[unisog] Super-hidden spamming exploits?

Russell Fulton r.fulton at auckland.ac.nz
Mon Oct 6 20:25:50 GMT 2003

On Tue, 2003-10-07 at 06:44, Thomas DuVally wrote:

> Exactly! Is this new or are the spammers just getting around to us? We
> first saw this early last week. If this is a new trend, how are other
> people handling this. We are implementing a few ideas, but we can't
> think of anything approaching a REAL solution, other than shutting off
> SMTP, which isn't really an option, is it?

rate limiting is one obvious approach for internal users (as opposed to
incoming external connections that many people already use to
defeat^H^H^H^H^Hslow down -- spammers). 

I am interested in exploring  what the down side might be.

As I see it it would work this way:
     1. you set some connection rate limit for internal users, this
        would typically be much higher that an external limit.
     2. you maintain a white list of know internal MTAs.
     3. When any host exceeds the limit you stop accepting mail from
        them and raise an alarm. (And perhaps trigger an nmap scan of
        the offending host ?)
     4. someone contacts the 'owner' of the system to find out what the
        problem is, or if there is a problem.

Given that spammers are interested in moving much more mail than any
individual user we should be able to come up with a threshold that will
not get triggered erroneously but will still protect the mail
infrastructure from overloading.

Such a system would also protect us from the likes of sobig-f.

If I get time I'll do some analysis of our mail logs and see what the
distributions of real connection rates are like.

Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

More information about the unisog mailing list