We saw the same thing this morning between 7:00 AM (GMT-0500) and about 8:30
AM.  Big chunks were getting through (spam detection rate dropped to about
65-70% from its normal 97-99%).  Sniffer updates seemed to start quelling
the attack after about an hour of getting pummeled.

Because of the relatively short lifespan of these types of attacks you need
to:

  1) be aware of the attack quickly
    - e.g. within 10-15 mins of seeing average detection rates drop below a
certain threshold (maybe 85%?), and
  2) be able to determine if there is an easy way to ID the leaked messages
(common source IP(s), From domains (an SPF check would help), subject lines,
etc.)
  3) then be able to create a temporary rule to help block messages
    - must be viable until SNF has an updated ruleset to start clearing out
the attack
    - I don't think Declude (what I use w/SNF) has rule expirations (but it
would be a nice feature)

Paul ---


> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> Behalf Of Alberto Santoni
> Sent: Friday, January 04, 2008 4:56 PM
> To: Message Sniffer Community
> Subject: [sniffer] I got a strong attack today
> 
> Hello
> 
> I got a strong attack today, over a thousand messages at the same time!!
> The usual technique:
> Impersonate the victim and send to non-valid users of one domain of
> mine!!
> Changing IP for each message.... UNBELIEVABLE!!
> 
> The only solution was to stop all the services and move all the spool
> files into a temp directory.
> 
> I won't use the "nobody" alias because at least the iMail Access Control
> can stop some bad IPs.
> 
> My config is:
> Imail 9.23
> Mxguard 3.1
> Message Sniffer
> InvURIBL 3.7
> 
> Two questions:
> 
> 1) Is there a way or tool to recycle good messages from the temp
> directory back into the queue?
> 2) How can I reduce or block(!) this kind of attack?
> 
> With my best regards
> Alberto
> 
> 
> 
> 
> 
> 
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <[email protected]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <sniffer-
> [EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>
> 
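As an added example (not part of this thread, and not Declude's or Message Sniffer's own code): a small Python script that works the three steps from the reply above over a constructed log. The log format is my own simplification (time, filter verdict, source IP, From domain, whether the recipient exists, subject), not the real Declude/SNF log layout; the 15-minute window, the 85% threshold, the local domain "mydomain.example" and the 2-hour rule lifetime are assumptions chosen for the example. It computes the per-window detection rate, raises an alert when it drops below the threshold, clusters the messages the filter passed during that window by From domain, subject and source IP (rotating IPs never concentrate, so they fall out on their own), and emits a hold rule that carries its own expiry, the rule-expiration feature the reply wishes for.

```python
"""Added example (not from the mailing-list thread): a detector for the
burst-spam workflow discussed above, driven by a constructed log.

Assumed log format (my own simplification, NOT the real Declude / Message
Sniffer layout), one message per line:
    <ISO time> <verdict SPAM|HAM> <source IP> <From domain> <rcpt_valid 0|1> <subject>
"""
from collections import Counter
from datetime import datetime, timedelta


def constructed_log():
    """Synthetic 30-minute log: a normal window, then a burst that impersonates
    the local domain, rotates source IPs and targets non-existent recipients."""
    lines = []
    for i in range(19):  # 06:45-06:59: 19 spams caught ...
        lines.append(f"2008-01-04T06:{45 + i % 15:02d}:{i:02d} SPAM 198.51.100.{i + 1} "
                     f"spammer{i}.example 1 Cheap meds {i}")
    lines.append("2008-01-04T06:50:30 HAM 192.0.2.10 partner.example 1 Re: invoice 4411")  # ... and 1 legit
    for i in range(12):  # 07:00-07:14: 12 spams still caught ...
        lines.append(f"2008-01-04T07:{i:02d}:10 SPAM 198.51.100.{50 + i} "
                     f"spammer{50 + i}.example 1 Cheap meds {50 + i}")
    for i in range(6):   # ... 6 impersonations leak as HAM, each from a new IP ...
        lines.append(f"2008-01-04T07:{2 * i:02d}:40 HAM 203.0.113.{i + 1} "
                     f"mydomain.example 0 Account verification required")
    lines.append("2008-01-04T07:05:05 HAM 192.0.2.20 customer.example 1 Order question")  # ... plus 2 legit
    lines.append("2008-01-04T07:11:15 HAM 192.0.2.10 partner.example 1 Re: invoice 4412")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, verdict, ip, domain, rcpt_valid, subject = line.split(" ", 5)
        events.append({"ts": datetime.fromisoformat(ts), "verdict": verdict, "src_ip": ip,
                       "from_domain": domain.lower(), "rcpt_valid": rcpt_valid == "1",
                       "subject": subject})
    return events


def window_start(ts, window_minutes):
    return ts.replace(minute=(ts.minute // window_minutes) * window_minutes, second=0, microsecond=0)


def detection_rates(events, window_minutes=15):
    """Step 1: share of inbound mail the filter tagged as spam, per window."""
    totals, spam = Counter(), Counter()
    for e in events:
        start = window_start(e["ts"], window_minutes)
        totals[start] += 1
        if e["verdict"] == "SPAM":
            spam[start] += 1
    return {start: spam[start] / totals[start] for start in totals}


def alert_windows(rates, threshold=0.85):
    return sorted(start for start, rate in rates.items() if rate < threshold)


def leaked_traits(events, start, window_minutes=15, local_domains=("mydomain.example",), min_share=0.5):
    """Step 2: among messages the filter passed in an alert window, find attributes
    shared by at least min_share of them. Rotating source IPs never concentrate,
    so they drop out; a From domain of ours arriving from outside is the
    impersonation an SPF check would also flag."""
    end = start + timedelta(minutes=window_minutes)
    leaked = [e for e in events if e["verdict"] == "HAM" and start <= e["ts"] < end]
    if not leaked:
        return {"leaked": 0, "traits": {}, "invalid_rcpt_share": 0.0, "impersonates_local": False}
    traits = {}
    for key in ("from_domain", "subject", "src_ip"):
        value, n = Counter(e[key] for e in leaked).most_common(1)[0]
        if n / len(leaked) >= min_share:
            traits[key] = value
    return {"leaked": len(leaked), "traits": traits,
            "invalid_rcpt_share": sum(not e["rcpt_valid"] for e in leaked) / len(leaked),
            "impersonates_local": traits.get("from_domain") in local_domains}


def make_temp_rule(traits, created, ttl_hours=2):
    """Step 3: a hold rule with its own expiry (assumed 2 h), so it stops on its
    own once the vendor's updated ruleset has caught up."""
    return {"match": dict(traits), "action": "hold", "created": created,
            "expires": created + timedelta(hours=ttl_hours)}


def rule_matches(rule, event):
    return all(event[key] == value for key, value in rule["match"].items())


def active_rules(rules, now):
    return [r for r in rules if r["expires"] > now]


if __name__ == "__main__":
    events = parse_log(constructed_log())
    rates = detection_rates(events)
    for start in alert_windows(rates):
        report = leaked_traits(events, start)
        rule = make_temp_rule(report["traits"], created=start + timedelta(minutes=15))
        print(f"{start:%H:%M} rate={rates[start]:.2f} leaked={report['leaked']} "
              f"traits={report['traits']} expires={rule['expires']:%H:%M}")
```

On the constructed log the normal window scores 0.95 and the burst window 0.60, so only the burst triggers; the eight passed messages cluster on the spoofed From domain and the shared subject while the six distinct source IPs do not, and the resulting rule holds exactly those six messages until it expires. Against a real Declude/SNF deployment the parser and the "hold" action are the parts you would replace.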
