Security Basics mailing list archives
Re: SMTP DDoS
From: stephane nasdrovisky <stephane.nasdrovisky () uniway be>
Date: Wed, 13 Aug 2003 10:05:01 +0200
A customer suffered from this kind of NDR flooding 2 years ago. All its valid email addresses were looking like "x.y () x com". Rejecting any mail sent to "x () x com" but "info () x com" and "sales () x com" at the firewall level saved their bandwidth and administration overhead. I guess that's the kind of filter you already have implemented? If the forged from address is one of your valid email addresses, chances are you'll have to call the police department. An anti-spam email client (Netscape 7.1/Mozilla 1.4) or an anti-spam server based on Bayesian filtering could filter out most of these NDR floods. Unfortunately, it would not save your bandwidth.
Our customer faced this issue a few times after buying a foreign company, and the flood was about 100 mails per second. It lasted about 6 months.
Kip Sr. wrote:
For the past 10 days, our mail exchange server has been getting flooded with emails. It appears that an attacker is sending out tons of spam through various open relays and using our address (sales () mycompany com) in the return path. So essentially, all bounced emails are coming back to our mail server - we're seeing about 30,000 NDRs per day. I am using filters to delete the incoming email, but does anyone else have any other ideas on how to get this stopped? Since the NDRs are coming from legitimate sources, checking for open relays won't do me any good.
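The recipient filter Stephane describes, written out as an added example that is not from the original thread: it accepts only mailboxes shaped like "x.y@x.com" plus the info@ and sales@ exceptions and rejects every other local part at RCPT TO time, so bounces aimed at forged, nonexistent addresses are refused before any message body is transferred. The domain, the "two letters-only name parts" rule and the sample addresses are constructed assumptions.

```python
import re

# Constructed for this example: the protected domain and the exact-match
# exceptions to the "first.last" naming scheme described in the thread.
PROTECTED_DOMAIN = "x.com"
EXCEPTIONS = {"info", "sales"}

# Valid mailboxes look like "x.y@x.com": two dot-separated, letters-only
# name parts (an assumption about the customer's naming scheme).
NAME_PATTERN = re.compile(r"^[a-z]+\.[a-z]+$")


def accept_recipient(address: str) -> bool:
    """Return True if a RCPT TO address matches the site's naming scheme."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if domain != PROTECTED_DOMAIN:
        return False  # inbound MX only accepts mail for its own domain
    if local in EXCEPTIONS:
        return True
    return NAME_PATTERN.fullmatch(local) is not None


def triage(recipients):
    """Split a batch of RCPT TO values into accepted and rejected lists."""
    accepted, rejected = [], []
    for r in recipients:
        (accepted if accept_recipient(r) else rejected).append(r)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of recipients as a backscatter flood would produce them
    sample = ["john.doe@x.com", "info@x.com", "Sales@X.COM", "jdoe@x.com",
              "x@x.com", "admin@x.com", "john.doe@other.com"]
    acc, rej = triage(sample)
    print("accepted:", acc)
    print("rejected:", rej)
```

Rejecting at RCPT TO (or at the firewall, as in the thread) is what saves bandwidth; a client-side or post-acceptance spam filter only saves mailbox clutter.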