[SUMMARY]: Another sort of smtp attack? (from all over the world)

From: Irene A. Shilikhina <irene_at_alpha.iae.nsk.su>
Date: Tue, 18 Jul 2000 11:32:49 +0700 (NSD)

Hello managers,

yesterday I wrote about a flood of messages addressed to a nonexistent
user (the same one every time) on our server, with an empty reverse address
and a different relay in every message. [This caused a problem on the server
because these transactions occupied almost all of the connections allowed by
the limit in the sendmail configuration file]. Besides, I was puzzled because
these relays were all over the world.

Thanks to
Fredrik Palm <frpa01_at_handelsbanken.se>,
Richard Westlake <r.westlake_at_mail.cryst.bbk.ac.uk>, and
Paolo Lucente <vertigo_at_newnet.dada.it>, who replied.

Fredrik and Richard helped to restore the picture entirely.
Their supposition, which seems persuasive, is that someone sent a very
large volume of SPAM with a faked from/return address that made it look as
if the mail originated on our system, using an address list that probably
contained a lot of addresses which were no longer valid. And what I was
seeing was the bounces from all these bad addresses.

Besides, Fredrik pointed out that an empty FROM address (from=<>) is,
according to RFC821, the supported way to send error messages/bounces.
And he is right: it turns out that RFC821 says [how useful it can be to
read RFCs IN TIME... :) ] that specifying a null reverse-path in the
MAIL command of a notification message is one way to prevent loops in
error reporting:
    MAIL FROM:<>
[And I should thank Jonathan B. Postel, the author of RFC821, because
without this precaution I can only imagine the mess that would be
caused by such misuse :) ]

My original posting and those by Richard and Fredrik are below my
signature.

Irene
P.S. In my original e-mail, by the command "TO:" I meant the RCPT
command, which implies "TO:".
*************************************************************************
* *
* Irene A. Shilikhina e-mail: irene_at_alpha.iae.nsk.su *
* System administrator, *
* Institute of Automation & Electrometry, *
* Siberian Branch of Russian Academy of Sciences, *
* Novosibirsk, Russia *
* http://www.iae.nsk.su/~irene *
*************************************************************************
* *
* The road to hell is paved with good intentions. *
* *
*************************************************************************

On Mon, 17 Jul 2000, Irene A. Shilikhina wrote:

>
> Hello managers,
>
> this morning I found a huge number of entries in mail.log which have an
> abnormal appearance: without any SMTP command ("TO" would be expected),
> only a delivery address - a nonexistent user (explicitly falsified) on our
> server - and, worst of all, all of them have a DIFFERENT RELAY ADDRESS -
> FROM ALL OVER THE WORLD - to the same recipient. Since the existing rules
> are not violated, there is no "ruleset=check_mail". (Although I don't
> know why smtp does not complain about the absence of any command, this
> does not matter).
>
> Is there someone who has encountered the same, and what might your advice
> be? We are running sendmail 8.9.3 on Tru64 4.0D.
>
> An extract from the mail.log:
>
> Jul 16 22:01:40 alpha sendmail[7373]: WAA07373:
> <iejrgbni_at_alpha.iae.nsk.su>... User unknown
> Jul 16 22:01:41 alpha sendmail[7373]: WAA07373: from=<>, size=7275,
> class=0, pri=0, nrcpts=0, proto=ESMTP,
> relay=faulkner.netnet.net [206.40.99.110]
>
> etc. etc. etc...
>
> Thanks,
> Irene

-------------------------------------->%-----------------------------------


From r.westlake_at_mail.cryst.bbk.ac.uk Tue Jul 18 09:22:25 2000
Date: Mon, 17 Jul 2000 12:08:43 +0100
From: Richard Westlake <r.westlake_at_mail.cryst.bbk.ac.uk>
To: "Irene A. Shilikhina" <irene_at_alpha.iae.nsk.su>
Subject: Re: Another sort of smtp attack? (from all over the world)

Irene
Hi
We had a similar problem a year or two ago.
I don't know about the TO address, but we saw large numbers of connections
from all over the internet.

I would guess that someone has sent a very large volume of SPAM (not from
your system) with a faked from/return address which makes it look like the
mail originated on your system.
The address list they are using probably contains a lot of addresses which
are no longer valid. They may also be trying to brute force the address
list for people like AOL by generating all possible IDs; that needs a lot of
network bandwidth, but if you use open relays then someone else pays.

What you are seeing is the bounces from all these bad addresses.
When this happened to us it took over a day to clear and the load nearly
crashed our mail server. Hope it is not so bad for you.

If this is the case then you should start to get angry emails complaining
about the SPAM from people who don't or won't look at the full headers. :-(


Good luck and all the best

Richard Westlake

Crystallography Dept. , Birkbeck College, Malet Street, London WC1E 7HX
Tel: 020-7631-6859
----------------------------------------------------------------------
               Truth endures but spelling changes -- Anon.
----------------------------------------------------------------------

------------------------------------>%--------------------------------
From frpa01_at_handelsbanken.se Tue Jul 18 10:40:26 2000
Date: Mon, 17 Jul 2000 08:23:55 +0200
From: Fredrik Palm <frpa01_at_handelsbanken.se>
To: "Irene A. Shilikhina" <irene_at_alpha.iae.nsk.su>
Subject: Re: Another sort of smtp attack? (from all over the world)

Hi,

Well, I'm not sure about this but.... An empty from address (from=<>) is,
according to RFC821, the supported way to send error messages/bounces.

Could it be that, for some reason, your users are sending emails to
non-existent addresses out there with their own from: addresses set wrong?
This would mean that the email goes out to wherever, an error message
is generated and sent back to an illegal address (at your site), resulting
in the syslog entry below?

Just a thought,
\\Fredrik

----------------------------------------------------------
Fredrik Palm Email: frpa01_at_handelsbanken.se
Svenska Handelsbanken Phone: +46-8-7011789
CDCK-I Fax: +46-8-7011624
106 70 Stockholm
Sweden
Received on Tue Jul 18 2000 - 06:01:59 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:41 NZDT
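The pattern in the log extract above (a "User unknown" rejection for the same nonexistent local address, paired by queue ID with an envelope line carrying from=<> and a different relay every time) can be picked out of a sendmail log mechanically, which is what a postmaster would want to do before deciding whether a flood is backscatter from forged spam or something else. The following is an added example and not code from the original thread or from sendmail; it runs over a few constructed log lines in the sendmail 8.9 format shown in the post (the first two lines mirror the quoted ones; the other hosts, IP addresses and queue IDs are made up) and flags a recipient only when null-sender bounces to an unknown user arrive from several distinct relays. A single legitimate bounce, or direct spam to the nonexistent user with a non-null sender, is deliberately not flagged.

```python
import re
from collections import defaultdict

# Constructed sendmail 8.9-style log lines. The WAA07373 pair mirrors the two
# lines quoted in the posting; every other host, address, IP and queue ID is
# hypothetical. Lines for one message share a queue ID and may appear in
# either order.
SAMPLE_LOG = """\
Jul 16 22:01:40 alpha sendmail[7373]: WAA07373: <iejrgbni@alpha.iae.nsk.su>... User unknown
Jul 16 22:01:41 alpha sendmail[7373]: WAA07373: from=<>, size=7275, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=faulkner.netnet.net [206.40.99.110]
Jul 16 22:01:44 alpha sendmail[7380]: WAA07380: <iejrgbni@alpha.iae.nsk.su>... User unknown
Jul 16 22:01:45 alpha sendmail[7380]: WAA07380: from=<>, size=6110, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mx1.example.net [192.0.2.10]
Jul 16 22:01:50 alpha sendmail[7391]: WAA07391: <iejrgbni@alpha.iae.nsk.su>... User unknown
Jul 16 22:01:51 alpha sendmail[7391]: WAA07391: from=<>, size=8002, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=smtp.example.org [198.51.100.7]
Jul 16 22:02:03 alpha sendmail[7410]: WAA07410: <iejrgbni@alpha.iae.nsk.su>... User unknown
Jul 16 22:02:04 alpha sendmail[7410]: WAA07410: from=<bulk@example.com>, size=3100, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=open-relay.example.com [203.0.113.9]
Jul 16 22:02:20 alpha sendmail[7420]: WAA07420: from=<>, size=1200, class=0, pri=0, nrcpts=1, proto=ESMTP, relay=mail.example.edu [203.0.113.5]
"""

# "<rcpt>... User unknown" rejection line, keyed by queue ID.
UNKNOWN_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): <(?P<rcpt>[^>]+)>\.\.\. User unknown$"
)
# Envelope line: reverse-path (empty for a bounce) and the relay that
# connected to us. The relay is the bouncing MTA, not the spam source.
ENVELOPE_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,.*"
    r"relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)


def parse_log(text):
    """Join the per-message log lines into one record per queue ID.

    Returns {qid: {"unknown_rcpt": ..., "sender": ..., "relay": ..., "ip": ...}}
    with only the keys that the log actually supplied for that message.
    """
    records = defaultdict(dict)
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            records[m["qid"]]["unknown_rcpt"] = m["rcpt"]
            continue
        m = ENVELOPE_RE.search(line)
        if m:
            records[m["qid"]].update(
                sender=m["sender"], relay=m["relay"], ip=m["ip"]
            )
    return dict(records)


def find_backscatter(records, min_relays=3):
    """Return {recipient: sorted list of relays} for recipients that look like
    backscatter targets: the message had a null reverse-path (from=<>), the
    recipient was rejected as unknown, and such bounces came from at least
    min_relays distinct relays. A real bounce to a real user, or direct spam
    to a nonexistent user with a non-null sender, is not counted.
    """
    relays = defaultdict(set)
    for rec in records.values():
        if rec.get("sender") == "" and "unknown_rcpt" in rec:
            relays[rec["unknown_rcpt"]].add(rec["relay"])
    return {r: sorted(s) for r, s in relays.items() if len(s) >= min_relays}


if __name__ == "__main__":
    hits = find_backscatter(parse_log(SAMPLE_LOG))
    for rcpt, hosts in hits.items():
        print(f"backscatter to {rcpt} from {len(hosts)} relays: {', '.join(hosts)}")
```

The threshold on distinct relays is the point: one null-sender bounce to a bad address is normal mail, and the thing that made the original flood recognisable was that the same forged recipient was being bounced by MTAs all over the world. The relay names and IPs collected here identify the systems that accepted the forged spam, which is who would be worth contacting, not who sent it.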