Rodolfo Alcazar Portillo wrote:
Hello. Since Monday, our mailserver (FC5), behind a firewall, is
suffering a heavy DoS mail attack. We have a user account,
[email protected] and it is receiving millions of emails from
very different sites of the planet. Since now, my only action was
deleting the account from /etc/password, and the traffic permits
working. We suspect a virus attack...
What else can we do? We would appreciate any help with this issue. Here is
a 20-second log taken at 07:15 GMT-4 (too early; many PCs off).
I use postfix; I can do this:
[[email protected] sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer
Those are Perl regular expressions.
One can enable the checks thus:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks
Now, if you're not using postfix you may be able to do something similar....
That rejects the email about as fast as you can, you're rejecting it
during the connexion.
Those will be logged. I'd then develop a script to munge the messages to
extract the remote IP address and generate iptables rules to block
entire /24 network addresses containing the offenders.
I would drop, not reject the connexions.
You also need to work with your IAP, who presumably has more bandwidth
than you and can defend more clients from the remote attackers.
Probably you should also involve your relevant law enforcement agency.
# tethereal |grep RCPT
Here you can find a more detailed log:
http://www.padep.org.bo/log20080325/
Thanks, again...
----------------------------------------------
Rodolfo Alcazar - [email protected]
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
"Don't dream your life, live your dream."
- Unknown author
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
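The log-munging script John describes (pull the remote IP out of each Postfix reject line, aggregate by /24, and emit iptables DROP rules for the worst networks), written here as an added example rather than anything from the thread. It assumes standard Postfix syslog wording for smtpd and header_checks rejects; the log lines are constructed, and the threshold and allow-list are hypothetical knobs so you do not block your own relays.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 25 07:15:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[193.115.206.80]: 550 5.1.1 <user@example.net>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<user@example.net> proto=ESMTP helo=<x>
Mar 25 07:15:02 mail postfix/cleanup[2104]: 4F2A1C: reject: header Received: from h (unknown [193.115.206.81]) by mail; from=<y@example.org> to=<user@example.net> proto=ESMTP helo=<h>: No thanks
Mar 25 07:15:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[193.115.206.82]: 550 5.1.1 <user@example.net>: Recipient address rejected; from=<z@example.org> to=<user@example.net> proto=ESMTP helo=<z>
Mar 25 07:15:04 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <user@example.net>: Recipient address rejected; from=<w@example.org> to=<user@example.net> proto=ESMTP helo=<w>
Mar 25 07:15:05 mail postfix/smtpd[2105]: 7B3C2D: client=relay.example.com[192.168.1.20]
"""

# First bracketed IPv4 after "reject:" covers both smtpd ("from unknown[IP]")
# and header_checks ("(unknown [IP])") reject lines.
REJECT_RE = re.compile(r"reject:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def count_rejects_per_net(log_text, prefixlen=24):
    """Map each /prefixlen network (default /24) to the number of rejects seen from it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail and non-reject noise are ignored
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed octets (e.g. 999.1.1.1) never become a rule
        counts[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += 1
    return counts


def iptables_drop_rules(counts, threshold, allow=()):
    """One DROP rule per network at or above threshold; allow-listed nets are skipped."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    rules = []
    for net, n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if n < threshold or any(net.overlaps(a) for a in allowed):
            continue
        # DROP, not REJECT, as advised above: no reply traffic to the attacker.
        rules.append(f"iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_drop_rules(count_rejects_per_net(SAMPLE_LOG), 2, ("192.168.0.0/16",)):
        print(rule)
```

Run it against the real maillog with a threshold tuned to your traffic, and review the rules before applying them; a /24 block also catches legitimate senders sharing that range.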