Date: Fri, 07 Jun 2002 09:27:22 -0500
From: "Jack L. Stone" <jackstone@sage-one.net>
To: freebsd-questions@freebsd.org
Subject: List email bomb
Message-ID: <3.0.5.32.20020607092722.00fc2288@mail.sage-one.net>

Yesterday morning, one of our lists was subjected to a sort of a "flood attack" or mail bomb which was apparently using the majordomo "help" command most likely run by a batch program by the attacker. The Log file was filled with hundreds of the following "help" commands from a single source. The help command in turn was creating a flood of jobs in the sendmail queue. I would kill the job and another would appear (before I figured out what was happening).

<snip/>
Jun 06 12:31:31 ten-ten.org majordomo[34487] {"MUHARREM TOY" <muharremt@anadolu.edu.tr>} help
Jun 06 12:31:39 ten-ten.org majordomo[34498] {"MUHARREM TOY" <muharremt@anadolu.edu.tr>} help
Jun 06 12:31:47 ten-ten.org majordomo[34509] {"MUHARREM TOY" <muharremt@anadolu.edu.tr>} help
Jun 06 12:31:55 ten-ten.org majordomo[34521] {"MUHARREM TOY" <muharremt@anadolu.edu.tr>} help
Jun 06 12:32:05 ten-ten.org majordomo[34536] {"MUHARREM TOY" <muharremt@anadolu.edu.tr>} help
</snip>

I was able to stop it by stopping the sendmail daemon, deleting the jobs from the mqueue, placing a block of the bomber's IP (193.140.20.20) in the firewall to break the loop. Then restarted the sendmail daemon.

I waited for a while and then opened up the FW again... it started the attack again. I placed the FW block back and left it overnight. Today, so far no attacks after removing the block.

Has anyone else experienced this...??? ...and, if so, what did you do...??

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
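
Added example, not part of the original message: one way to spot the kind of repeated-command flood described above is to scan the majordomo log with a sliding time window per sender. The line layout is taken from the excerpt in the message; the threshold, window, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout as in the excerpt: "Mon DD HH:MM:SS host majordomo[pid] {sender} command"
LINE_RE = re.compile(r'^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ majordomo\[\d+\] \{(.*)\} (\S+)')
ADDR_RE = re.compile(r'<([^<>\s]+@[^<>\s]+)>')

def parse_line(line, year=2002):
    """Return (timestamp, sender address, command), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    addr = ADDR_RE.search(m.group(2))
    sender = (addr.group(1) if addr else m.group(2)).lower()
    return ts, sender, m.group(3).lower()

def find_floods(lines, threshold=5, window=timedelta(seconds=60), year=2002):
    """Map (sender, command) -> peak count for senders that reach `threshold`
    identical commands inside one sliding `window` (both values are assumptions)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, sender, cmd = rec
        q = recent[(sender, cmd)]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(sender, cmd)] = max(flagged.get((sender, cmd), 0), len(q))
    return flagged

# Constructed sample lines (example.org names, not taken from the real log).
SAMPLE = [
    'Jun 06 12:31:31 lists.example.org majordomo[101] {"Flood Sender" <flood@example.org>} help',
    'Jun 06 12:31:35 lists.example.org majordomo[102] {"Normal User" <user@example.org>} help',
    'Jun 06 12:31:39 lists.example.org majordomo[103] {"Flood Sender" <flood@example.org>} help',
    'Jun 06 12:31:47 lists.example.org majordomo[104] {"Flood Sender" <flood@example.org>} help',
    'Jun 06 12:31:55 lists.example.org majordomo[105] {"Flood Sender" <flood@example.org>} help',
    'Jun 06 12:32:05 lists.example.org majordomo[106] {"Flood Sender" <flood@example.org>} help',
    'Jun 06 12:32:13 lists.example.org majordomo[107] {"Flood Sender" <flood@example.org>} help',
]

if __name__ == "__main__":
    for (sender, cmd), n in find_floods(SAMPLE).items():
        print(f"{sender}: {n} '{cmd}' requests within 60s")
```

The sender field is whatever address the request message claimed, so this groups by a value the sender controls; it complements, rather than replaces, the source-IP block described in the message.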