On Jan 8, 2005, at 9:55 PM, Chris Drake wrote:
> I'm just wondering if it's a hacker targeting me, or a virus hitting
> everyone - someone's using "broken" MTAs to "bounce" millions of
> emails at all my servers for the last month or so.
Targeting you, yes. For a reason? possible, but unlikely...
'tis called a joe job and you are a backscatter victim. While there is
a good reason that the "legit" mail server wouldn't reject mail because
of your SPF records (forwarding problems, no finalized RFC, lack of
commercially pushed implementations, etc. etc.), there is certainly no
good reason for the server to accept and then bounce mail to
non-existent users (thus inducing backscatter).
> I am guessing that this attack is mounted like this:
> A) Perpetrator connects to any real mail server
> B) Perpetrator fakes a MAIL FROM: an email address of my server (which
> does not exist - and the pattern seems to be that they're choosing
> a deliberately non-existent address: I don't know why). mail
> server chooses not to do SPF, so accepts this lie.
> C) Perpetrator sends a RCPT TO: an email address on the real mail
> server (which deliberately does not exist I expect)
> D) The real "misconfigured" mail server somehow this email
> (my guess is that they're trying to prevent dictionary attacks?)
I assume you mean "somehow accepts this email". There are a large
variety of ways to prevent dictionary attacks aside from the
irresponsible approach of accepting and then rejecting.
> E) That mail server then originates a "bounce" for this faked email
> back to my server. Thousands of different legitimate mail servers
> are doing this, so my mail servers get swamped by crap that's
> impossible for me to firewall or block (because it's a real
> legitimate mail server "attacking" me). It's also impossible to
> reliably (or at all) work out the IP address of the attacker.
If you know all the IP addresses that originate messages for which you
should receive legitimate bounces you can scan the Received headers on
the MDN messages you receive and look for your IPs. If they aren't
there, then you didn't send it and you can discard it. Running a mail
server that allows you to do this inline in the DATA phase of the SMTP
transaction before it hits disk means it will only tax your bandwidth
and not your server too much.
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth
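The Received-header check Theo describes above, as an added example (not code from the thread or from Ecelerity): it inspects only the returned original inside a DSN, looks for our outbound MTA IPs in its Received hops, and flags the bounce as backscatter when none appear. The IPs, hostnames and bounce layout are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Public IPs our outbound MTAs send from (constructed for this example).
OUR_OUTBOUND_IPS = {"192.0.2.10", "192.0.2.11"}

# Bracketed IPv4 literal as MTAs write it in Received: "from host ([192.0.2.10])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _returned_received(bounce: Message):
    """Yield Received headers of the returned original only (the message/rfc822
    or text/rfc822-headers part of a DSN). The bounce's own Received hops name
    the bouncing MTA and our inbound MX, never our outbound senders."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            for inner in part.get_payload():
                yield from inner.get_all("Received", [])
        elif ctype == "text/rfc822-headers":
            yield from message_from_string(part.get_payload()).get_all("Received", [])


def is_legit_bounce(raw: str, our_ips=OUR_OUTBOUND_IPS) -> bool:
    """True only if the returned original passed through one of our MTAs;
    a backscatter bounce for mail we never sent yields False and can be dropped."""
    hops = {ip for hdr in _returned_received(message_from_string(raw)) for ip in _IP_RE.findall(hdr)}
    return bool(hops & set(our_ips))


def make_dsn(orig_received: str) -> str:
    """Build a minimal multipart/report DSN whose returned original carries the
    given Received header (constructed sample data, not a real bounce)."""
    return (
        "From: MAILER-DAEMON@remote.example\nTo: sender@ours.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n'
        "\n--B\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--B\nContent-Type: message/rfc822\n\n"
        f"Received: {orig_received}\n"
        "From: sender@ours.example\nTo: nobody@remote.example\n\nhello\n--B--\n"
    )


# Constructed: an original that really left our MTA vs. one forged elsewhere.
LEGIT_BOUNCE = make_dsn("from out.ours.example ([192.0.2.10]) by mx.remote.example")
JOE_JOB_BOUNCE = make_dsn("from pc77.isp.example ([198.51.100.77]) by mx.remote.example")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_BOUNCE), ("joe job", JOE_JOB_BOUNCE)):
        print(name, "->", "accept" if is_legit_bounce(raw) else "discard")
```

This handles standard DSNs that return the original as a message/rfc822 or text/rfc822-headers part; bouncers that paste the original into a plain-text body need the same IP scan run over that text instead.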