Re: SMTP DDoS

From: stephane nasdrovisky (stephane.nasdrovisky_at_uniway.be)
Date: 08/13/03

    Date: Wed, 13 Aug 2003 10:05:01 +0200
    To: "Kip Sr." <kipsr1@yahoo.com>
    
    

    A customer suffered from this kind of NDR flooding 2 years ago. All its
    valid email addresses were looking like "x.y@x.com". Rejecting any mail
    sent to "x@x.com" but "info@x.com" and "sales@x.com" at the firewall
    level saved their bandwidth and administration overhead. I guess that's
    the kind of filter you already have implemented? If the forged from
    address is one of your valid email addresses, chances are you'll have to
    call the police department.
    An anti-spam email client (Netscape 7.1/Mozilla 1.4) or an anti-spam server
    based on Bayesian filtering could filter out most of this NDR flood.
    Unfortunately, it would not save your bandwidth.

    Our customer faced this issue a short time after buying a foreign company
    and the flood was about 100 mails per second. It lasted about 6 months.

    Kip Sr. wrote:

    >For the past 10 days, our mail exchange server has
    >been getting flooded with emails. It appears that an
    >attacker is sending out tons of spam through various
    >open relays and using our address
    >(sales@mycompany.com) in the return path. So
    >essentially, all bounced emails are coming back to our
    >mail server - we're seeing about 30,000 NDRs per day.
    >I am using filters to delete the incoming email, but
    >does anyone else have any other ideas on how to get
    >this stopped? Since the NDRs are coming from
    >legitimate sources, checking for open relays won't do
    >me any good.

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
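The recipient filter described in the reply, sketched as an added example that is not part of the original message or either poster's configuration. It assumes a constructed domain (`example.com`), a "first.last" local-part scheme plus the two role addresses, and constructed SMTP envelopes; it also shows why bounces aimed at a valid address such as `sales@` still get through.

```python
import re

# Assumed policy, modelled on the post: every real mailbox is first.last@domain,
# plus two role addresses. DOMAIN and the sample envelopes are constructed.
DOMAIN = "example.com"
ROLE_ADDRESSES = {"info", "sales"}
PERSON_LOCAL_PART = re.compile(r"[a-z0-9-]+\.[a-z0-9-]+")


def accept_recipient(rcpt: str) -> bool:
    """Return True if the RCPT TO address fits the known addressing scheme."""
    addr = rcpt.strip().strip("<>").lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or domain != DOMAIN:
        return False
    return local in ROLE_ADDRESSES or PERSON_LOCAL_PART.fullmatch(local) is not None


def triage(envelopes):
    """Split (mail_from, rcpt_to) pairs into rejected, delivered, and
    bounces that still arrive because they target a valid address."""
    result = {"rejected": [], "delivered": [], "bounce_to_valid": []}
    for mail_from, rcpt_to in envelopes:
        if not accept_recipient(rcpt_to):
            # Refused at RCPT time, before the message body is transferred.
            result["rejected"].append(rcpt_to)
        elif mail_from == "<>":
            # A null reverse-path marks a delivery notification (RFC 5321).
            result["bounce_to_valid"].append(rcpt_to)
        else:
            result["delivered"].append(rcpt_to)
    return result


# Constructed sample envelopes: (MAIL FROM, RCPT TO)
SAMPLE = [
    ("<>", "<bob@example.com>"),
    ("<>", "<sales@example.com>"),
    ("<alice@partner.test>", "<jane.doe@example.com>"),
    ("<>", "<x7f3@example.com>"),
]

if __name__ == "__main__":
    for bucket, rcpts in triage(SAMPLE).items():
        print(bucket, rcpts)
```

Bounces that land in `bounce_to_valid` are the case the reply says the address-pattern filter cannot handle, since the forged return path is a real mailbox.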

