>>This is a dictionary attack, it looks like. Really not a lot you
>>can do at the Imail level except bend over and take it DoS up
>>l'arrière (pardon my French), and if the sending ip address keeps
>>changing over more than one ip block, you can't block at the
>>router. The sending MTA ip address is probably spoofed anyway.
>
>If Relay For Addresses is used, can they still do this?
yeah, sure. They aren't trying to hijack an open relay (that's only
one kind of abuse). This abuse is sending a dictionary of names to
an Imail local domain, totally different situ.
>Will IMail look at each message and write an error to the log or
>just ignore if it's not coming from a specified IP?
Imail gets DoS'd by having to look up each and every "RCPT TO:
recipient@" in the internal/external Imail user database to decide to
accept or reject "recipient@".
And of course, if SMTP logging is turned on, Imail will dutifully log
each and every "unknown user" rejection. And as we saw in his logs,
if "max RCPT TO: per session" limit is set and exceeded, rather than
disconnect the SMTP brutally, Imail politely rejects and logs each
(valid/invalid) recipient@ beyond the limit, continuing the DoS at
full SPAM speed.
The size of the log files explodes to 100's of mb's, as he reported.
But as we've seen here many times, this kind of DoS attack usually isn't
too bad, since so many Imail servers are running essentially idle
90+% of the time, so he detected the attack by the size of the log
files, not by the slowness of Imail.
If the attacker is running only one SMTP client on his end, then he's
only going to get one SMTPD session at a time from Imail which isn't
going to DoS Imail, unless Imail is already hurting.
But if the attacker runs 50 SMTP clients into Imail with each of his
SMTP client processes attacking/DoS-sing, then I think your Imail box
is going to be prostrate no matter how many MHz you have. He will
consume every available Imail SMTPD process and no other mail will
arrive/leave, even if the Imail box has some MHz to spare.
Look at the rate which Keith's was logging stuff:
12:30 13:32 SMTPD(06CE0102) [63.27.13.182] ERR spacey.net invalid user
<[EMAIL PROTECTED]
His entire log snippet of 100+ rejects was within the single minute
13:32 and I bet he didn't show us all the rejects for that
minute. That's 6000+ per hour and PER JUST ONE IMAIL SMTPD
process. Now imagine if the attacker had 25 SMTP clients hitting
Imail, that 25 x 6000 = 150,000 rejects/hour, and 300,000 log lines.
When Imail's "max msgs per session" is exceeded, it should just stop
responding after Imail returns "550 unknown user" or "571 access
denied" and hang up the SMTPD session. Otherwise, Imail keeps
letting itself be DoS-ed, it looks like.
Len
http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 T9B for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways
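Added example (not from the thread or from Ipswitch): a small detector that reads SMTPD log lines in the format of the one quoted above and flags any source IP that produces a burst of "invalid user" rejects within one minute, which is how Keith's dictionary attack showed up. The log lines below are constructed, with documentation-range IPs and placeholder addresses; the field layout is assumed from the single quoted line.

```python
import re
from collections import Counter

# Assumed IMail SMTPD line layout, taken from the one line quoted in the thread:
#   <date> <HH:MM> SMTPD(<session>) [<ip>] ERR <domain> invalid user <addr>
# The closing '>' is optional because the quoted line had its address redacted.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d) SMTPD\((?P<session>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>[\d.]+)\] ERR (?P<domain>\S+) invalid user <(?P<rcpt>[^>]*)>?"
)

# Constructed sample log: 60 rejects from one IP in a single minute (a name-list
# walk), two rejects from a second IP, and one unrelated line that must be ignored.
SAMPLE_LOG = [
    f"12:30 13:32 SMTPD(06CE0102) [192.0.2.10] ERR example.net invalid user <name{i}@example.net>"
    for i in range(60)
] + [
    "12:30 13:33 SMTPD(06CE0107) [198.51.100.7] ERR example.net invalid user <bob@example.net>",
    "12:30 13:33 SMTPD(06CE0108) [198.51.100.7] ERR example.net invalid user <alice@example.net",
    "12:30 13:33 SMTPD(06CE0109) [198.51.100.7] OK accepted <carol@example.net>",
]


def parse_invalid_user(line):
    """Return the fields of an 'invalid user' rejection, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def reject_rates(lines):
    """Count invalid-user rejects per (source IP, minute) bucket."""
    counts = Counter()
    for line in lines:
        rec = parse_invalid_user(line)
        if rec:
            counts[(rec["ip"], f"{rec['date']} {rec['time']}")] += 1
    return counts


def flag_dictionary_attack(lines, per_minute=50):
    """Return the (ip, minute) buckets at or above the threshold; the thread's
    100+ rejects in one minute would clear the default easily."""
    return {k: v for k, v in reject_rates(lines).items() if v >= per_minute}


if __name__ == "__main__":
    for (ip, minute), n in sorted(flag_dictionary_attack(SAMPLE_LOG).items()):
        print(f"{minute}: {n} invalid-user rejects from {ip}")
```

Feed it a real IMail SMTPD log and the flagged buckets are the candidates for a router or firewall block, with the caveat from the thread that a sender rotating across IP blocks will keep moving.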
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/