SUMMARY: URGENT: DoS via sendmail

From: Mike's List (mikelist@sky.net)
Date: Sat Jun 14 2003 - 00:09:04 EDT


Special thanks to the following:

George Schlossnagle, David Luyer, sunguy, and Andrew J Caines.

George mentioned running /usr/sbin/snoop port 25 and sunguy mentioned
using netstat -an to show the IP (my mail.log does not show the IP)
and then doing "route add -host <IP> 127.0.0.1" or at the router.
I decided to do it at the router (Cisco).

I then did "ip route 200.101.197.0 255.255.255.0 Null0" at the router
and now the server load seems to have gone down drastically. netstat -an shows
a bunch of...

mail.25 200.101.197.216.4910 0 0 10080 0 SYN_RCVD
mail.25 200.101.197.216.4910 0 0 10080 0 SYN_RCVD

Guess when you can't type at your console and stop/start sendmail,
it's hard to come up with a solution. Thanks again guys.

*whew* I'm glad someone is reading the list on a Friday night...

- Mike

---------- original message ----------

Jun 13 22:10:55 pulsar sendmail[821]: WAA00821: <arxc@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[790]: WAA00790: <arxf@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[783]: WAA00783: <arxh@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[777]: WAA00777: <arx1@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[809]: WAA00809: <arxd@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[767]: WAA00767: <arx93@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[808]: WAA00808: <arxe@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[778]: WAA00778: <arxf@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[770]: WAA00770: <arxer@sky.net>... User unknown
Jun 13 22:10:55 pulsar sendmail[789]: WAA00789: <arxg@sky.net>... User unknown

Some system/one is going through some sort of list in an attempt to spam
our users. However, this is taking a toll on the server. The above is from
my mail.log. How can I determine where the e-mail is coming from to
stop and/or filter out the culprit? The above doesn't show the source.

Hope this makes it to the list, system load is at 30+ and typing in a
character practically took several seconds... I'm sitting here stopping/starting
sendmail to lower the load and to type for help. Thanks.

- Mike
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
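
The netstat step from the summary, as an added example that is not part of the original post: it tallies connections to local port 25 per source network from Solaris-style `netstat -an` output, grouping by /24 as the null route above does. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the Solaris `netstat -an` TCP layout quoted in the post:
# local addr.port, remote addr.port, Swind, Send-Q, Rwind, Recv-Q, State
SAMPLE = """\
mail.25 200.101.197.216.4910 0 0 10080 0 SYN_RCVD
mail.25 200.101.197.216.4911 0 0 10080 0 SYN_RCVD
mail.25 200.101.197.17.3302 0 0 10080 0 ESTABLISHED
mail.25 192.0.2.44.51234 8760 0 10080 0 ESTABLISHED
*.25 *.* 0 0 24576 0 LISTEN
mail.22 198.51.100.9.40022 8760 0 10080 0 ESTABLISHED
"""

def smtp_peers(netstat_text, port="25"):
    """Yield the remote IPv4 address of every TCP connection to local `port`."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Headers, UDP rows and listening sockets do not describe a peer.
        if len(fields) != 7 or fields[6] == "LISTEN":
            continue
        local, remote = fields[0], fields[1]
        # Solaris joins address and port with a dot, so split on the last one.
        if local.rpartition(".")[2] != port:
            continue
        try:
            yield ipaddress.IPv4Address(remote.rpartition(".")[0])
        except ValueError:
            continue  # wildcard or non-IPv4 peer

def top_sources(netstat_text, prefix_len=24, port="25"):
    """Count connections per source network, busiest first."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for ip in smtp_peers(netstat_text, port)
    )
    return counts.most_common()

if __name__ == "__main__":
    for net, n in top_sources(SAMPLE):
        print(f"{n:5d}  {net}")
```

Passing `prefix_len=32` gives per-host counts, which is the granularity a host route would use.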



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:26:35 EDT