
RE: [cobalt-users] RaQXTR - Help! Being spammed into next week



I'd do a whois on a few of the IP addresses the mail is originating
from. If they appear to be a part of Juno's netblock, I'd block all
traffic from Juno temporarily...this way your server won't go down. I'd
contact Juno and figure something out as a long term solution.

If the whois search says that the IP addresses do not belong to Juno but
do belong to ONE entity...I'd, once again, block all traffic from the
offending network.

The worst scenario would be if the offending senders are not from one
network or don't belong to one entity...and it's some sort of
distributed DoS attack. Unless you or one of your users have ticked
someone off to invite such an attack, I think this scenario is unlikely
because I would think that a hacker's efforts would be better spent
DDoS'ing a bigger target like microsoft.com or something.


-------------------------
Stand Up For Free Speech
http://www.eff.org




-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Tim Skipper
Sent: Sunday, December 08, 2002 4:08 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] RaQXTR - Help! Being spammed into next week


>>>From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Steve Werby
Sent: 08 December 2002 17:21
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] RaQXTR - Help! Being spammed into next week

"Tim Skipper" <mailinglists@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> One of the domains on my XTR is being spammed into oblivion - it
> brought the whole server down about 2am this morning.  I've now 
> removed the catchall address for the domain in question so none of the

> mail is being stored now, but obviously it's still hammering the CPU
> and my bandwidth.

Tim, in that case the email isn't being received by your mail server so
bandwidth used as a result is minimal (the emails don't get sent to your
server in this scenario before being rejected) and the effect on the CPU
should be minimal too.  If that's not the case please provide some
details about memory usage and running processes. <<<

Steve, and others that replied....

Well my server was brought down again and the RAID is busy rebuilding
itself currently, and my maillog is up to 19mb already (from this
morning).  Here's a sample of the headers from two mails that got
through (to valid accounts on the uk-email.com domain):

Return-Path: <amandawl747@xxxxxxxx>
Received: from juno.net ([202.164.175.234])
	by ns.intonet-technology.com (8.10.2/8.10.2) with SMTP id gB8IGYS17766
	for <accounts@xxxxxxxxxxxx>; Sun, 8 Dec 2002 18:16:35 GMT
Received: from unknown (124.37.110.148)
	by rly-xr01.nihuyatut.net with asmtp; 08 Dec 2002 04:19:32 +0100
Received: from unknown (124.33.44.67)
	by anther.webhostingtotalk.com with SMTP; 08 Dec 2002 05:18:38 +0100
Received: from da001d2020.loxi.pianstvu.net ([163.62.164.71])
	by rly-xw01.otpalo.com with SMTP; Sun, 08 Dec 2002 06:17:44 +1200
Reply-To: <amandawl747@xxxxxxxx>
Message-ID: <022b75e45c0b$2548a5d3$1ed76bb8@kkvyla>
From: <amandawl747@xxxxxxxx>
To: <accounts@xxxxxxxxxxxx>, <accreditations@xxxxxxxxxxxx>,
   <accredited@xxxxxxxxxxxx>, <accretion@xxxxxxxxxxxx>,
   <accretions@xxxxxxxxxxxx>
Subject: 5875_CUM_INSIDE_MY_PUSSY_ Gcux
Date: Mon, 09 Dec 2002 04:07:08 -1000
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_00C0_62B03B6D.B0861A23"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
Importance: Normal

---------

Return-Path: <amandakf273@xxxxxxxx>
Received: from juno.net
	(dC854579C.dslam-06-22-4-03-01-02.sal.dsl.cantv.net [200.84.87.156])
	by ns.intonet-technology.com (8.10.2/8.10.2) with SMTP id gB8JoXS02415
	for <tim@xxxxxxxxxxxx>; Sun, 8 Dec 2002 19:50:35 GMT
Received: from [47.187.22.174] by hd.ressort.net with QMQP; 25 Aug 2002 01:53:11 +0100
Received: from unknown (HELO pet.vosni.net) (206.62.100.71)
	by smtp4.cyberecschange.com with esmtp; 25 Aug 2002 02:48:53 +0700
Received: from rly-xw01.otpalo.com ([58.44.238.23])
	by sydint1.microthink.com.au with QMQP; Sun, 25 Aug 2002 09:44:35 +0700
Received: from 163.147.164.234 ([163.147.164.234]) by web.mail.halfeye.com with SMTP; Sun, 25 Aug 2002 16:40:17 -0200
Received: from unknown (HELO mta85.snfc21.pibi.net) (113.112.190.227)
	by smtp4.cyberecschange.com with SMTP; Sun, 25 Aug 2002 14:35:59 +0400
Reply-To: <amandakf273@xxxxxxxx>
Message-ID: <012b18a85e7d$7534c2a4$2ba85eb8@tbluby>
From: <amandakf273@xxxxxxxx>
To: <tilting@xxxxxxxxxxxx>, <tim@xxxxxxxxxxxx>, <timber@xxxxxxxxxxxx>,
   <timbered@xxxxxxxxxxxx>, <timbering@xxxxxxxxxxxx>
Subject: 6616_CUM_VIRGINS_LIVE_ Fxjv
Date: Sun, 25 Aug 2002 16:48:39 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_00E4_45A37C5E.C7431C30"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
Importance: Normal

---------

As you can see they're not coming from a consistent IP address. The only
thing that is relatively common is the from line, which is always
amandaXXXX@xxxxxxxx, where XXXX is a random sequence.

I've got top running, and at any one time there's from 6 to 20 instances
of sendmail running.

Here's the output from tail maillog as of now:

Dec  8 22:00:13 ns sendmail[8115]: gB8LxZ808115: <knighthood@xxxxxxxxxxxx>... No such user here
Dec  8 22:00:15 ns sendmail[8120]: gB8Lxb808120: <kittykat@xxxxxxxxxxxx>... No such user here
Dec  8 22:00:15 ns sendmail[8156]: gB8Lxt808156: from=<amandanh638@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=200-153-251-243.dsl.telesp.net.br [200.153.251.243]
Dec  8 22:00:16 ns sendmail[8150]: NOQUEUE: 200-153-251-243.dsl.telesp.net.br [200.153.251.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  8 22:00:16 ns sendmail[8117]: gB8Lxa808117: from=<amandaqa030@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]
Dec  8 22:00:17 ns sendmail[8121]: gB8Lxb808121: from=<amandaif127@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]
Dec  8 22:00:17 ns sendmail[8125]: gB8Lxe808125: from=<amandarx153@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]
Dec  8 22:00:21 ns sendmail[8093]: gB8LxW808093: from=<amandalc834@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]
Dec  8 22:00:24 ns sendmail[8115]: gB8LxZ808115: from=<amandanl107@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]
Dec  8 22:00:26 ns sendmail[8120]: gB8Lxb808120: from=<amandady052@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[218.76.241.33]

Any help would be much appreciated, I can't afford for my server to keep
going down.

Regards,
Tim Skipper


_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users