[TriLUG] Strange mailserver flood
Brian Daniels
bitmage at pobox.com
Wed Apr 30 10:16:50 EDT 2008
On Wed, Apr 30, 2008 at 09:38:38AM -0400, Cristóbal Palmer wrote:
> They're trying to get you to send a DSN to whatever they've forged as
> their HELO. Some poorly-written or poorly-configured MTAs will accept
> the mail and then send a bounce rather than reject during the SMTP
> transaction. They're trying to use you as a reflector.
>
> If you settle on a good way to mitigate this attack, share it with the
> list please. Perhaps someone else has a suggestion....

Ah. That makes sense.

The attack resembles a mini-DDoS more than anything else. I haven't figured out
any method of blocking it, as it appears that each 'attacking' machine only
sends one message to us - there's just a bunch of them in the botnet.

Suggestions are welcome!

--Brian
--
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
Henry IV, Part 2
Brian Daniels bitmage at pobox.com
http://www.eviloverlord.net
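
The accept-then-bounce behaviour described in the quoted reply, next to rejection during the SMTP transaction, as an added example that is not part of the original message or thread. The addresses, IPs, policy functions and the per-IP limit are constructed for illustration; the model assumes the bounce is addressed to the envelope sender (MAIL FROM).

```python
from collections import Counter

# Constructed sample: one message per source IP, a forged envelope sender,
# and recipients that do not exist locally (reserved example addresses).
LOCAL_USERS = {"brian@example.org"}
SESSIONS = [
    {"ip": f"203.0.113.{i}", "mail_from": "victim@example.net",
     "rcpt_to": f"nouser{i}@example.org"}
    for i in range(1, 41)
] + [{"ip": "198.51.100.7", "mail_from": "friend@example.com",
      "rcpt_to": "brian@example.org"}]


def accept_then_bounce(sessions):
    """Weak policy: answer 250 to every RCPT, validate later, then mail a DSN."""
    replies, dsns = [], []
    for s in sessions:
        replies.append(250)
        if s["rcpt_to"] not in LOCAL_USERS:
            # The bounce goes to the envelope sender, which the client forged.
            dsns.append(s["mail_from"])
    return replies, dsns


def reject_at_rcpt(sessions):
    """Hardened policy: validate the recipient during the SMTP transaction."""
    replies, dsns = [], []
    for s in sessions:
        # A 550 is returned on the client's own connection; no DSN is created.
        replies.append(250 if s["rcpt_to"] in LOCAL_USERS else 550)
    return replies, dsns


def per_ip_limit_hits(sessions, limit=5):
    """Source IPs over a per-IP message limit (none when each sends one)."""
    counts = Counter(s["ip"] for s in sessions)
    return [ip for ip, n in counts.items() if n > limit]


if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        replies, dsns = policy(SESSIONS)
        print(policy.__name__, "DSNs:", dict(Counter(dsns)),
              "550s:", replies.count(550))
    print("IPs over per-IP limit:", per_ip_limit_hits(SESSIONS))
```

With recipient validation at RCPT time the third party named in the forged sender receives nothing, even though no single source IP ever crosses a rate limit.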