Posted to users@spamassassin.apache.org by Mike Cisar <ml...@starmania.net> on 2007/12/31 19:07:03 UTC

DDOS, Dictionary Attack... not sure what it is...

Hi All,

A bit off topic since the users are all unknown so the traffic never makes
it to my spamassassin.  But I am hoping that someone here may have seen the
same thing and have a solution for making the problem "go-away" :-)

I'm not sure whether it's supposed to be a DDOS attack, a dictionary attack,
bunch-o-bots or what.  Since about the 26th of Dec I've had one particular
mailserver that has been dealing with a constant stream of crap... all
emails to unknown users, all of the email addresses seem consistent (either
3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
seem to be coming from any consistent IP address (or region).  Problem is of
course that the mailserver's connections get tied up processing rejecting
this crap (and of course it's chewing up my transfer allocation bit by tiny
bit).

The addresses are similar to these...

IgnaciogalvestonBriggs@
DallasexhibitionAlvarado@
ReginaldFleming@

Even tried yanking the IP address off of the server over the holidays in the
hope that whatever it was would just give up.  No such luck, within a minute
of reactivating the IP to the server this morning the traffic was back to
full flow.

Cheers,
>>>>> Mike <<<<<

Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Bookworm <qm...@bkwm.com>.
Joseph Brennan wrote:
>
> Michelle Konzack <li...@freenet.de> wrote:
>
>>> since the server rejects unknown recipients right away.
>>
>> Here too, but it eats nearly 100% of System- and CPU-Resources...
>>
>>> It might be worth looking for a couple of addresses that get hit
>>> repeatedly and temporarily activating them
>
>> I have tried this too and it reduced the load down to 15% but they are
>> coming in really fast
>
>
>
> I don't understand how refusing after MAIL could take 6 times as much
> resources as accepting the message.  By refusing, you don't receive
> the message body and you don't have to output the message to a mailer.
> That has to use less resources than accepting.  I would be taking a
> close look at what your server is doing during rejection.  This just
> seems very wrong to me.
>
> Joseph Brennan
> Columbia University Information Technology
Or he could talk with the folks at SpamCop about piping those emails 
straight to them for those phony addresses. 



Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Michelle Konzack <li...@freenet.de>.
On 2008-01-08 10:12:28, Joseph Brennan wrote:
> I don't understand how refusing after MAIL could take 6 times as much
> resources as accepting the message.  By refusing, you don't receive
> the message body and you don't have to output the message to a mailer.
> That has to use less resources than accepting.  I would be taking a
> close look at what your server is doing during rejection.  This just
> seems very wrong to me.

Can it be that the RBL lookups are screwing up?

I have installed bind9 (HP Vectra XA5, P1/200 with 384MByte) which is
there for 7 domains (over 180 subdomains and around 800 hosts) and as a
caching DNS, but it seems that when I get spammed it becomes very heavily
loaded...

Normally the load average is under 0.5, but when I get spammed it is over 10.

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Joseph Brennan <br...@columbia.edu>.
Michelle Konzack <li...@freenet.de> wrote:

>> since the server rejects unknown recipients right away.
>
> Here too, but it eats nearly 100% of System- and CPU-Resources...
>
>> It might be worth looking for a couple of addresses that get hit
>> repeatedly and temporarily activating them

> I have tried this too and it reduced the load down to 15% but they are
> coming in really fast



I don't understand how refusing after MAIL could take 6 times as much
resources as accepting the message.  By refusing, you don't receive
the message body and you don't have to output the message to a mailer.
That has to use less resources than accepting.  I would be taking a
close look at what your server is doing during rejection.  This just
seems very wrong to me.

Joseph Brennan
Columbia University Information Technology




Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Michelle Konzack <li...@freenet.de>.
On 2008-01-02 10:14:51, Kelson wrote:
> Actually, it's still going on, but it doesn't have much of an impact 
> since the server rejects unknown recipients right away.

Here too, but it eats nearly 100% of System- and CPU-Resources...

> It might be worth looking for a couple of addresses that get hit 
> repeatedly and temporarily activating them, or even turning on a 
> catch-all for 20 seconds or so, to capture some of the messages and see 
> whether you're dealing with a botnet or backscatter.

I have tried this too and it reduced the load down to 15%, but they are
coming in really fast (faster than my server can handle, and it handles
20-30 messages a second without any problems).  So if I activate "catch-all"
for 20 seconds (and I do not know when they come in) I immediately have
several hundred or a thousand messages on the system...

Thanks, Greetings and nice Day
    Michelle Konzack



Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Kelson <ke...@speed.net>.
Mike Cisar wrote:

> Since about the 26th of Dec I've had one particular
> mailserver that has been dealing with a constant stream of crap... all
> emails to unknown users, all of the email addresses seem consistent (either
> 3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
> another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
> seem to be coming from any consistent IP address (or region).  Problem is of
> course that the mailserver's connections get tied up processing rejecting
> this crap (and of course it's chewing up my transfer allocation bit by tiny
> bit).

There's one more piece of data needed before you decide on a course of 
action: what kind of email is being sent.  Are you getting first-order 
spam, or are you getting bounce messages?

If all the target addresses are in the same domain, it could be as 
simple as this:

1. Spammer picks a random domain name known to exist: yours.
2. Spammer generates a bunch of random addresses at that domain.
3. Spammer sends out junk to thousands of targets using these addresses.
4. Thousands of servers send you the bounces, the sender verification 
checks, etc.

This happened a couple of weeks ago with one of my domain names. 
Similar pattern of addresses:

FirstnameLastname@
FirstnameRandomwordLastname@
etc.

Actually, it's still going on, but it doesn't have much of an impact 
since the server rejects unknown recipients right away.

It might be worth looking for a couple of addresses that get hit 
repeatedly and temporarily activating them, or even turning on a 
catch-all for 20 seconds or so, to capture some of the messages and see 
whether you're dealing with a botnet or backscatter.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
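An added example, not code from any poster on the thread: a Python triage over constructed Postfix-style "User unknown" reject lines that answers Kelson's question (bounces with a null reverse-path, i.e. backscatter, versus first-order spam) and also reports how many distinct client IPs there are and how often each one tries, which is the distinction Mike draws elsewhere in the thread between one source and a botnet. All IPs, hostnames and addresses are constructed; the name pattern mirrors the addresses quoted above.

```python
import re
from collections import Counter

# Constructed sample log in Postfix smtpd reject format (not real traffic);
# IPs are documentation ranges, recipients mimic the Upper+lower+Upper names.
SAMPLE_LOG = """\
Jan  2 10:01:03 mx postfix/smtpd[111]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <IgnaciogalvestonBriggs@example.net>: Recipient address rejected: User unknown; from=<wpbqz@example.org> to=<IgnaciogalvestonBriggs@example.net> proto=ESMTP helo=<pc7>
Jan  2 10:01:09 mx postfix/smtpd[112]: NOQUEUE: reject: RCPT from unknown[203.0.113.21]: 550 5.1.1 <DallasexhibitionAlvarado@example.net>: Recipient address rejected: User unknown; from=<kqlm@example.com> to=<DallasexhibitionAlvarado@example.net> proto=ESMTP helo=<home>
Jan  2 10:01:10 mx postfix/smtpd[113]: NOQUEUE: reject: RCPT from unknown[203.0.113.21]: 550 5.1.1 <ReginaldFleming@example.net>: Recipient address rejected: User unknown; from=<kqlm@example.com> to=<ReginaldFleming@example.net> proto=ESMTP helo=<home>
Jan  2 10:01:14 mx postfix/smtpd[114]: NOQUEUE: reject: RCPT from unknown[192.0.2.88]: 550 5.1.1 <ReginaldFleming@example.net>: Recipient address rejected: User unknown; from=<zzt@example.org> to=<ReginaldFleming@example.net> proto=ESMTP helo=<xp>
Jan  2 10:01:20 mx postfix/smtpd[115]: NOQUEUE: reject: RCPT from mta.isp.example[192.0.2.5]: 550 5.1.1 <WaltermarketJensen@example.net>: Recipient address rejected: User unknown; from=<> to=<WaltermarketJensen@example.net> proto=ESMTP helo=<mta.isp.example>
Jan  2 10:01:31 mx postfix/smtpd[116]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown; from=<sales@example.com> to=<bob@example.net> proto=ESMTP helo=<shop>
"""

REJECT_RE = re.compile(
    r"RCPT from (?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]: 550 .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# Local part shaped like the thread's examples: a capitalised run followed by
# a second capitalised word, e.g. ReginaldFleming, IgnaciogalvestonBriggs.
NAME_RE = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+$")


def parse_rejects(log_text):
    """Yield (client_ip, envelope_sender, recipient) per user-unknown reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("sender"), m.group("rcpt")


def triage(log_text):
    """Summarise who is hitting us and whether it looks like bounces or spam."""
    per_ip, per_rcpt = Counter(), Counter()
    null_sender = patterned = total = 0
    for ip, sender, rcpt in parse_rejects(log_text):
        total += 1
        per_ip[ip] += 1
        per_rcpt[rcpt] += 1
        if sender == "":          # null reverse-path: a bounce/DSN, i.e. backscatter
            null_sender += 1
        if NAME_RE.match(rcpt.split("@")[0]):
            patterned += 1
    return {
        "total": total,
        "bounces": null_sender,
        "first_order": total - null_sender,
        "patterned_rcpts": patterned,
        "distinct_ips": len(per_ip),
        "max_hits_per_ip": max(per_ip.values(), default=0),
        "repeated_rcpts": sorted(r for r, n in per_rcpt.items() if n > 1),
    }


def verdict(stats):
    """Bounces back to forged senders, or direct spam from many hosts?"""
    if stats["total"] == 0:
        return "no data"
    if stats["bounces"] > stats["first_order"]:
        return "backscatter"
    if stats["distinct_ips"] >= 3 and stats["max_hits_per_ip"] <= 2:
        return "botnet"   # many sources, each trying only once or twice
    return "single-source or undetermined"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s, verdict(s))
```

Run it over a day of real reject lines instead of SAMPLE_LOG; a high bounce share means the fix is on the forged-sender side (SPF and the like), a high distinct-IP count with one or two hits each is the botnet shape where per-IP blocking will not help.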

RE: DDOS, Dictionary Attack... not sure what it is...

Posted by Joseph Brennan <br...@columbia.edu>.

On Monday, December 31, 2007 4:00 PM -0700 Mike Cisar
<ml...@starmania.net> wrote:

> I haven't counted, but based on the flow, I'd estimate I've seen
> about 1000 distinct IP's... that is what leads me to believe it's some
> sort of distributed attack.  There are some repeat recipients, from
> different IP's at different times.  Like a whole bunch of little zombies
> all working off of the same list.


That's what a spam botnet looks like.  There are usually a few hundred
thousand hosts working the same list.  If you have not seen this many
times before, lucky you.

Joseph Brennan
Columbia University Information Technology




RE: DDOS, Dictionary Attack... not sure what it is...

Posted by Mike Cisar <ml...@starmania.net>.
> > I'm not sure whether it's supposed to be a DDOS attack, a dictionary
> > attack, bunch-o-bots or what.  Since about the 26th of Dec I've had one
> > particular mailserver that has been dealing with a constant stream of crap...

> That is, if a specific IP address tries sending to bad users more than
> X number of times, it then blocks that IP address from connecting at all
> for a set period of time.

That was my first thought, unfortunately I don't seem to get any more than 1
or 2 attempts from any given IP address (probably due to my server dropping
the connection based on some existing configuration I have in place).  But
the same will then happen from another IP, in a different part of the world,
addressed to a different but similar non-existing address... and so on, and
so on.  I haven't counted, but based on the flow, I'd estimate I've seen
about 1000 distinct IP's... that is what leads me to believe it's some sort
of distributed attack.  There are some repeat recipients, from different
IP's at different times.  Like a whole bunch of little zombies all working
off of the same list.

Cheers,
>>>>> Mike <<<<<


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Bookworm <qm...@bkwm.com>.
Mike Cisar wrote:
> Hi All,
>
> A bit off topic since the users are all unknown so the traffic never makes
> it to my spamassassin.  But I am hoping that someone here may have seen the
> same thing and have a solution for making the problem "go-away" :-)
>
> I'm not sure whether it's supposed to be a DDOS attack, a dictionary attack,
> bunch-o-bots or what.  Since about the 26th of Dec I've had one particular
> mailserver that has been dealing with a constant stream of crap... all
> emails to unknown users, all of the email addresses seem consistent (either
> 3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
> another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
> seem to be coming from any consistent IP address (or region).  Problem is of
> course that the mailserver's connections get tied up processing rejecting
> this crap (and of course it's chewing up my transfer allocation bit by tiny
> bit).
>
> The addresses are similar to these...
>
> IgnaciogalvestonBriggs@
> DallasexhibitionAlvarado@
> ReginaldFleming@
>
> Even tried yanking the IP address off of the server over the holidays in the
> hope that whatever it was would just give up.  No such luck, within a minute
> of reactivating the IP to the server this morning the traffic was back to
> full flow.
I don't know that it will really help, but I know that on the qmail
servers that I've been building, John Simpson wrote a patch that looks
for that.  It's called validrcptto.  It looks for users existing on the
system before accepting any emails (using a cdb file format), and
rejects those instantly that don't exist.  For situations like yours,
it has a 'strikes' rule that you can enable.

That is, if a specific IP address tries sending to bad users more than X 
number of times, it then blocks that IP address from connecting at all 
for a set period of time. 

Whatever your MTA might be, there may be similar functionality that you 
can build into the SMTPD process, or at least, that you can put in FRONT 
of the SMTPD process.

Good luck with it!
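An added Python sketch of the per-IP "strikes" rule described above; it is not the validrcptto patch's own code, and the threshold, window and block length are assumed parameters. Bad-recipient attempts are counted per client IP inside a sliding window, crossing the threshold blocks that IP for a fixed period, and the same code shows why the rule does little when each bot tries only once or twice.

```python
import time
from collections import defaultdict, deque


class StrikeTracker:
    """Per-IP 'strikes' rule: more than `max_strikes` rejected recipients from
    one client IP inside `window` seconds blocks that IP from connecting for
    `block_for` seconds. Defaults are assumptions, not validrcptto's values."""

    def __init__(self, max_strikes=3, window=600, block_for=3600):
        self.max_strikes = max_strikes
        self.window = window
        self.block_for = block_for
        self._strikes = defaultdict(deque)   # ip -> timestamps of bad RCPTs
        self._blocked_until = {}             # ip -> unix time the block expires

    def is_blocked(self, ip, now=None):
        """Check at connect time; expired blocks are forgotten on the way."""
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def record_bad_rcpt(self, ip, now=None):
        """Call on every 'user unknown' rejection from `ip`.
        Returns True if the IP is now (or was already) blocked."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return True
        q = self._strikes[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # age out strikes outside the window
            q.popleft()
        if len(q) > self.max_strikes:
            self._blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False


def blocked_fraction(tracker, ips, attempts_each, now=0):
    """How many of `ips` end up blocked when each makes `attempts_each`
    bad-recipient attempts: the botnet shape (1-2 per IP) never trips it."""
    hits = 0
    for ip in ips:
        for k in range(attempts_each):
            if tracker.record_bad_rcpt(ip, now=now + k):
                hits += 1
                break
    return hits / len(ips) if ips else 0.0
```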


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Joseph Brennan <br...@columbia.edu>.
Mike Cisar <ml...@starmania.net> wrote:

> They don't seem to be coming from any
> consistent IP address (or region).  Problem is of course that the
> mailserver's connections get tied up processing rejecting this crap (and
> of course it's chewing up my transfer allocation bit by tiny bit).
>
> The addresses are similar to these...
>
> IgnaciogalvestonBriggs@
> DallasexhibitionAlvarado@
> ReginaldFleming@


I see them here too (columbia.edu).  Sometimes the sender domain does
not exist, and otherwise the recipient is no good.  There are not many
that get as far as a milter, but here are some.  Looks like gambling.

Example 1: Rejected for a one-word HELO (i.e. it had no dots).  Its
subject was "Single-hand blackjack.."

Example 2: Sender host was in Spamhaus.  "Come see what it means to be
a VIP."

Example 3: Another Spamhaus catch.  "Get your bonus and walk the red
carpet to winnings and fun."

Note in passing, envelope senders =~ /<[A-Z][a-z]+[A-Z][a-z]\@/  seem
to be quite rare, other than spam.  I don't know what is in the header
From: since I can't find any reported to us.

The unknown senders and recipients should be a fast rejection.  You can
stop at MAIL or RCPT.  You can't get better than that unless you can
reject by sender IP, which is not practical with a botnet.


Joseph Brennan
Columbia University Information Technology


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by "Theodoros V. Kalamatianos" <th...@softlab.ece.ntua.gr>.
On Tue, 1 Jan 2008, mouss wrote:

> Matthias Schmidt wrote:
>
> best wishes to everybody, even spam senders ;-p (but spam won't be
> tolerated, even today!).

Dunno about you, but after a significant increase in greeting card spam 
today I had to rescind any wishes towards spammers that got away from me 
earlier :-p.

Best wishes for all (err... okay... "everyone else") and may 2008 be a 
spamless year!

Re: DDOS, Dictionary Attack... not sure what it is...

Posted by mouss <mo...@netoyen.net>.
Matthias Schmidt wrote:
> Happy New Year everyone :-)
>
> On Tue, 1 Jan 2008 04:20:42 +0100, mouss wrote:
>
>> John D. Hardin wrote:
>>> On Mon, 31 Dec 2007, Mike Cisar wrote:
>>>
>>>> Even tried yanking the IP address off of the server over the
>>>> holidays in the hope that whatever it was would just give up.  No
>>>> such luck, within a minute of reactivating the IP to the server
>>>> this morning the traffic was back to full flow.
>>>
>>> Tarpit 'em.
>>>
>>> http://sourceforge.net/projects/labrea
>>
>> Tarpitting may not be the right answer, because "they" have a lot more
>> resources than us (greetpause seems to work, if you use an asynchronous
>> server or proxy, i.e. one which can do other things while "sleeping").
>>
>> you can reduce the load by having your server drop the connection when
>> it rejects the mail, using 421 code.
>> depending on the server, it may be possible to do this at connection
>> time using zen.spamhaus.org (which lists many zombies).
>>
>> It may also be good to reduce the timeout when the server is under attack.
>
> but could this not also cause losing legitimate email?

The timeout must be reduced to a "reasonable" value. Currently, most
MTAs implement "safe" values (RFC 2821 has some recommendations about
the minimum timeout at each stage), but today the internet is faster
than it was years ago. You can sniff legitimate traffic and see that it
is much faster than your current MTA timeout values.

> my server was also under attack 2 or 3 months ago.
> I tried the same thing as the op (listing ips in the fw etc), but these
> things didn't help at all.
>
> Most of the mails (>90%) were already dropped, because the ip didn't
> resolve (cannot find your hostname), the next 9.9% were caught by
> blacklists and only a very little number was rejected, because of
> unknown user name.
> One possibility might be to do the ip-check already through a hardware
> firewall.

There is one issue here: normal MTAs would retry if you don't reject
them "properly" by the MTA. Some MTAs only understand a few errors, and
you mostly need to reject them at the RCPT TO stage. So one needs to drop
connections from zombies before they reach the MTA (using
zen.spamhaus.org for example), and reject other clients normally.

> But one actually can't do anything against the traffic coming to one's
> "indoor".
>
> best wishes to everybody (not to the spamsenders of course ;-) for 2008

best wishes to everybody, even spam senders ;-p (but spam won't be
tolerated, even today!).


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by Matthias Schmidt <be...@admilon.net>.
Happy New Year everyone :-)

On Tue, 1 Jan 2008 04:20:42 +0100, mouss wrote:

>John D. Hardin wrote:
>> On Mon, 31 Dec 2007, Mike Cisar wrote:
>>
>>> Even tried yanking the IP address off of the server over the
>>> holidays in the hope that whatever it was would just give up.  No
>>> such luck, within a minute of reactivating the IP to the server
>>> this morning the traffic was back to full flow.
>>
>> Tarpit 'em.
>>
>> http://sourceforge.net/projects/labrea
>
>Tarpitting may not be the right answer, because "they" have a lot more
>resources than us (greetpause seems to work, if you use an asynchronous
>server or proxy, i.e. one which can do other things while "sleeping").
>
>you can reduce the load by having your server drop the connection when
>it rejects the mail, using 421 code.
>depending on the server, it may be possible to do this at connection
>time using zen.spamhaus.org (which lists many zombies).
>
>It may also be good to reduce the timeout when the server is under attack.

but could this not also cause losing legitimate email?

my server was also under attack 2 or 3 months ago.
I tried the same thing as the op (listing ips in the fw etc), but these
things didn't help at all.

Most of the mails (>90%) were already dropped, because the ip didn't
resolve (cannot find your hostname), the next 9.9% were caught by
blacklists and only a very little number was rejected, because of
unknown user name.
One possibility might be to do the ip-check already through a hardware
firewall.

But one actually can't do anything against the traffic coming to one's
"indoor".

best wishes to everybody (not to the spamsenders of course ;-) for 2008

Matthias


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by mouss <mo...@netoyen.net>.
John D. Hardin wrote:
> On Tue, 1 Jan 2008, mouss wrote:
>
>> Tarpitting may not be the right answer, because "they" have a lot
>> more resources than us
>
> I may have misunderstood what Mike was saying in his original post - I
> thought that the traffic was originating from a single IP and that was
> what he had firewalled. Later messages indicate he's being flooded by
> a botnet and he'd firewalled his local IP, so tarpitting is obviously
> a less attractive solution - but, consider: if a few thousand bots get
> snared in his tarpit, are they blocked from spamming others for as
> long as they are snared? A tarpit is as much a community defense as it
> is a personal defense.

This assumes that a lot of people use tarpitting, but it doesn't seem to
be so AFAIK. I don't know how botnet spamware is coded, but given the
advances in botnet practices, I would bet their "developers" are
skilled enough to code an asynchronous client with non-blocking IO. So
while keeping them connected for some time means the client system will
have more open connections, this isn't enough to get them noticed.

> Agreed, a DNSBL using the zen list is a better way to defend against a
> spambot network.

at least as long as zombies aren't blocked by local firewalls or by
their ISPs!


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 1 Jan 2008, mouss wrote:

> John D. Hardin wrote:
> > On Mon, 31 Dec 2007, Mike Cisar wrote:
> >
> >> Even tried yanking the IP address off of the server over the
> >> holidays in the hope that whatever it was would just give up.  No
> >> such luck, within a minute of reactivating the IP to the server
> >> this morning the traffic was back to full flow.
> >
> > Tarpit 'em.
> >
> > http://sourceforge.net/projects/labrea
> 
> Tarpitting may not be the right answer, because "they" have a lot
> more resources than us

I may have misunderstood what Mike was saying in his original post - I
thought that the traffic was originating from a single IP and that was
what he had firewalled. Later messages indicate he's being flooded by
a botnet and he'd firewalled his local IP, so tarpitting is obviously
a less attractive solution - but, consider: if a few thousand bots get
snared in his tarpit, are they blocked from spamming others for as
long as they are snared? A tarpit is as much a community defense as it
is a personal defense.

Agreed, a DNSBL using the zen list is a better way to defend against a 
spambot network.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
 144 days until the Mars Phoenix lander arrives at Mars


Re: DDOS, Dictionary Attack... not sure what it is...

Posted by mouss <mo...@netoyen.net>.
John D. Hardin wrote:
> On Mon, 31 Dec 2007, Mike Cisar wrote:
>
>> Even tried yanking the IP address off of the server over the
>> holidays in the hope that whatever it was would just give up.  No
>> such luck, within a minute of reactivating the IP to the server
>> this morning the traffic was back to full flow.
>
> Tarpit 'em.
>
> http://sourceforge.net/projects/labrea

Tarpitting may not be the right answer, because "they" have a lot more
resources than us (greetpause seems to work, if you use an asynchronous
server or proxy, i.e. one which can do other things while "sleeping").

You can reduce the load by having your server drop the connection when
it rejects the mail, using a 421 code.
Depending on the server, it may be possible to do this at connection
time using zen.spamhaus.org (which lists many zombies).

It may also be good to reduce the timeout when the server is under attack.
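An added Python sketch (not code from mouss or from any MTA) of the connection-time check described above: the client IP is reversed and looked up under zen.spamhaus.org, and a listed client gets a 421 and is dropped before it can send MAIL or RCPT. The resolver is a stub with constructed answers so the block runs offline; the listed address and the answer value are made up, not Spamhaus data.

```python
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"   # the list named in the thread; any DNSBL zone works


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    203.0.113.2 -> 2.113.0.203.zen.spamhaus.org. Raises ValueError on junk."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolve, zone=ZEN_ZONE):
    """resolve(name) returns the A records for name as strings, or [] for
    NXDOMAIN. A DNSBL signals 'listed' with an answer in 127.0.0.0/8; zen
    encodes which sub-list matched in the last octet (see the Spamhaus docs)."""
    return any(a.startswith("127.") for a in resolve(dnsbl_query_name(ip, zone)))


def connect_reply(client_ip, resolve):
    """What to send as the SMTP banner. A listed client gets 421 and the
    connection is closed before it can even send MAIL/RCPT, so the MTA spends
    nothing further on it. 421 is a temporary failure, so a genuine MTA that
    is wrongly listed retries later instead of bouncing the message; a zombie
    typically just moves on."""
    if is_listed(client_ip, resolve):
        return "421 mx.example.net Service not available, closing transmission channel"
    return "220 mx.example.net ESMTP"


# Constructed stub resolver so the block runs offline: only one address is
# "listed", and the answer value is invented rather than real Spamhaus data.
STUB_ANSWERS = {"2.113.0.203.zen.spamhaus.org": ["127.0.0.4"]}


def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.2", "198.51.100.7"):
        print(ip, "->", connect_reply(ip, stub_resolve))
```

In production, replace stub_resolve with a real DNS lookup (socket.gethostbyname_ex over the query name, catching socket.gaierror as "not listed") and keep the caching resolver close to the MTA, since every connection now costs one DNS round trip.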





Re: DDOS, Dictionary Attack... not sure what it is...

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 31 Dec 2007, Mike Cisar wrote:

> Even tried yanking the IP address off of the server over the
> holidays in the hope that whatever it was would just give up.  No
> such luck, within a minute of reactivating the IP to the server
> this morning the traffic was back to full flow.

Tarpit 'em.

http://sourceforge.net/projects/labrea

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Users mistake widespread adoption of Microsoft Office as the
  development of a standard document format.
-----------------------------------------------------------------------
 145 days until the Mars Phoenix lander arrives at Mars