Security Incidents mailing list archives
Re: Email attack
From: "Greg A. Woods" <woods () weird com>
Date: Mon, 5 Feb 2001 13:41:11 -0500
[ On Monday, February 5, 2001 at 12:33:15 (-0500), Kee Hinckley wrote: ]
> Subject: Email attack
>
> I assume this is specific to somewhere.com--we seem to attract this kind of thing.
>
> 2001-02-01 We were under email attack (a message a second) addressed to somebody () somewhere com (a non-existent address). The attack went on for several hours until I finally blocked the two sending machines at my router.
This may not have been an "attack" per se. Some mailers (and I use that term very lightly because I'm intending to include all spam-ware in its definition) are extremely broken and will continue to try to deliver to a destination despite receiving immediate 5xx SMTP responses that "MUST" always cause an immediate bounce. I've received hundreds of connections per minute from even the likes of Netscape's mail server (though an ancient version of Apple's mailserver for MacOS was the most broken I ever encountered as it didn't even back down after an hour or so and then wait for another queue run -- it just kept spewing! Luckily that bug's been fixed in newer versions). Lsoft's NT mailer is the most recent culprit for disobeying SMTP response codes and unfortunately its author will listen to neither logic, insults, nor threats! :-)

I can't reach the first machine you mentioned at the moment so perhaps whatever's wrong with it is being addressed (or it's crashed! :-)....

The second machine answers with responses that don't give me quite enough information to identify it (and clearly show that it's already in violation of RFC-821 right from the first greeting it sends), and given what it does do I wouldn't be at all surprised that it could be responsible for the connection "attack" you witnessed. Here's what I see:

$ telnet 193.219.211.9 25
Trying 193.219.211.9...
Connected to mx.nkm.lt.
Escape character is '^]'.
220 ESMTP
HELP
214 try reading large books about smtp
DEBUG
502 I don't know such command... and I do not care.
VERB
502 I don't know such command... and I do not care.
RCPT TO:<postmaster>
503 MAIL first (#5.5.1)
HELO foo
250
RCPT TO:<postmaster>
503 MAIL first (#5.5.1)
MAIL FROM:<>
250 yeah rulez
RCPT TO:<postmaster>
250 cool, I like it.
quit
221
Connection closed by foreign host.

-- 
Greg A. Woods
+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
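The behaviour Greg describes, a remote mailer that keeps redelivering to a non-existent mailbox a message a second despite being told 5xx every time, is easy to pick out of a mail server's log before it has gone on for hours. The following is an added example, not code from the original thread or from any of the mailers named in it. It assumes a constructed one-line-per-transaction log format (ISO timestamp, client IP, SMTP reply code, recipient) and constructed sample lines using RFC 5737 documentation addresses; the detection itself is a sliding window over permanent rejections per (client, recipient) pair, so a host that legitimately retries after a 4xx temporary failure is not flagged.

```python
"""Detect remote hosts that keep retrying a recipient after 5xx rejections.

Added example (not from the original post). The log format and the sample
lines are constructed for illustration:
    "<ISO timestamp> <client ip> <smtp reply code> <recipient>"
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: one accepted or rejected RCPT per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<code>\d{3}) "
    r"(?P<rcpt>\S+)$"
)

# Constructed sample (documentation IPs): 192.0.2.10 hammers a non-existent
# mailbox once a second and is answered 550 each time; 198.51.100.7 is a
# normal peer that draws a single rejection and otherwise delivers fine.
SAMPLE_LOG = """\
2001-02-01T09:00:00 198.51.100.7 250 alice@example.com
2001-02-01T09:00:01 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:02 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:03 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:04 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:05 198.51.100.7 550 nobody@example.com
2001-02-01T09:00:05 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:06 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:07 192.0.2.10 550 somebody@example.com
2001-02-01T09:00:08 192.0.2.10 550 somebody@example.com
2001-02-01T09:30:00 198.51.100.7 250 bob@example.com
"""


def parse_line(line):
    """Return (timestamp, ip, code, recipient) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], int(m["code"]), m["rcpt"])


def find_retry_storms(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for clients that drew at least `threshold`
    permanent (5xx) rejections for the same recipient within any span of
    `window_seconds`. Temporary (4xx) failures are ignored: retrying those
    is exactly what a well-behaved mailer is supposed to do."""
    recent = defaultdict(deque)  # (ip, rcpt) -> timestamps of recent 5xx replies
    peaks = {}
    for raw in lines:
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue  # skip lines that do not match the expected format
        ts, ip, code, rcpt = parsed
        if not 500 <= code <= 599:
            continue
        q = recent[(ip, rcpt)]
        q.append(ts)
        # Drop rejections that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    storms = find_retry_storms(SAMPLE_LOG.splitlines())
    for ip, count in sorted(storms.items()):
        print(f"{ip}: {count} redeliveries after 5xx within 60s; "
              "candidate for a temporary block at the router or MTA")
```

Run against the constructed sample, only 192.0.2.10 is reported (eight rejections for the same recipient inside eight seconds), while 198.51.100.7's lone 550 stays below the threshold. The threshold and window are the knobs to tune against a real log: a legitimate MTA should never need more than one 5xx for a given recipient, so even a low threshold is safe as long as the window is short enough that separate messages to the same bad address are not conflated.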
Current thread:
- Email attack Kee Hinckley (Feb 05)
- Re: Email attack Nickola Pepelishev (Feb 05)
- Re: Email attack Greg A. Woods (Feb 05)