
> Can you give more information on your setup?
> Are you a service provider of some kind?  Does your mail server host
> other domains than lagraphico.com?

Yes, there are a few other domains, but we aren't a service provider in
the sense that we are an ISP in the traditional sense.  More B2B with
child companies, but we do accept email for a couple of other domains.

> How could these have been accepted by your mail server if you have
> relaying turned off for domains other than lagraphico.com?

Well that's the thing.  I ran some tests for open relays on our system
just to be sure, and they all came back negative, so that couldn't be
the problem.  I even tried to relay through it manually, and was
blocked, so it can't be relaying.  I did this externally and internally,
which brings me to my next answer.

> Does your mail server sit outside your firewall, or is it inside with a
> conduit between a real world IP and an internal?
> What kind of firewall?

Choice B.  The firewall redirects incoming SMTP connections into it.

> Are you certain the connections/emails are not coming from a machine 
> internal to your network which may be zombified?

I thought of that as well, however, when I try to route mail through
that server from the internal network (this is just an SMTP/SPAM server)
it would not accept any relaying.  In fact, it wouldn't even accept it
for our main email server.  That server just sends email straight out to
the net.  I know that affects the auto-whitelisting on Spam systems, and
it isn't the best way to do it, and we will be changing that soon.

> What is the content of the messages?  This may give more indication on
> the attack.

This was all I was able to find anywhere:

<emailaddress at domain.com>:connect to
mail3.saveinternet.net[]: Connection timed out

Another gentleman was informing me off the list that this happens a lot
when spammers will use a bogus reply-to address and from addresses.  I
don't understand the process entirely, so I am a little fuzzy on this
part, but if I understand it correctly, the spammer will send out a
bunch of spam to various addresses.  In the From and Reply-to fields,
the spammer would add in bogus/innocent domains.  So suddenly our server
would receive a bunch of these.  What I don't understand is how that
would result in my machine connecting to mail3.saveinternet.net.  For
that to happen, the original recipient of the spam I guess had to be
saveinternet.net.  The reply-to must have been emailaddress at domain.com
(as shown above), and the from address had to be
somebody at lagraphico.com.  I think I got that correct.  Anyway, the
gentleman was saying that normally this isn't too big of a deal unless
the servers involved accept the connections, and basically tie up your
resources.  Not sure if I got that right, but I thought I would throw it
out there for others to comment on.


> --Shawn
> ----- Original Message ----- 
> From: "Mark Squire" <msquire at lagraphico.com>
> To: <list at lists.dshield.org>
> Sent: Monday, October 11, 2004 9:09 AM
> Subject: [Dshield] SMTP problem
> > Hi All,
> > I was wondering if I could get some advice.  I believe I might be the
> > recipient of a DDOS against a spammer.  I know that doesn't make
> > sense, but let me see if I can clear it up a bit.  Yesterday I noticed
> > that our emails were a little slow in trickling in.  Thinking this was
> > odd, I opened up our SMTP server, and noticed that it had over 3000
> > emails (pretty unusual for us).  I tailed /var/log/maillog (I have
> > postfix), and noticed a lot of these errors:
> >
> > connect to mail2.saveinternet.net[]: Connection timed out
> >
> > It didn't make any sense.  I never really got to the root cause I
> > don't think, but at one point I went under the assumption that we were
> > somehow being used to attack the above address.  The reason I came to
> > that conclusion is because I didn't see them try to connect to our
> > domain at all, but I saw a bunch of other addresses from all over the
> > place connecting to us, and then I saw a bunch of connections coming
> > from us to saveinternet.net.  So at that point I blocked all firewall
> > access to port 25.  Of course suddenly email stopped flowing in, but
> > it also gave the queues a chance to catch up.  After at least 30
> > minutes, all of the legitimate email was delivered, and I opened
> > things back up.  I read also to set the qmgr value in master.cf to
> > nqmgr.  I did that, and have had some success.  The attack, if that is
> > what it is, appears to still be active.  Just a bit ago, I did a scan
> > for all files containing "saveinternet" in the "defer" directory, and
> > quite a few results were returned.  Here is a sample from one of the
> > ones I opened:
> >
> > <emailaddress at domain.com>:connect to
> > mail3.saveinternet.net[]: Connection timed out
> >
> > I used "emailaddress at domain.com" above to sanitize the entry somewhat.
> > All of these had what looks like personal email addresses.  Let me say
> > also that I am fairly confident it isn't a configuration error because
> > we have kept the same configuration for the last 6 months without any
> > problems, unless there was something in the config that wasn't capable
> > of addressing a problem like this.  Any ideas?  Has anyone had this
> > problem?  Is there a postfix utility (other than qmail) that might be
> > useful in diagnosing the problem?
> >
> > Thanks,
> > Mark
> > 
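
Added example (not part of the original thread, and not Postfix's own code): one way to test the bogus-sender explanation discussed above is to join each deferred delivery in the maillog with the envelope sender logged for the same queue ID, since bounce notifications carry the empty sender <>. The log lines below are constructed in Postfix's maillog shape; the queue IDs, recipient addresses, partner.example host and the function names are assumptions, and the saveinternet.net hostnames are written with empty brackets as the post shows them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic); hostnames with [] follow the post.
SAMPLE_LOG = """\
Oct 10 14:02:01 mx postfix/nqmgr[411]: A1B2C3D4E5: from=<>, size=3120, nrcpt=1 (queue active)
Oct 10 14:02:01 mx postfix/nqmgr[411]: B2C3D4E5F6: from=<>, size=2988, nrcpt=1 (queue active)
Oct 10 14:02:02 mx postfix/nqmgr[411]: C3D4E5F6A7: from=<>, size=3301, nrcpt=1 (queue active)
Oct 10 14:02:05 mx postfix/nqmgr[411]: D4E5F6A7B8: from=<staff@sender.example>, size=9001, nrcpt=1 (queue active)
Oct 10 14:02:31 mx postfix/smtp[502]: A1B2C3D4E5: to=<user1@domain.example>, relay=none, delay=30, status=deferred (connect to mail3.saveinternet.net[]: Connection timed out)
Oct 10 14:02:31 mx postfix/smtp[503]: B2C3D4E5F6: to=<user2@domain.example>, relay=none, delay=30, status=deferred (connect to mail2.saveinternet.net[]: Connection timed out)
Oct 10 14:02:32 mx postfix/smtp[504]: C3D4E5F6A7: to=<user3@domain.example>, relay=none, delay=30, status=deferred (connect to mail3.saveinternet.net[]: Connection timed out)
Oct 10 14:02:35 mx postfix/smtp[505]: D4E5F6A7B8: to=<client@partner.example>, relay=none, delay=30, status=deferred (connect to mx.partner.example[192.0.2.25]: Connection timed out)
"""

# Queue manager line: records the envelope sender for a queue ID.
SENDER = re.compile(r"postfix/n?qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
# SMTP client line: a delivery deferred because the connect attempt failed.
DEFER = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<[^>]*>,.*"
                   r"status=deferred \(connect to ([^\[\s]+)\[[^\]]*\]: ")

def deferred_by_domain(log_text):
    """Return {destination domain: Counter(bounce=n, other=n)} for deferred mail."""
    sender = {}                     # queue ID -> envelope sender
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = SENDER.search(line)
        if m:
            sender[m.group(1)] = m.group(2)
            continue
        m = DEFER.search(line)
        if m:
            qid, host = m.groups()
            domain = ".".join(host.lower().split(".")[-2:])  # crude grouping
            # An empty envelope sender (<>) marks a bounce notification.
            kind = "bounce" if sender.get(qid) == "" else "other"
            stats[domain][kind] += 1
    return stats

def backscatter_suspects(stats, min_bounces=3):
    """Destination domains whose deferred mail is mostly null-sender bounces."""
    return sorted(d for d, c in stats.items()
                  if c["bounce"] >= min_bounces and c["bounce"] > c["other"])
```

A destination that shows up here means the server is generating bounces toward it, which points at mail being accepted for bad recipients and bounced later rather than at an open relay.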
