Sorry for the length of this post and its slightly off-topic nature.  But it
does concern all qmail users in that it demonstrates an easy and effective
attack against a qmail server.

I have been hit for the second time in several months by an email address
harvester.  The attacker sends multiple emails to my mail server.  Each
email has 25 recipients with every name you can imagine, mostly in
alphabetical order (see bounce below).  I believe they then compare the
bounces ( [EMAIL PROTECTED] in this case) against the database of
addresses that were sent to, resulting in a list of valid email addresses of
my users.

Because the incoming volume is low, maybe only 75 items per minute, it
raises no flags, and because there are only 25 recipients per message, that
doesn't raise a flag either.  However this results in about 15,000
deliveries for qmail-smtpd if this pace is maintained for about 40 minutes
as it was last night.  I chart qmail deliveries on MRTG and was tipped off
by seeing about 1900 deliveries each 5 minutes continuing for 40 minutes.
(normal for me is about 50 deliveries/5 mins).

Of course this type of volume does not cause a bit of trouble with my
reliable and highly capable qmail server, but horrible damage is being done
to my customers.  By the time I can analyze the problem and notify the
company where the attacker is set up, the damage is already done and my
users will suffer the consequences for years to come.

Below is a sample letter that actually gets through, as well as a clip from
qmail-qread that shows one of the items still queued up (stuck in the queue
because I had chmod 0 .qmail-bin after this happened before, as I had started
getting spam mail to [EMAIL PROTECTED] ).  Also below is a snip of logs from
qmail-smtpd.  It appears that the sending IP (207.190.23.59) is bogus.  I
get no information on a reverse lookup.

I don't see any way to stop this type of attack other than to be able to
deny a connection from any IP address that does not have a valid MX record,
or at least a valid reverse lookup.  But I have not figured out how to do
that.

Thanks for any comments or suggestions on how to overcome this problem.

Dennis Duval

****************************************
This is what a letter looks like if it actually gets delivered to one of my
users
****************************************
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6006 invoked from network); 1 May 2000 08:20:35 -0000
Received: from unknown (HELO viola) (207.190.23.59)
  by mail.seacove.net with SMTP; 1 May 2000 08:20:35 -0000
Message-ID: < 447410@ 423984>
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Bcc:
Date: Mon, 01 May 2000 01:41:19 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

*****************************************
Snip below is from qmail-qread showing a bounce message that actually hung
because I had changed the permissions on the file .qmail-bin.  This shows
plainly that the bounce message is returning to [EMAIL PROTECTED]  If
it was an invalid address, these items would have double-bounced into a
specified maildir, and there are no double bounces to [EMAIL PROTECTED]
in that maildir.  This message shows how one message is set up to mail to
multiple recipients so that any address which is not legitimate is bounced
to a harvester.
*****************************************
1 May 2000 08:26:07 GMT  #212330  415  <[EMAIL PROTECTED]>  bouncing
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
        local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]
  done  local   [EMAIL PROTECTED]

**********************************************
snip below from qmail-smtpd log.  This is the first entry that shows
up in the logs during the event
**********************************************
2000-05-01 03:19:53.350211 tcpserver: pid 5424 from 207.190.23.59
2000-05-01 03:19:53.948779 tcpserver: status: 3/40
2000-05-01 03:19:53.950027 tcpserver: pid 5425 from 207.190.23.59
2000-05-01 03:19:54.735180 tcpserver: ok 5425 mail.seacove.net:206.162.105.15:25 :207.190.23.59::4698
2000-05-01 03:19:59.242080 tcpserver: ok 5424 mail.seacove.net:206.162.105.15:25 :207.190.23.59::4695
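The post detects the harvesting run from an aggregate delivery count on an MRTG graph, after the fact. The tcpserver log excerpt above already carries the information needed to catch it per source while it is running: every accepted connection is logged as "tcpserver: pid N from IP". The following is an added example, not code from the post or from the qmail distribution; it parses lines in that format, keeps a sliding 5-minute window of connections per remote address, and flags any address that opens more than a threshold number of connections inside one window. It then emits the flagged addresses as tcprules-style "IP:deny" lines, which is the format tcpserver's rules file uses; loading them into the cdb, and the threshold value itself, are assumptions you would tune for your own site. The sample log is constructed (documentation addresses 192.0.2.10 and 198.51.100.7), not the log from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# tcpserver -v "pid N from IP" line after tai64nlocal, in the layout shown
# in the post's log excerpt. "status:" and "ok" lines do not match and are
# ignored on purpose: one connection is counted once, when it is accepted.
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"tcpserver: pid \d+ from (?P<ip>\S+)$"
)


def parse_connects(lines):
    """Yield (timestamp, remote_ip) for each accepted-connection line."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("ip")


def find_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Sliding-window connection count per remote IP.

    Returns {ip: (first_alert_time, count_in_window)} for every IP that
    exceeds `threshold` connections within any `window`-long span. Each IP
    is reported once, at the moment it first crosses the threshold, so the
    alert fires while the run is still in progress rather than at the end.
    The threshold (20 per 5 minutes) is an assumed value for illustration.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    alerts = {}
    for ts, ip in parse_connects(lines):
        dq = recent[ip]
        dq.append(ts)
        while dq and ts - dq[0] > window:   # drop entries older than window
            dq.popleft()
        if len(dq) > threshold and ip not in alerts:
            alerts[ip] = (ts, len(dq))
    return alerts


def tcprules_lines(alerts):
    """Render flagged addresses as tcprules 'IP:deny' rules, sorted."""
    return [f"{ip}:deny" for ip in sorted(alerts)]


def _constructed_log():
    # Constructed sample, not from the post: one source opens a connection
    # every 4 seconds for two minutes (30 connections), interleaved with the
    # status lines tcpserver prints, plus a single normal sender.
    base = datetime(2000, 5, 1, 3, 19, 53)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S.%f} tcpserver: pid {5424 + i} from 192.0.2.10")
        if i % 10 == 0:
            lines.append(f"{t:%Y-%m-%d %H:%M:%S.%f} tcpserver: status: 3/40")
    t = base + timedelta(minutes=1)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S.%f} tcpserver: pid 9000 from 198.51.100.7")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    found = find_bursts(SAMPLE_LOG)
    for ip, (when, count) in found.items():
        print(f"{when}: {ip} opened {count} connections inside 5 minutes")
    print("\n".join(tcprules_lines(found)))
```

A deny rule only stops the address you have already seen, and the post notes the source looked bogus; the more durable fix for this attack is to reject unknown recipients at RCPT TO time (so nothing is accepted and nothing bounces) rather than to block senders, which stock qmail of this era does not do without a patch or a wrapper.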