[Full-disclosure] joe job mitigation



the surface: a POP3 "catch-all" mailbox

the problem: fallout from a (small) joe job attack - 6000 bounces in
the mail queue, mixed with normal mail, from all over the internet

aggravating circumstances: a spam filter which takes 5-10 seconds to
process each bounce

potential consequences: day-long denial of email service on all mail
accounts due to POP3 client waiting on the spam filter on this one
mailbox

the solution:

1. in my spam filter, whitelisted postmaster@ and mailer-daemon@ -
this caused all the bounces to be processed immediately instead of
being checked for spam - the spam filter was catching some bounces
for me which was nice, but it was too slow. So I let them all
through.

2. ran my inbox cleaner, it's already programmed to delete bounces:

- mailx 0.07 Aug 29, 2006 00:25:26 [kill_bounces]: 5312 messages
killed (5994 messages total) [hitrate: 88.62196%]

3. (optional - I tried it, can be fun) go drink beer with mates.

notes:

- while Non-Delivery Receipts (NDRs) pose a threat, in terms of
denial of service after a joe job, their predictability makes them
easy to filter. This substantially reduces the potential for a joe
job to cause sustained damage.

- Challenge/Response systems are more problematic than NDRs. These
systems have no standard format and thus are more difficult to
filter. In particular, CR makers could mitigate the risk of their
systems being used as a weapon by utilising the standard
"mailer-daemon" string in their From: fields.

- most of the remaining 12% of mail seems to have vanished in the
nightly cleanup event, presumably due to matches with other rules.
Ah well. Will have to wait for the next one to collect some more NDR
strings.

- I wonder if I can analyse the bounces, extract IPs and map the
botnet? That might be fun too.

---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
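The post's point is that NDRs are predictable enough to drop before they reach a slow spam filter. The script below is an added illustration, not the poster's mailx tool: it classifies a mailbox of constructed sample messages as bounce or not using the two whitelisted senders, the RFC 3464 delivery-status report type, the Auto-Submitted header and the empty Return-Path, and reports a kill count and hit rate in the same shape as the mailx log line above.

```python
"""Drop bounce messages (NDRs) before they hit a slow spam filter.
Added example, not the poster's mailx script; sample mail is constructed."""
import email
from email import policy
from email.utils import parseaddr

# Local parts used by nearly every bounce generator; the post whitelists
# exactly these two in its spam filter.
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}


def is_bounce(msg):
    """True when the message carries one of the predictable NDR markers."""
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local in BOUNCE_SENDERS:
        return True
    # RFC 3464 DSN: multipart/report with report-type=delivery-status
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    # RFC 3834: auto-generated replies (C/R challenges, vacation mail) say so
    if msg.get("Auto-Submitted", "no").lower() not in ("no", ""):
        return True
    # Empty envelope sender is the classic bounce signature
    return msg.get("Return-Path", "").strip() == "<>"


def kill_bounces(raw_messages):
    """Split raw RFC 822 messages into (kept, killed, hit-rate percent)."""
    kept, killed = [], []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        (killed if is_bounce(msg) else kept).append(msg)
    total = len(kept) + len(killed)
    return kept, killed, (100.0 * len(killed) / total if total else 0.0)


# Constructed sample mailbox: two bounces, one auto-reply, one real mail.
SAMPLE = [
    "From: MAILER-DAEMON@example.net\nTo: victim@example.org\n"
    "Subject: Undelivered Mail Returned to Sender\n\nbounce body\n",
    "From: noreply@example.com\nReturn-Path: <>\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=b\n"
    "Subject: Delivery Status Notification (Failure)\n\n--b\n--b--\n",
    "From: bob@example.com\nAuto-Submitted: auto-replied\n"
    "Subject: Out of office\n\nback next week\n",
    "From: alice@example.com\nTo: victim@example.org\n"
    "Subject: lunch?\n\nbeer with mates?\n",
]

if __name__ == "__main__":
    kept, killed, rate = kill_bounces(SAMPLE)
    print(f"{len(killed)} messages killed ({len(SAMPLE)} total) [hitrate: {rate:.5f}%]")
```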
