SUMMARY: "maniac.net" spoils our life every ten minutes...

From: Irene A. Shilikhina <irene_at_alpha.iae.nsk.su>
Date: Wed, 18 Mar 1998 15:19:13 +0600 (NSK)

Hello managers,

I was happy to receive the response from "Charles M. Richmond"
<cmr_at_koibito.iisc.com>, who helped me get rid of "maniac" (for now
at least!). He writes:

>Actually what has occurred is that you have received some spam email,
>that probably has a forged maniac.net return address. The lame delegations
>are occurring because one of your machines is trying to bounce the email
>back to its supposed source. (use the mailq cmd on your systems to find
>it).
>
>The reason that it is not getting either eaten or bounced is most likely
>that the primary NS has deleted the entry but the secondary still has it.
>
>The quick and dirty fix is to find the spooled email and delete it from
>the /usr/spool/mail directory. (ie rm ?f?some_unique_#*)
>
 ______________________________________________________________
| My comment:                                                  |
| Actually I had to do it with the /usr/spool/mqueue directory |
|______________________________________________________________|
>The long-term fix is to get either the Internic or "charm.net" to fix
>the problem. I found that pointing out that the faulty configuration, when
>combined with the forged email spam, was essentially a DOS attack, and that
>I would report it as such to the FBI (-: That did work (-: Of course
>appending the log results helped.
>
>Charles Richmond

Michel-Ange Camhi <camhi_at_ec-lille.fr> says:

>Upgrading to BIND 4.9.6 should terminate this. You're most likely the target
>of 'spoofers', where the attackers pass wrong information to the DNS to
>get an unsupplied reversal hostname.
>
>Michel-Ange Camhi
>IRC operator on irc.ec-lille.fr (EFNet)
>Third-year engineering student
>Ecole Centrale de Lille
 
Much thanks to both of you!!!

I have to confess: perhaps I was too impatient waiting for a reply from
the administrator of the CHARM.NET zone. I have received mail from Robert
Aro <admin_at_charm.net> and sent him a piece of my daemon.log.

My original message:
>Dear managers,
>
>it's already the third day that our name server has been "attacked" by "Lame
>delegation to 'maniac.net' from [199.0.70.21]" (or .23) every ten minutes...
>(an expressive domain name, isn't it?).
>I know that such messages are possible sometimes as a result of an error
>in authority delegation in some master files (and I receive some from time
>to time), but such persistence discourages me!
>
>I had a look at the servers authoritative for maniac.net domain (there are
>two - NS-PRIME.CHARM.NET and NS-BIS.CHARM.NET), and yesterday sent e-mail
>to the administrator whose address I see in their SOA RR... - to no avail!
>
>Of course, I could block everything from these addresses; nevertheless
>I consider that not fully correct, since it may be useful information.
>It's DNS, after all...
>
>Thanks,
>Irene.
 
Best regards,
Irene
_______________________________________________________________________________
Irene A. Shilikhina (e-mail: irene_at_alpha.iae.nsk.su)
DU system manager,
Institute of Automation & Electrometry
Novosibirsk, Russia
_______________________________________________________________________________
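The thread's diagnosis rests on one observation: a lame-delegation message that repeats at a fixed interval for days is not an ordinary zone-file slip but a queued bounce being retried, and the thing to look at is the mail queue rather than the DNS. The script below is an added example (not code from the original post or from either of the quoted correspondents) that turns that observation into a check you can run over a daemon.log: it parses lame-delegation lines, groups them by zone and querying address, and flags the pairs that keep recurring, which is exactly the signature Irene describes. The log line format, the hostname "alpha", the process id, the 1998 log year and the sample lines themselves are all constructed assumptions; real BIND wording differs between versions, so adjust the regular expression to your own named's output.

```python
import re
import statistics
from datetime import datetime, timedelta

# Assumed line format: a syslog prefix followed by the wording Irene quotes
# from her daemon.log. BIND versions differ in phrasing; adapt the regex.
LAME_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"Lame delegation to '(?P<zone>[^']+)' from \[(?P<src>[\d.]+)\]"
)

LOG_YEAR = 1998  # syslog timestamps carry no year; assumed for the sample


def parse_lame_events(lines, year=LOG_YEAR):
    """Return (timestamp, zone, source_ip) for every lame-delegation line."""
    events = []
    for line in lines:
        m = LAME_RE.match(line)
        if not m:
            continue  # unrelated daemon.log traffic
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("zone").lower(), m.group("src")))
    return events


def summarize(events):
    """Group by (zone, source) and report count, time span and typical gap."""
    groups = {}
    for ts, zone, src in events:
        groups.setdefault((zone, src), []).append(ts)
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return summary


def persistent_sources(summary, min_count=6, min_span=timedelta(hours=1)):
    """(zone, source) pairs that keep coming back: a retry loop, not a one-off.

    A single stray lame-delegation message is normal; the same zone from the
    same address every few minutes for hours is the bounce-retry pattern the
    thread describes, and the next step is `mailq` / the mqueue directory.
    """
    return sorted(
        key for key, s in summary.items()
        if s["count"] >= min_count and s["last"] - s["first"] >= min_span
    )


def _constructed_log():
    """Constructed sample log, not real data: one retry loop plus one stray hit."""
    lines = []
    start = datetime(LOG_YEAR, 3, 16, 9, 12, 41)
    for i in range(30):  # 30 hits, ten minutes apart, spread over ~5 hours
        ts = start + timedelta(minutes=10 * i)
        src = "199.0.70.21" if i % 3 else "199.0.70.23"  # ".21 (or .23)" as in the post
        lines.append(
            f"{ts:%b %d %H:%M:%S} alpha named[311]: "
            f"Lame delegation to 'maniac.net' from [{src}]"
        )
    # A genuine one-off misdelegation from a documentation address (RFC 5737).
    lines.append("Mar 16 11:05:02 alpha named[311]: "
                 "Lame delegation to 'example.org' from [192.0.2.5]")
    lines.append("Mar 16 11:05:03 alpha sendmail[402]: unrelated line")
    return lines


if __name__ == "__main__":
    summary = summarize(parse_lame_events(_constructed_log()))
    for key in persistent_sources(summary):
        s = summary[key]
        print(f"{key[0]} from {key[1]}: {s['count']} hits, "
              f"{s['first']:%b %d %H:%M} .. {s['last']:%b %d %H:%M}, "
              f"median gap {s['median_gap_s']:.0f}s -> check mailq")
```

Run it against `grep named /var/adm/syslog/daemon.log` instead of the constructed list to get the real offenders; any pair it flags is the one whose bounce you should look for with `mailq` before considering blocking the address, which, as the original message notes, would also discard legitimate DNS answers.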
Received on Wed Mar 18 1998 - 12:12:09 NZST
