[Exim] SPAM Attack

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Ron McKeating
Fecha:  
A: Exim-Users (E-mail)
Asunto: [Exim] SPAM Attack
Redhat 9 box running exim 4.24 and exiscan, spamassassin-2.53

Yesterday one of our main mailrouters was spammed to death, here are
some of the details

For your info these are the machines that attacked yesterday.

The sender email address in every case was info@???

H=(ajax.cnchost.com) [207.155.248.31]
messages from here completed ok if valid local user
H=(he103war.uk.vianw.net) [195.102.244.134]
messages from here completed ok if valid local user
(he105war.uk.vianw.net) [195.102.244.137]
messages from here completed ok if valid local user
(he106war.uk.vianw.net) [195.102.244.137]
messages from here completed ok if valid local user
H=(he102war.uk.vianw.net) [195.102.244.133]
messages from here completed ok if valid local user
H=(mx0.123-reg.co.uk) [212.67.202.235]
messages from here completed ok if valid local user
formidable.cnchost.com [207.155.248.60]
connection refused
H=audacious.cnchost.com [207.155.252.66]
messages from here completed ok if valid local user
H=indefatigable.cnchost.com [207.155.248.27]
messages from here completed ok if valid local user or
Connection reset by peer
H=inflexible.cnchost.com [207.155.252.24]
messages from here completed ok if valid local user
H=excellent.cnchost.com [207.155.252.34]
messages from here completed ok if valid local user
H=intrepid.cnchost.com [207.155.248.50]
messages from here completed ok if valid local use
H=(rodney.cnchost.com) [207.155.252.4]
messages from here completed ok if valid local use
H=irresistable.cnchost.com [207.155.248.34]
messages from here completed ok if valid local use
H=impregnable.cnchost.com [207.155.252.95]
Connection reset by peer

There were 1672 emails sent between 2003-11-12 13:21:17 and 2003-11-12
14:30:20

several of the above machines were sending the same spam simultaneously.

The server failed with
Failed to get write lock for /usr/local/exim/spool/db/retry.lockfile:
timed out (218 errors)

Warning: ACL "warn" statement skipped: condition test deferred: (1383
errors)

spam acl condition: spamd connection to 127.0.0.1, port 783 failed:
Connection timed out (1383 errors)

A dig on cnchost.com gives the following

;; ANSWER SECTION:
cnchost.com.            900     IN      A       207.155.252.97
cnchost.com.            900     IN      A       207.155.248.12
cnchost.com.            900     IN      A       207.155.252.4
cnchost.com.            900     IN      A       207.155.252.18



Be on your guard. Our machine melted(it was already very busy) and the
initrd dir disappeared leading to a kernel panic, we had to bring it up
with a rescue disk and manually recreate initrd.


/Ron

--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329