Here is an example header of how such a post looks. Because the mails are coming from various servers, like ibm.com, compaq, yahoo, companies all over the world, blocking IPs will not make sense. I think we should call this a bounce attack, because that is eventually what happens... send out mails with wrong addresses to millions of computers and give a wrong address and mail header with... what happens... it bounces and the attack heads its way to the required target. Here now the example. He sent the mail to the Stanford mailserver and it bounces... to me.
From MAILER-DAEMON@lagu.sidhe.net Sat Nov 2 09:33:47 2002
Return-Path:
Received: from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35]) by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319 for ; Sat, 2 Nov 2002 09:33:46 +0100
Received: (qmail 13328 invoked by uid 80); 2 Nov 2002 03:46:34 -0000
Date: 2 Nov 2002 03:46:34 -0000
Message-ID: <20021102034634.13324.qmail@bouncemail.stanford.edu>
To: lobo@0-8-15.ch
From: Stanford Bounce Mail Daemon
Subject: Undelivered mail for boe@stanford.edu
Precedence: junk
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="13292.1036208794/bouncemail.stanford.edu"
X-Bounce-Agent: Stanford Email Bounce

--13292.1036208794/bouncemail.stanford.edu

Your message to: boe@stanford.edu
regarding: Be Bold And Courageous
could not be delivered because it is not a valid Stanford email address.

Perhaps you're trying to reach:
Robert Boeninger, Prin Systems Software mailto:boe@SLAC.Stanford.EDU

You might be able to find the email address you need by looking through Stanford's online Directory:
WWW: http://stanfordwho.stanford.edu/
finger: finger user@whois.stanford.edu
whois: whois -h whois.stanford.edu user

If this doesn't work, note that at Stanford people are in charge of maintaining their own email information. Those you seek may have chosen not to make their Directory information public, or may have committed a typo when entering their email address(es) into the system. We recommend that you attempt to contact them via other means.

This note was generated automatically by a computer program. Please do not reply to it. Responses will be discarded. If you wish to communicate with someone about your bounced message, please send mail to postmaster@stanford.edu.

Your original message has been appended below.

--13292.1036208794/bouncemail.stanford.edu
Content-Type: message/delivery-status

Reporting-MTA: dns; bouncemail.stanford.edu
Received-From-MTA: dns; stanford.edu

Final-Recipient: rfc822; boe@stanford.edu
Action: failed
Status: 5.1.1

--13292.1036208794/bouncemail.stanford.edu
Content-Type: message/rfc822

Received: (qmail 13286 invoked from network); 2 Nov 2002 03:46:30 -0000
Received: from leland3.stanford.edu (171.64.14.90) by bouncemail.stanford.edu with SMTP; 2 Nov 2002 03:46:30 -0000
Received: from leland3.Stanford.EDU (localhost [127.0.0.1]) by leland3.Stanford.EDU (8.11.6/8.11.6) with ESMTP id gA23kSs24136; Fri, 1 Nov 2002 19:46:29 -0800 (PST)
Received: from 1012privat.at (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br [200.170.149.113]) by leland3.Stanford.EDU (8.11.6/8.11.6) with SMTP id gA23i3U23625; Fri, 1 Nov 2002 19:44:39 -0800 (PST)
From: lobo@0-8-15.ch
X-Priority: 3
Received: from 1012privat.at by 0AEO3V.1012privat.at with SMTP for nephron@leland.stanford.edu; Fri, 01 Nov 2002 22:39:54 -0500
Message-Id: <1VCK7GOQ28UQJ5I56.0PY9VQ1UBY7OI.lobo@0-8-15.ch>
Reply-To: nephron@24hours.gr
To: nephron@Stanford.EDU
Date: Fri, 01 Nov 2002 22:39:54 -0500
Content-Type: text/plain; charset="iso-8859-1"
Subject: Be Bold And Courageous
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

PARENTS OF 15 - YEAR OLD - FIND $71,000 CASH HIDDEN IN HIS CLOSET!=

any ideas?

-----Original Message-----
From: Miguel Albuquerque [mailto:mfoacs@e-workshop.ch]
Sent: Saturday, November 02, 2002 9:49 AM
To: Evert Smit
Cc: suse-security@suse.com
Subject: Re: [suse-security] DOS on sendmail daemon

Evert Smit wrote:
John,
since the attack is coming from multiple servers, I cannot block a single IP, and the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gatekeeper that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.
But you can block an IP range, i.e. 192 REJECT will block all of network 192.x.x.x.

--
e-SecureNet
We Run SuSE
*The LINUX Experts*
Miguel Albuquerque, Project Manager
c/o Av. Miremont 46
1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch
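The bounce attack Evert describes leaves a recognisable trace: the DSN returns an "original" message that our own mail server never relayed. The check below is an added example, not code from the thread or from any of the participants; it parses a multipart/report bounce and looks for our MTA in the Received: chain of the returned original. OUR_MTA and every host and address in SAMPLE_DSN are assumed placeholders.

```python
import email.policy
import re

OUR_MTA = "lagu.sidhe.net"  # the MTA we operate; assumed for this example

# Constructed DSN modelled on the multipart/report bounce quoted in the thread;
# hosts and addresses are placeholders, not real systems.
SAMPLE_DSN = b"""\
From: MAILER-DAEMON@mx.example.edu
To: lobo@lagu.sidhe.net
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.edu
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from spamhost.example.net ([192.0.2.10]) by mx.example.edu with SMTP
From: lobo@lagu.sidhe.net
To: nobody@example.edu
Subject: Be Bold And Courageous

spam body
--B1--
"""

def relaying_hosts(original):
    """Hostnames in the 'by' clause of each Received: header (forgeable, so a heuristic)."""
    hosts = set()
    for hdr in original.get_all("Received", []):
        m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", hdr, re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower().rstrip("."))
    return hosts

def classify_bounce(raw, our_mta=OUR_MTA):
    """'not-dsn', 'legit', or 'backscatter' (returned original never passed our MTA)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-dsn"
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the message the remote site bounced back
            return "legit" if our_mta.lower() in relaying_hosts(original) else "backscatter"
    return "not-dsn"
```

Run at the delivery stage (for instance from a procmail or sieve filter), this lets genuine bounces of mail the site really sent through while the backscatter is filed or discarded before it reaches a mailbox.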