
RE: Denial of Service via UCE

This issue happened with us.

Your ONLY solution is to try and co-locate a server upstream from your
site, and run a *NIX-based server (I am a Windows guy, I'm not evangelising,
it's just that Windows apps are (mostly??) all based on the IIS SMTP mail
sink, and have to accept the ENTIRE message before being able to filter
its content. Useless.)

You want to attempt to identify the spam by its content as early in the
transfer as possible. For us, we did it by creating a list of valid
email addresses, and rejecting EVERYTHING else. We also tried, but
weren't overly successful with basic content filtering using Sendmail.

The result: instead of receiving a 7kb spam undeliverable, we received a
few hundred bytes of the header data until we got the MAIL
TO:INVALIDUSER@DOMAIN.COM, detected it as an invalid incoming message and
dropped it immediately.

This way, we limited the exposure, we stopped the cost from bearing on
us, we also stopped the link saturation.

We also tried Snort with on-the-fly PIX rules, but this is unworkable as
the number of hosts caused the PIX to take longer to apply the ACLs than
is workable. The theory was great, mind you. Pity SMTP is designed to
try and get around an uncontactable mail server and just passes the
message to our backup MX (hosted offsite for redundancy).

Do NOT accept that it will go away in a few days. Our issue lasted over
2 months. Solid. (We logged 2Gb of data in the first few hours of the
problem occurring. It filled the disks on our Exchange mail server after
another few hours; despite the Network Associates Webshield system being
able to handle the deluge, Exchange just didn't cope!)

I still have a screenshot of the number of messages we received during
the busiest hour, which was well over the tens of thousands... (at 7k
per message average).

Our logfiles had to be cleaned almost daily to reduce the amount of disk
space consumed by logs alone.

This is one of the most unbelievably effective DOS attacks, because almost
all SMTP servers are already willing 'zombies' waiting to attack a host,
and the SMTP protocol was designed to not give up easily. So, a single
message can retry a number of times, multiplied by the number of hosts
trying to send email, and it's pretty obvious how damaging this can be.

I truly feel for your situation.
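The early-rejection approach described above (reject at the RCPT TO stage, before the sender is ever allowed to transmit the message body) as an added example; this is not code from the post or from Sendmail, and the domain, recipient list and session transcripts are constructed for illustration:

```python
"""Minimal SMTP recipient-validation state machine (added example).

Shows why rejecting unknown recipients at RCPT TO limits exposure: the
server never issues 354, so the bulk of the bytes (the body) is never read.
"""

# Constructed list of valid local mailboxes; a real deployment would load
# this from the mail system's user database.
VALID_RECIPIENTS = {"alice@example.com", "postmaster@example.com"}


def wire_bytes(lines):
    """Bytes a client would put on the wire for these lines (CRLF-terminated)."""
    return sum(len(line.encode()) + 2 for line in lines)


def handle_session(lines, valid=VALID_RECIPIENTS):
    """Process client lines; return (responses, bytes_read, delivered)."""
    responses = ["220 mx.example.com ESMTP"]
    bytes_read, state, rcpts, in_data = 0, "greet", [], False
    for raw in lines:
        bytes_read += len(raw.encode()) + 2  # count every byte we had to read
        if in_data:
            if raw == ".":  # end of body: message accepted
                responses.append("250 OK: queued")
                return responses, bytes_read, True
            continue
        verb, _, arg = raw.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            state = "mail"
            responses.append("250 mx.example.com")
        elif verb == "MAIL" and state == "mail":
            state = "rcpt"
            responses.append("250 OK")
        elif verb == "RCPT" and state == "rcpt":
            addr = arg.split(":", 1)[1].strip().strip("<>").lower()
            if addr in valid:
                rcpts.append(addr)
                responses.append("250 OK")
            else:  # unknown user: refuse now, cost so far is a few header bytes
                responses.append("550 5.1.1 No such user")
        elif verb == "DATA" and state == "rcpt":
            if not rcpts:  # no accepted recipient: never read the body
                responses.append("554 5.5.1 No valid recipients")
                return responses, bytes_read, False
            in_data = True
            responses.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            responses.append("221 Bye")
            return responses, bytes_read, False
        else:
            responses.append("503 Bad sequence of commands")
    return responses, bytes_read, False


# Constructed sessions: a bounce aimed at a non-existent user, and a real one.
SPAM_SESSION = ["EHLO relay.example.net", "MAIL FROM:<bounce@example.net>",
                "RCPT TO:<invaliduser@example.com>", "DATA", "Subject: x", ""]
SPAM_SESSION += ["X" * 70] * 100 + ["."]  # ~7 kB body, as in the post
GOOD_SESSION = ["EHLO mta.example.org", "MAIL FROM:<bob@example.org>",
                "RCPT TO:<alice@example.com>", "DATA", "Subject: hi", "",
                "hello", ".", "QUIT"]
```

Comparing `handle_session(SPAM_SESSION)[1]` with `wire_bytes(SPAM_SESSION)` shows the difference between reading a few hundred bytes of envelope and accepting the whole 7 kB message.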


-----Original Message-----
From: Peter Billson [mailto:pete@elbnet.com] 
Sent: Friday, 31 January 2003 5:33 AM
To: Pulu 'Anau
Cc: debian-isp@lists.debian.org
Subject: Re: Denial of Service via UCE

  You may want to ask someone with a fatter pipe to act as your MX where
they can bit-bucket the UCE then forward on the good stuff to you.

ELB Internet Service, Inc.
Web Design, Computer Consulting, Internet Hosting

Pulu 'Anau wrote:
> Hi, this is not particularly a debian related question but this is the
> most knowledgable list that I track, and I hope someone here might have a
> "miracle answer" that we can't think of.
