[Dshield] SMTP problem

Kenzo kenzo_chin at hotmail.com
Mon Oct 11 20:23:34 GMT 2004


Do man anvil.
It gives you the option to limit the number of connections coming from an
IP address in a certain amount of time.
So you could set it to only allow 10 connections from anyone within 1 min.
Any new connection attempt after that will be blocked.
That's not the permanent solution, but it can help for now until you come up
with a final solution.
You should also test your server to make sure that relay is not allowed.
Here is a site that will allow you to do that.
http://members.iinet.net.au/~remmie/relay/


----- Original Message ----- 
From: "Mark Squire" <msquire at lagraphico.com>
To: <list at lists.dshield.org>
Sent: Monday, October 11, 2004 9:09 AM
Subject: [Dshield] SMTP problem


> Hi All,
> I was wondering if I could get some advice.  I believe I might be the
> recipient of a DDOS against a spammer.  I know that doesn't make sense,
> but let me see if I can clear it up a bit.  Yesterday I noticed that our
> emails were a little slow in trickling in.  Thinking this was odd, I
> opened up our SMTP server, and noticed that it had over 3000 emails
> (pretty unusual for us).  I tailed /var/log/maillog (I have postfix),
> and noticed a lot of these errors:
>
> connect to mail2.saveinternet.net[69.42.112.4]: Connection timed out
>
> It didn't make any sense.  I never really got to the root cause I don't
> think, but at one point I went under the assumption that we were somehow
> being used to attack the above address.  The reason I came to that
> conclusion is because I didn't see them try to connect to our domain at
> all, but I saw a bunch of other addresses from all over the place
> connecting to us, and then I saw a bunch of connections coming from us
> to saveinternet.net.  So at that point I blocked all firewall access to
> port 25.  Of course suddenly email stopped flowing in, but it also gave
> the queues a chance to catch up.  After at least 30 minutes, all of the
> legitimate email was delivered, and I opened things back up.  I read
> also to set the qmgr value in master.cf to nqmgr.  I did that, and have
> had some success.  The attack, if that is what it is, appears to still
> be active.  Just a bit ago, I did a scan for all files containing
> "saveinternet" in the "defer" directory, and quite a few results were
> returned.  Here is a sample from one of the ones I opened:
>
> <emailaddress at domain.com>:connect to
> mail3.saveinternet.net[69.42.120.8]: Connection timed out
>
> I used "emailaddress at domain.com" above to sanitize the entry somewhat.
> All of these had what looks like personal email addresses.  Let me say
> also that I am fairly confident it isn't a configuration error because
> we have kept the same configuration for the last 6 months without any
> problems, unless there was something in the config that wasn't capable
> of addressing a problem like this.  Any ideas?  Has anyone had this
> problem?  Is there a postfix utility (other than qmail) that might be
> useful in diagnosing the problem?
>
> Thanks,
> Mark
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
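The per-client connection rate limit Kenzo recommends, worked through as an added example that is not part of either message above. In Postfix releases that ship anvil, the settings behind "man anvil" are smtpd_client_connection_rate_limit (10 here) and anvil_rate_time_unit (default 60s); clients listed in smtpd_client_event_limit_exceptions ($mynetworks by default) are exempt. The script below replays constructed maillog "connect from" lines through a simplified model of that per-client counter so you can see which connections a given limit would refuse before turning it on. The fixed-window reset is my simplification of anvil's accounting, and every IP address, hostname, pid and timestamp in the sample is made up. Keep in mind the limit only throttles inbound connections to smtpd; it does nothing about mail already queued and deferring to saveinternet.net as Mark describes, and it is no substitute for the relay check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Limits modelled on the Postfix anvil parameters named in the reply:
# 10 connections per client per 60-second time unit, with local networks exempt.
RATE_LIMIT = 10            # smtpd_client_connection_rate_limit
RATE_TIME_UNIT = 60        # anvil_rate_time_unit, in seconds
EXEMPT = {"192.0.2.10"}    # stands in for $mynetworks (smtpd_client_event_limit_exceptions)

# Constructed sample maillog lines (not taken from the original post): twelve
# connections in twelve seconds from one client, a normal client and a trusted
# client in between, and the first client returning once its time unit has elapsed.
SAMPLE_LOG = "\n".join(
    [f"Oct 11 09:00:{s:02d} mx postfix/smtpd[22{s:02d}]: connect from unknown[203.0.113.7]"
     for s in range(1, 13)]
    + [
        "Oct 11 09:00:05 mx postfix/smtpd[2240]: connect from mail.example.net[198.51.100.4]",
        "Oct 11 09:00:06 mx postfix/smtpd[2240]: disconnect from mail.example.net[198.51.100.4]",
        "Oct 11 09:00:07 mx postfix/smtpd[2241]: connect from trusted.example.org[192.0.2.10]",
        "Oct 11 09:01:05 mx postfix/smtpd[2250]: connect from unknown[203.0.113.7]",
    ]
)

# syslog timestamp, host, smtpd pid, then "connect from name[ip]" (IPv4 only here)
CONNECT_RE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def parse_connects(text, year=2004):
    """Return (timestamp, client_ip) for every smtpd 'connect from' line.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue  # disconnects and other records are not connection events
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def simulate_anvil(events, limit=RATE_LIMIT, unit=RATE_TIME_UNIT, exempt=EXEMPT):
    """Replay connections through a per-client fixed-window counter.
    Each client's window opens at its first connection and is reset once
    `unit` seconds have passed; connections beyond `limit` inside a window are
    refused. Returns (timestamp, ip, accepted) per event in time order."""
    window_start = {}
    count = defaultdict(int)
    decisions = []
    for ts, ip in sorted(events):
        if ip in exempt:
            decisions.append((ts, ip, True))
            continue
        start = window_start.get(ip)
        if start is None or (ts - start).total_seconds() >= unit:
            window_start[ip] = ts
            count[ip] = 0
        count[ip] += 1
        decisions.append((ts, ip, count[ip] <= limit))
    return decisions


def summarize(decisions):
    """Per client: (total connection attempts, attempts that would be refused)."""
    totals = defaultdict(lambda: [0, 0])
    for _, ip, accepted in decisions:
        totals[ip][0] += 1
        if not accepted:
            totals[ip][1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


if __name__ == "__main__":
    for ip, (total, refused) in summarize(simulate_anvil(parse_connects(SAMPLE_LOG))).items():
        print(f"{ip:15} {total:3} connections, {refused:3} over the rate limit")
```

To calibrate a real limit, feed the script a day of your own maillog instead of the sample and raise the limit until no legitimate peer shows refused connections; the flood client in the sample loses its 11th and 12th attempts and is admitted again once its time unit expires.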


