Re: Mail DoS from Bellsouth
From: crawdog (c.nishimura@verizon.net) Date: 08/21/02
- Next message: crawdog: "Re: iptables and one interface"
- Previous message: Ian Jones: "Re: Is DNS a problem??"
- In reply to: LR: "Mail DoS from Bellsouth"
- Next in thread: LR: "Re: Mail DoS from Bellsouth"
- Reply: LR: "Re: Mail DoS from Bellsouth"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: crawdog <c.nishimura@verizon.net> Date: Wed, 21 Aug 2002 04:40:51 GMT
LR wrote:
> I'm confused about the number of (SMTP-bound) packets originating from
> Bellsouth's network to my mail server. I had to block their IP range to
> prevent my server from being completely overloaded. Initially I would think
> this the work of a spammer, but there are 30+ bellsouth mail servers
> attempting connection to my box multiple times/second constantly for the
> last week. I can't fathom that bellsouth would be so incompetent as to let
> this happen, but I've gotten no response from abuse@ so I s'pose it's
> possible. A log sample is below...has anyone seen this before?
>
> Aug 20 07:04:02 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.163:30669 xx.xx.xx.xx:25 L=44 S=0x00 I=14886 F=0x4000 T=238 SYN (#2)
> Aug 20 07:04:07 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.48:55261 xx.xx.xx.xx:25 L=44 S=0x00 I=53501 F=0x4000 T=238 SYN (#2)
> Aug 20 07:04:08 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.163:30669 xx.xx.xx.xx:25 L=44 S=0x00 I=14887 F=0x4000 T=238 SYN (#2)
> Aug 20 07:04:10 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.52:62693 xx.xx.xx.xx:25 L=44 S=0x00 I=7213 F=0x4000 T=238 SYN (#2)
>
> TIA,
> LR
Let's see. As Tim mentioned TCP connections go by a 3,6,12,... second
time interval. The two connection attempts from 205.152.58.163 are 6
seconds apart. Additionally, the packet id # increments up by one
(14886, 14887). This is a very quiet tcp stack. This is likely to be a
TCP connection attempt from a very quiet client.
However, there are other smtp connection attempts. No real pattern
except the TTLs (238) are all the same. Your e-mail hdr indicates
acedsl.com, which is on the US east coast(?). Bellsouth is on the other
side of N.A. so the TTL is likely legit (assuming an init TTL value of
about 255).
Someone mentioned Klez. This is possible. If so, this means that a bunch
of people on bellsouth are sending klez to a bunch of users on your
network; bellsouth user(s) have your folks in their address book. One
thing to check is the time stamps. Early morning e-mail from bellsouth
is unlikely unless the source is a nightowl.
Someone mentioned spam. Sort of smells like spam.
Hard to figure out without seeing more of your logs. However, I can
speculate. A while back, one Manfred Bartz (sp?) used to correct me
whenever I misread the logs. OT: WTF is Manfred doing? (Tim?, Luke?) What
happened to one Mr. Erskine, queen:-) of this ng?
Clyde
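The checks Clyde applies by eye in the reply above (retry spacing, IP ID increments, a constant TTL across senders) as a small script, added here as an example and not part of the thread. It parses LR's four log lines, groups SYNs by source address and port, and reports per flow whether the gap between SYNs and the IP ID step fit one client retrying, or whether the traffic is many independent single-SYN senders. The 3/6/12 second backoff schedule, the IP ID step threshold, the initial TTL of 255 used for the hop estimate and the year supplied to the syslog timestamps are assumptions, not facts from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four entries from LR's post, rejoined onto one line each (the original
# mail wrapped them). xx.xx.xx.xx is LR's masked mail server address.
SAMPLE_LOG = """\
Aug 20 07:04:02 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.163:30669 xx.xx.xx.xx:25 L=44 S=0x00 I=14886 F=0x4000 T=238 SYN (#2)
Aug 20 07:04:07 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.48:55261 xx.xx.xx.xx:25 L=44 S=0x00 I=53501 F=0x4000 T=238 SYN (#2)
Aug 20 07:04:08 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.163:30669 xx.xx.xx.xx:25 L=44 S=0x00 I=14887 F=0x4000 T=238 SYN (#2)
Aug 20 07:04:10 server kernel: Packet log: input DENY eth0 PROTO=6 205.152.58.52:62693 xx.xx.xx.xx:25 L=44 S=0x00 I=7213 F=0x4000 T=238 SYN (#2)
"""

# ipchains "Packet log:" layout, inferred from the sample above (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?P<rest>.*)$"
)

# Assumed SYN retransmission schedule: the "3,6,12" seconds Clyde refers to,
# i.e. each retry waits twice as long as the previous one.
BACKOFF_STEPS = (3, 6, 12, 24, 48)
TOLERANCE_S = 1.0     # syslog timestamps have one-second resolution
MAX_IPID_STEP = 8     # a "quiet" stack sends few packets between retries (assumed threshold)


def parse_line(line, year=2002):
    """Return the fields of one ipchains log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # syslog timestamps carry no year; supply one so time deltas can be computed
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "ipid": int(m["ipid"]), "ttl": int(m["ttl"]),
        "syn": "SYN" in m["rest"].split(),
    }


def looks_like_retransmit(delta_s, prev_ipid, ipid):
    """True if two SYNs from the same src:port look like one client retrying."""
    spacing_ok = any(abs(delta_s - step) <= TOLERANCE_S for step in BACKOFF_STEPS)
    # IP ID is a 16-bit counter; a retry from an otherwise idle host advances it by little
    id_ok = 0 < (ipid - prev_ipid) % 65536 <= MAX_IPID_STEP
    return spacing_ok and id_ok


def analyze(log_text, initial_ttl=255):
    """Group SYNs per src:port, judge each flow, and summarise TTLs across sources."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["syn"]:
            flows[(rec["src"], rec["sport"])].append(rec)

    result = {"flows": {}, "distinct_sources": 0, "ttls": [], "hops": []}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        deltas, retry_like = [], 0
        for a, b in zip(recs, recs[1:]):
            delta = (b["ts"] - a["ts"]).total_seconds()
            deltas.append(delta)
            if looks_like_retransmit(delta, a["ipid"], b["ipid"]):
                retry_like += 1
        if len(recs) == 1:
            verdict = "single SYN"
        elif retry_like == len(deltas):
            verdict = "retrying client"
        else:
            verdict = "irregular"
        result["flows"][key] = {"count": len(recs), "deltas": deltas, "verdict": verdict}

    result["distinct_sources"] = len({src for src, _ in flows})
    result["ttls"] = sorted({r["ttl"] for recs in flows.values() for r in recs})
    # The hop estimate only holds if the senders really start at initial_ttl (assumed 255)
    result["hops"] = [initial_ttl - t for t in result["ttls"]]
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for (src, sport), info in sorted(report["flows"].items()):
        print(f"{src}:{sport}  SYNs={info['count']}  gaps={info['deltas']}  -> {info['verdict']}")
    print(f"{report['distinct_sources']} distinct sources; TTLs seen {report['ttls']} "
          f"(~{report['hops']} hops if initial TTL {255})")
```

On LR's sample this flags 205.152.58.163:30669 as a single retrying client (one 6 s gap, IP ID 14886 to 14887) and the other two sources as lone SYNs, with every packet arriving at TTL 238. Run over a full day of the log, the same grouping separates "one host hammering the port" from "many hosts each trying once or twice", which is the distinction between a flood and a spam or worm run that the reply is reasoning about.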