I'm afraid there's not much you can do about this one. These are liable to come from all over the place, many being legitimate operations that you have to accept mail from. Probably the best bet is to be a good mail netizen and ensure that your system does what it can to not send out bounces from spam or viruses that use forged addresses. If all of us do that, then this problem should be minimal.
Darin.

----- Original Message -----
From: "Scott Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 09, 2004 12:03 PM
Subject: Re: [IMail Forum] Are we vulnerable

Okay, which is basically what I said (except that the original email doesn't come to your server, but to another server). The point being, all the thousands of bounced messages still come to your server. Isn't that what the whole problem is? How would you block all those thousands of bounced messages from coming at your server?

Scott Smith - IT Manager
Westside & Detroit Reprographics
248.489.1999 (Office)
248.467.0452 (Cell)
[EMAIL PROTECTED]

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 08, 2004 11:35 PM
Subject: Re: [IMail Forum] Are we vulnerable

> Not quite...the situation is this
>
> - Email gets sent out from another source.
> - Email has a large number of cc and/or bcc addresses
> - Return address for the email is a forged address on your server
>
> Result: all of the bounces, flames, etc. come back to you (from each
> individual recipient/mail server) via the forged from address.
>
> So the threat is a single source email could result in a large number of
> emails targeted at a particular address.
>
> Darin.
>
> ----- Original Message -----
> From: "Scott Smith" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 08, 2004 11:01 PM
> Subject: Re: [IMail Forum] Are we vulnerable
>
> Okay, since I am relatively new to email administration, please help me
> clarify something.
>
> I read the original message of this thread as saying that someone could send
> a single email to your server, and in that email could be thousands of bad
> email addresses to cc the email message to. So then all of a sudden your
> server would start receiving the same thousands of bounced email messages
> back to it (because the original message would somehow disguise it so that
> your server was implicated as the sender of all those bad messages). Did I
> read that correctly?
>
> If that was the case, then wouldn't you have to find a way to block all of
> those thousands of "bounced" email messages hitting your server (which would
> probably be coming from thousands of IP addresses)?
>
> Please, correct me if I'm wrong - I'm really only a newbie...
>
> Scott Smith - IT Manager
> Westside & Detroit Reprographics
> 248.489.1999 (Office)
> 248.467.0452 (Cell)
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Nick Hayer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 08, 2004 6:26 PM
> Subject: Re: [IMail Forum] Are we vulnerable
>
> > On 8 Apr 2004 at 18:12, Scott Smith wrote:
> >
> > > Actually, if I'm not mistaken, it would be hundreds, or thousands, of
> > > IPs hammering you with unwanted email.
> >
> > A daily occurrence...
> >
> > I believe Mark was referring to a single server doing a joe job hence
> > my comment of dynamically block an "IP"; for clarification -
> > dynamically block multiple ip's once a certain threshold over time of
> > unwanted emails arrives. Configurable X time and X amount. If w/DJM
> > then by time and X weight. The latter is kinda a 'blend' of DJM and
> > DHijack. [non-existent but would be neat]
> >
> > -Nick Hayer
> >
> > > Scott Smith - IT Manager
> > > Westside & Detroit Reprographics
> > > 248.489.1999 (Office)
> > > 248.467.0452 (Cell)
> > > [EMAIL PROTECTED]
> > >
> > > ----- Original Message -----
> > > From: "Nick Hayer" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, April 08, 2004 5:59 PM
> > > Subject: Re: [IMail Forum] Are we vulnerable
> > >
> > > > On 8 Apr 2004 at 16:46, Mark wrote:
> > > >
> > > > > This is a disturbing story. How can we configure our servers to
> > > > > prevent this?
> > > >
> > > > Turning off the NOBODY alias would be helpful right off. I do not
> > > > know a way to dynamically block an IP that hammers you with unwanted
> > > > mail but that would be a nice feature..
> > > >
> > > > -Nick Hayer
> > > >
> > > > > Mark
> > > > >
> > > > > It is easy even your granny could do it
> > > > >
> > > > > By <mailto:[EMAIL PROTECTED]> INQUIRER staff: Thursday 08
> > > > > April 2004, 07:49 EXPERTS IN "computer security" have worked out a
> > > > > simple way to knock out any email server.
> > > > >
> > > > > A team at NGS Software said that the trick involves sending forged
> > > > > emails that contain thousands of incorrect addresses in the "copy
> > > > > to" fields.
> > > > >
> > > > > When this package is sent, huge quantities of unwanted email will
> > > > > be sent to another mail server.
> > > > >
> > > > > All it takes is finding a server configured to return an email
> > > > > with attachments to each incorrect address. Next you have to forge
> > > > > an email so it appears to come from the mail server that is to be
> > > > > the target.
> > > > >
> > > > > When the forged email, complete with the thousands of incorrect
> > > > > addresses is sent, an avalanche of "bounced" messages sent to the
> > > > > target server causes it to crash.
> > > > >
> > > > > According to New Scientist, with one little 10K email, hackers
> > > > > could then send 100MB back to a server.
> > > > >
> > > > > A third of the email servers of all Fortune 500 companies are, it
> > > > > appears, open to this kind of attack. If the hacker used an
> > > > > insecure email server the attack would be virtually untraceable.
> > > > > Oh great.
> > > > >
> > > > > ---
> > > > > [This E-mail scanned for viruses courtesy of Netslyder,
> > > > > Inc.(http://www.netslyder.net)]
> > > > >
> > > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
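
Nick's idea in the quoted thread (block source IPs once unwanted mail from them passes a configurable amount within a configurable time, optionally counted by weight), written out as an added example; it is not part of the original thread and not an IMail feature. The class, function and parameter names are hypothetical, and the sample events are constructed using documentation IP ranges.

```python
from collections import defaultdict, deque


class UnwantedMailThrottle:
    """Per-source-IP sliding window over unwanted-mail events (hypothetical helper)."""

    def __init__(self, window_s=600, threshold=10.0, block_s=3600):
        self.window_s = window_s      # "X time": how far back events still count
        self.threshold = threshold    # "X amount", or total weight, that trips a block
        self.block_s = block_s        # how long a tripped IP stays blocked
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, weight)
        self._blocked_until = {}            # ip -> block expiry timestamp

    def _score(self, ip, now):
        q = self._events[ip]
        while q and q[0][0] <= now - self.window_s:   # drop events outside the window
            q.popleft()
        return sum(weight for _, weight in q)

    def is_blocked(self, ip, now):
        if now >= self._blocked_until.get(ip, float("-inf")):
            self._blocked_until.pop(ip, None)   # block expired or was never set
            return False
        return True

    def record_unwanted(self, ip, now, weight=1.0):
        """Count one unwanted message; return True if the IP is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True
        self._events[ip].append((now, weight))
        if self._score(ip, now) >= self.threshold:
            self._blocked_until[ip] = now + self.block_s
            self._events.pop(ip, None)          # start fresh once the block ends
            return True
        return False


def replay(events, **cfg):
    """Feed (timestamp, ip, weight) tuples through a throttle; return IPs it blocked."""
    throttle, blocked = UnwantedMailThrottle(**cfg), []
    for ts, ip, weight in events:
        if throttle.record_unwanted(ip, ts, weight) and ip not in blocked:
            blocked.append(ip)
    return blocked


# Constructed sample: one host sends a burst, another sends one message every 700 s.
SAMPLE = [(t, "192.0.2.10", 1.0) for t in range(0, 50, 5)] + \
         [(t, "198.51.100.7", 1.0) for t in range(0, 6000, 700)]
```

With a weight of 1.0 per message this is the "X time and X amount" form; passing a spam-filter score as `weight` gives the "by time and X weight" form.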
