Re: [cobalt-users] Getting Mail Bombed!
- Subject: Re: [cobalt-users] Getting Mail Bombed!
- From: Michael <mike@xxxxxxxxxx>
- Date: Sun Jul 22 13:29:13 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 09:13 PM 7/22/2001 -0600, you wrote:
>On Sun, 22 Jul 2001, Carrie Bartkowiak wrote:
>
>} it doesn't receive mail? That way the messages would bounce - but
>} hell, you'd have to leave it off for 4 days before the mailing server
>} would give up attempting. Ne'er mind.
>
>Not true. If the site is being mail bombed setting sendmail to
>reject the messages with, as example, a "no such user" rule
>would result in each attempt to mail it generating an error
>message which would then be sent back to the originator of the
>attack. If you are getting hit hard this can quickly eat up great
>amounts of bandwidth, which you may very well have to pay for, so it
>might not be a good idea in your case but you could do this by
>adding an applicable rule to your server's sendmail access file:
>
>DomainName.ext ERROR:"550 Mail Disabled For This Host"
>
> About a year ago or so we had a similar problem originating
>from a huge consulting firm. Their "engineers", of course, would not
>investigate as I was a nobody. Neither would their upstream.
>Desperate, I blocked them with a similar sendmail rule ("Take
>Your Spam and Shove It") then sat here and watched as error message
>after error message was sent their way. It took about 3 or 4 hours
>but eventually their engineers called us... It turned out that all
>the error messages not only choked their email server, but they
>caused some problems for their upstream too, who happened to be
>acting as a 'smart relay'. Worse yet, perhaps, I kept track of my
>time and billed them some $900.00 for "Attack Management". They
>didn't pay, of course, so I went to small claims court and won a
>judgement against them. They haven't paid that either but it looks
>good hanging on the wall...
Unfortunately disabling mail for that domain will cost me greatly. We receive orders from it. AND it is not totally super-critical. The virus is sending me about 300 messages a day now, which is not too bad; 300 an HOUR would be far worse.
I just would like to stop it. I groan when I see the volume of mail and all the virus inspired:
"I send you this file in order to have your advice" God, I am growing to absolutely HATE that phrase!
I checked every computer involved in my business and nobody has the virus. Also, it all seems to be sent by Outlook Express. The subject line is always different and it always has some attachment to it.
Here is another snip from the offending mail; this is a more complete snip than my first one:
Return-Path: <scarlett@xxxxxxxxxxxx>
Received: from 1starnet.com (bizmail-one.1starnet.com [207.243.104.31])
by www.astrology-online.com (8.10.2/8.10.2) with ESMTP id f6N3rjk16081
for <mike@xxxxxxxxxxxxxxxxxxxx>; Sun, 22 Jul 2001 22:53:45 -0500
Received: from sweep [207.243.104.28] by 1starnet.com
(SMTPD32-6.06) id ACE138F011C; Sun, 22 Jul 2001 22:41:24 -0500
Received: (from scarlett [12.18.105.100])
by sweep (NAVIEG 2.1 bld 73) with SMTP id M2001072222390415886
for <mike@xxxxxxxxxxxxxxxxxxxx>; Sun, 22 Jul 2001 22:39:05 -0500
From: "Scarlett Owen"<scarlett@xxxxxxxxxxxx>
To: mike@xxxxxxxxxxxxxxxxxxxx
Subject: sunflower
date: Sat, 21 Jul 2001 22:42:53 -0500
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----2B4E8DA7_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
Message-Id: <M2001072222390415886@sweep>
X-UIDL: P"5!!&2o"!IcD!!n~c!!
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
Content-Type: application/mixed; name=sunflower.zip.bat
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=sunflower.zip.bat
WARNING: The remainder of this message has not been transferred.
The estimated size of this message is 428865 bytes.
Click on the Retrieve From Server icon above and check mail again to get the whole thing. (If you're reading this in the preview pane, you'll need to open the message to see the icon.) If the Retrieve From Server icon is not showing, then this message is no longer on the server.
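
Added example, not part of the original post or the thread: a content check that targets only these messages, so the domain can keep receiving orders. It flags the two traits visible in the sample above, the double-extension attachment name (sunflower.zip.bat) and the fixed body line. The extension sets, the verdict names and the sample() helper are assumptions made for the example; how the check is hooked into mail delivery is left out.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: extensions Windows runs directly, and harmless-looking decoys.
EXECUTABLE = {"bat", "com", "exe", "lnk", "pif", "scr", "vbs"}
DECOY = {"doc", "gif", "jpg", "pdf", "txt", "xls", "zip"}
# Body line the poster reports seeing in every one of these messages.
MARKER = "I send you this file in order to have your advice"

def double_extension_attachments(msg):
    """Filenames shaped like name.<decoy>.<executable>, e.g. sunflower.zip.bat."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename=, else Content-Type name=
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them before splitting.
        pieces = name.lower().rstrip(" .").rsplit(".", 2)
        if len(pieces) == 3 and pieces[1] in DECOY and pieces[2] in EXECUTABLE:
            hits.append(name)
    return hits

def body_has_marker(msg):
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue
        try:
            text = part.get_content()  # undoes quoted-printable / base64
        except (LookupError, ValueError):
            continue  # unknown charset or undecodable part: no verdict from it
        if MARKER in " ".join(text.split()):
            return True
    return False

def classify(raw):
    """Return (verdict, filenames); verdict is reject, quarantine or deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, marker = double_extension_attachments(msg), body_has_marker(msg)
    verdict = "reject" if hits and marker else "quarantine" if hits or marker else "deliver"
    return verdict, hits

def sample(body, filename):
    """Constructed test message: a text body plus one placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = "sunflower"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Only a message showing both traits is rejected outright; a single trait is held for review, so an order that happens to carry an oddly named file is not lost.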