SUMMARY: URGENT: DoS via sendmail

From: Mike's List <mikelist_at_sky.net>
Date: Sat Jun 14 2003 - 00:09:04 EDT
Special thanks to the following:

George Schlossnagle, David Luyer, sunguy, and Andrew J Caines.

George mentioned running /usr/sbin/snoop port 25, and sunguy mentioned
using netstat -an to show the IP (my mail.log does not show the IP)
and then doing "route add -host <IP> 127.0.0.1", or doing it at the router.
I decided to do it at the router (Cisco).

I then did "ip route 200.101.197.0 255.255.255.0 Null0" at the router
and now the server load seems to go down drastically.  netstat -an shows
a bunch of...

mail.25       200.101.197.216.4910     0      0 10080      0 SYN_RCVD
mail.25       200.101.197.216.4910     0      0 10080      0 SYN_RCVD

Guess when you can't type at your console and stop/start sendmail,
it's hard to come up with a solution.  Thanks again guys.

*whew* I'm glad someone is reading the list on a Friday night...


- Mike


---------- original message ----------

Jun 13 22:10:55 pulsar sendmail[821]: WAA00821: <arxc@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[790]: WAA00790: <arxf@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[783]: WAA00783: <arxh@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[777]: WAA00777: <arx1@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[809]: WAA00809: <arxd@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[767]: WAA00767: <arx93@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[808]: WAA00808: <arxe@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[778]: WAA00778: <arxf@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[770]: WAA00770: <arxer@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[789]: WAA00789: <arxg@sky.net>... User unknown

Some system/one is going through some sort of list in an attempt to spam
our users. However, this is taking a toll on the server. The above is from
my mail.log -- how can I determine where the e-mail is coming from to
stop and/or filter out the culprit? The above doesn't show the source.

Hope this makes it to the list, system load is at 30+ and typing in a
character practically took several seconds...I'm sitting here stopping/starting
sendmail to lower the load and to type for help.  Thanks.


- Mike
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Sat Jun 14 00:12:22 2003
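
Added example, not part of the original post and not code from anyone on the list: a way to tally which remote addresses hold connections to local port 25 in Solaris-style "netstat -an" output, the step sunguy's suggestion relies on. The function names, the optional threshold argument, and every sample row other than the 200.101.197.216.4910 one are constructed for illustration.

```shell
#!/bin/sh
# Tally remote IPs talking to local port 25, from `netstat -an` on stdin.
# Solaris TCP rows are: local remote swind sendq rwind recvq state,
# with the port appended to the address after a final dot.
# On Solaris use nawk or /usr/xpg4/bin/awk; the old /usr/bin/awk lacks sub().
# Usage: netstat -an | smtp_talkers [min_connections]
smtp_talkers() {
    awk -v min="${1:-1}" '
    NF == 7 && $1 ~ /\.25$/ &&
    $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        ip = $2
        sub(/\.[0-9]+$/, "", ip)          # drop the trailing .port
        total[ip]++
        if ($7 == "SYN_RCVD") half[ip]++  # half-open connections
    }
    END {
        for (ip in total)
            if (total[ip] >= min + 0)
                printf "%d %s syn_rcvd=%d\n", total[ip], ip, half[ip] + 0
    }' | sort -rn
}

# Constructed sample input (only the first row appears in the post).
sample_netstat() {
    cat <<'EOF'
mail.25       200.101.197.216.4910     0      0 10080      0 SYN_RCVD
mail.25       200.101.197.216.4911     0      0 10080      0 SYN_RCVD
mail.25       200.101.197.216.4912     0      0 10080      0 ESTABLISHED
mail.25       192.0.2.44.33012      8760      0 10080      0 ESTABLISHED
      *.25                 *.*          0      0 24576      0 LISTEN
mail.22       192.0.2.10.51515      8760      0 10080      0 ESTABLISHED
EOF
}

# Demo: busiest SMTP peers first; LISTEN and non-25 rows are ignored.
sample_netstat | smtp_talkers
```

The address at the top of the output is the candidate for a host route or router-side null route like the one described in the summary.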