Posted to server-user@james.apache.org by Mark Brennand <ma...@ten62.com> on 2006/12/22 04:51:30 UTC

Some advice regarding a mail attack

Not so much a question about JAMES but a question for the community
regarding an increased server load due to what I believe is some malicious
activity. For the past 4 days my JAMES server has been coping with
~25,000-30,000 connections and spooling 15,000-20,000 emails.

Here is what I think is happening:
1. Malicious party is sending bulk email to recipients around the globe,
pretending to be sending from one of my domains
2. The recipients' MTAs are bouncing these unwanted, undeliverable mails back
to my server

When these mails arrive at JAMES a small percentage are marked as SPAM but
the majority are 'Local Address Error' as the 'original' sender does not
exist.

Sample from the server's log (________________ == my domain, removed from this
email):
-----8<------
22/12/06 12:47:39 INFO  smtpserver: Connection from
81-208-57-142.ip.fastwebnet.it (81.208.57.142)
22/12/06 12:47:40 INFO  smtpserver: Connection from dslstatic14.ctcinet.com
(72.20.66.79)
22/12/06 12:47:41 INFO  smtpserver: Connection from mail.gartner.tv
(64.60.40.66)
22/12/06 12:47:41 INFO  smtpserver: executing message handlers
22/12/06 12:47:41 INFO  smtpserver: sending mail
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail
Mail1166755661386-20 from null on 72.20.66.79 for
[DorotheaStanley@________________]
22/12/06 12:47:41 INFO  smtpserver: executing message handlers
22/12/06 12:47:41 INFO  smtpserver: sending mail
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail
Mail1166755661258-19 from null on 81.208.57.142 for
[GroverDukes@________________]
22/12/06 12:47:41 INFO  smtpserver: executing message handlers
22/12/06 12:47:41 INFO  smtpserver: sending mail
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail
Mail1166755661717-21 from null on 64.60.40.66 for
[AronClinemc@________________]
22/12/06 12:47:43 INFO  smtpserver: Connection from mail.acmcentral.com
(63.230.36.2)
22/12/06 12:47:44 INFO  smtpserver: executing message handlers
22/12/06 12:47:44 INFO  smtpserver: sending mail
22/12/06 12:47:44 INFO  smtpserver: Successfully spooled mail
Mail1166755664143-22 from null on 63.230.36.2 for
[DianeTripp@________________]
22/12/06 12:47:46 INFO  smtpserver: Connection from 81.80.97.20
(81.80.97.20)
22/12/06 12:47:47 INFO  smtpserver: Connection from
securechat.inventsales.com (142.176.67.180)
22/12/06 12:47:47 INFO  smtpserver: Connection from mail02.tveyes.com
(160.79.251.45)
22/12/06 12:47:47 INFO  smtpserver: executing message handlers
22/12/06 12:47:47 INFO  smtpserver: sending mail
22/12/06 12:47:47 INFO  smtpserver: Successfully spooled mail
Mail1166755667775-24 from null on 142.176.67.180 for
[AvisLongoria@________________]
-----8<------

- 'Original' sender always takes the same form
FirstnameLastname@________________.
- always coming back as null which is correct bounce reply format??
- each message contains 'Undeliverable' message

What I have in place already:
- Correct SPF record for this and all my mail-sending domains
- Checked to see if JAMES or sendmail (I route sendmail into JAMES for
system messages etc) are sending this mail out, which they are not as far as
I can see by logs and reports
- Switched the local address error processor to Null these emails to stop the disk
space consumption
- Connections are left as default (consequently lots of max connections
messages showing up in logs, but the lesser of two evils as far as I am
concerned)

On a positive note:
- JAMES is quite happily trotting along, handling it all with grace.

So I am putting this out there to the community now to see where I should go
from here. Any and all responses are welcome.

Regards MB
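As an added example (not part of the original post and not JAMES code), a short Python script that scans the smtpserver log for the pattern described above: null-sender bounces spooled for recipients that do not exist locally, tallied per connecting IP so the worst backscatter sources can be seen at a glance. The domain and the set of real local mailboxes are assumed placeholders; the sample log lines are constructed after the ones quoted in the post (the real log writes each "Successfully spooled mail" entry on a single line; the post's copy is only wrapped by the mail client).

```python
import re
from collections import Counter

MY_DOMAIN = "example.invalid"          # placeholder for the poster's domain
LOCAL_USERS = {"postmaster", "mark"}   # assumed set of mailboxes that really exist

# Constructed sample, modelled on the JAMES smtpserver log lines quoted in the post.
SAMPLE_LOG = f"""\
22/12/06 12:47:39 INFO  smtpserver: Connection from 81-208-57-142.ip.fastwebnet.it (81.208.57.142)
22/12/06 12:47:40 INFO  smtpserver: Connection from dslstatic14.ctcinet.com (72.20.66.79)
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail Mail1166755661386-20 from null on 72.20.66.79 for [DorotheaStanley@{MY_DOMAIN}]
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail Mail1166755661258-19 from null on 81.208.57.142 for [GroverDukes@{MY_DOMAIN}]
22/12/06 12:47:41 INFO  smtpserver: Successfully spooled mail Mail1166755661717-21 from null on 64.60.40.66 for [AronClinemc@{MY_DOMAIN}]
22/12/06 12:47:50 INFO  smtpserver: Successfully spooled mail Mail1166755670000-25 from bob@example.org on 198.51.100.7 for [mark@{MY_DOMAIN}]
22/12/06 12:47:51 INFO  smtpserver: Successfully spooled mail Mail1166755671000-26 from null on 72.20.66.79 for [postmaster@{MY_DOMAIN}]
"""

# One regex for the spool entry: message id, envelope sender ("null" = empty
# reverse path, i.e. a bounce/DSN), connecting IP and the recipient in brackets.
SPOOLED_RE = re.compile(
    r"Successfully spooled mail (?P<id>\S+) from (?P<sender>\S+) "
    r"on (?P<ip>[\d.]+) for \[(?P<rcpt>[^\]]+)\]"
)


def classify_spool_lines(log_text, domain=MY_DOMAIN, local_users=LOCAL_USERS):
    """Return (backscatter_by_ip, other_count).

    A spooled message counts as backscatter when it has the null envelope
    sender AND is addressed to a local mailbox that does not exist: a bounce
    for mail this server never sent. Everything else (real senders, bounces
    to genuine mailboxes such as postmaster) is counted separately.
    """
    known = {u.lower() for u in local_users}
    backscatter = Counter()
    other = 0
    for line in log_text.splitlines():
        m = SPOOLED_RE.search(line)
        if not m:
            continue  # connection lines, handler lines, etc.
        local_part, _, rcpt_domain = m["rcpt"].rpartition("@")
        is_bounce = m["sender"] == "null"
        unknown_local = (rcpt_domain.lower() == domain.lower()
                         and local_part.lower() not in known)
        if is_bounce and unknown_local:
            backscatter[m["ip"]] += 1
        else:
            other += 1
    return backscatter, other


if __name__ == "__main__":
    by_ip, other = classify_spool_lines(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{ip:16} {n} backscatter bounce(s) to non-existent users")
    print(f"{other} spooled message(s) looked legitimate")
```

Run against the live log instead of SAMPLE_LOG to see which connecting hosts are delivering the bulk of the bounces; a hit list like this is what you would feed into a per-IP connection limit or a rule that rejects null-sender mail for unknown local users at RCPT time rather than after spooling.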