Re: [OT] HELP!!! mail attack

Rodolfo Alcazar Portillo wrote:
Hello. Since Monday, our mailserver (FC5), behind a firewall, is
suffering a heavy DoS mail attack. We have a user account,
amanda.davila@xxxxxxxxxxxx and it is receiving millions of emails from
very different sites of the planet. Since now, my only action was
deleting the account from /etc/password, and the traffic permits
working. We suspect a virus attack...

What else can we do? We would appreciate any help with this issue. Here,
a 20 seconds log by 07:15 GMT-4 (too early, many pcs off).

I use postfix; I can do this:
[root@xxxxxxxxxxxxx sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer

Those are Perl regular expressions.

One can enable the checks thus:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks

Now, if you're not using postfix you may be able to do something similar....

That rejects the email about as fast as you can; you're rejecting it during the connexion.

Those will be logged. I'd then develop a script to munge the messages to extract the remote IP address and generate iptables rules to block entire /24 network addresses containing the offenders.

I would drop, not reject the connexions.

You need also to work with your IAP who, presumably, has more bandwidth than you, and can defend more clients from the remote attackers.

Probably you should also involve your relevant law enforcement agency.

# tethereal |grep RCPT

  0.030421 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  0.084245 193.195.46.98 -> 192.168.1.15 SMTP Command: RCPT To:<amanda.davila@xxxxxxxxxxxx>
  0.813207 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  1.196831 221.246.173.133 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  1.214975 221.246.173.133 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  1.330348 203.162.4.185 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  1.633672 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  1.999373 64.22.97.151 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  2.674852 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  2.783758 212.241.250.110 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  3.420356 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  3.785264 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  4.742188 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  5.525666 81.80.63.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  5.617303 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  5.854842 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  5.863718 70.103.68.218 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  5.868905 70.103.68.218 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  6.096777 59.124.4.190 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  6.436249 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  6.466815 66.249.92.172 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  7.262385 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
  7.397907 71.86.28.162 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 10.592647 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 10.594863 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 10.646376 81.72.107.178 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 11.262748 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 11.383742 203.162.4.185 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 11.538739 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 11.568291 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 11.988369 203.190.60.202 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 12.501307 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 12.528634 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 12.807326 220.152.32.164 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 13.115271 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 13.453285 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 13.474763 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 14.099809 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 14.393268 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 14.429214 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 15.034781 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 15.053775 212.135.207.34 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 15.337869 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 15.378731 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 15.868339 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 16.258275 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 16.312235 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 16.633300 210.162.25.47 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 17.149183  210.147.8.9 -> 192.168.1.15 SMTP Command: RCPT To:<amanda.davila@xxxxxxxxxxxx>
 17.225328 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 17.237639 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 17.272639 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 17.673762 84.12.48.115 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 17.698118 84.12.48.115 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.182747 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.206657 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.422710 141.156.107.252 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.433819 141.156.107.252 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.588780 189.32.131.187 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 18.810259 210.162.25.47 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 19.128838 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>
 19.167259 140.186.109.125 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@xxxxxxxxxxxx>

Here you can find a more detailed log:
http://www.padep.org.bo/log20080325/

Thanks, again...
----------------------------------------------
Rodolfo Alcazar - rodolfo.alcazar@xxxxxxxxxxxx
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
"Träume nicht dein Leben, lebe deinen Traum."
- Unbekannter Autor
--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
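An added worked example of the log-munging script John describes above; it is not code from the thread or from the Postfix project. It reads the two kinds of lines this thread shows, the tethereal `RCPT TO` capture and the `reject:` lines Postfix's cleanup daemon logs when a header_checks rule fires, extracts the remote client IP, counts hits per /24, and prints iptables DROP rules for any /24 over a threshold. The sample log lines, the `example.invalid` domain, the threshold of 2, and the exemption list for your own address space are constructed assumptions; the Postfix reject line is modelled on the cleanup daemon's log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input (not real traffic): tethereal-style RCPT lines as
# quoted in the thread, plus two Postfix cleanup "reject: header" lines of the
# kind header_checks produces. Domain and addresses are placeholders.
SAMPLE_LINES = """\
  0.030421 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@example.invalid>
  0.084245 193.195.46.98 -> 192.168.1.15 SMTP Command: RCPT To:<amanda.davila@example.invalid>
  0.813207 193.115.206.80 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@example.invalid>
  1.196831 193.115.206.91 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@example.invalid>
  1.330348 192.168.1.40 -> 192.168.1.15 SMTP Command: RCPT TO:<amanda.davila@example.invalid>
Mar 25 07:15:02 mx postfix/cleanup[2211]: 8F3A1C0: reject: header Received: from mail.example.invalid (unknown[140.186.109.125]) from unknown[140.186.109.125]; from=<x@example.invalid> to=<amanda.davila@example.invalid> proto=ESMTP helo=<mail.example.invalid>: No thanks
Mar 25 07:15:03 mx postfix/cleanup[2211]: 8F3A1C1: reject: header Received: from mail.example.invalid (unknown[140.186.109.125]) from unknown[140.186.109.125]; from=<y@example.invalid> to=<amanda.davila@example.invalid> proto=ESMTP helo=<mail.example.invalid>: No thanks
"""

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# tethereal summary line: "<time> <src> -> <dst> SMTP Command: RCPT TO:<...>"
# (the capture in the thread shows both "RCPT TO:" and "RCPT To:", hence re.I)
TETHEREAL_RE = re.compile(
    r"^\s*[\d.]+\s+" + IPV4 + r"\s+->\s+[\d.]+\s+SMTP Command: RCPT TO:", re.I
)

# Postfix cleanup reject line: the connecting client appears as "from name[ip]"
POSTFIX_REJECT_RE = re.compile(r"reject: header .*?\bfrom \S+\[" + IPV4 + r"\]")


def extract_client_ips(lines):
    """Return the remote client IPv4 address from every line we recognise."""
    ips = []
    for line in lines:
        m = TETHEREAL_RE.match(line) or POSTFIX_REJECT_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def aggregate_by_net(ips, prefixlen=24):
    """Count hits per enclosing network (default /24, as John suggests)."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def offending_nets(counts, threshold=2, exempt=()):
    """Networks at or above the threshold, excluding anything inside an
    exempt range (your own LAN, your ISP's relays), busiest first."""
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    kept = []
    for net_str, n in counts.items():
        if n < threshold:
            continue
        net = ipaddress.ip_network(net_str)
        if any(net.subnet_of(e) for e in exempt_nets):
            continue
        kept.append((n, net_str))
    kept.sort(key=lambda t: (-t[0], t[1]))
    return [net_str for _, net_str in kept]


def iptables_rules(nets, chain="INPUT", port=25):
    """Generate DROP rules (drop, not reject, per John's advice) for port 25."""
    return [
        f"iptables -I {chain} -s {net} -p tcp --dport {port} -j DROP" for net in nets
    ]


if __name__ == "__main__":
    ips = extract_client_ips(SAMPLE_LINES.splitlines())
    counts = aggregate_by_net(ips)
    # 192.168.0.0/16 is assumed to be the local network and is never blocked
    nets = offending_nets(counts, threshold=2, exempt=["192.168.0.0/16"])
    for rule in iptables_rules(nets):
        print(rule)
```

In practice you would feed it `grep 'reject: header' /var/log/maillog` rather than the embedded sample, and review the generated rules before running them: a /24 block takes out every host in that network, including any legitimate mail relay that shares it, so the exemption list and threshold are where you tune the trade-off between stopping the flood and bouncing real mail.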
