Security Incidents mailing list archives

Re: Mail Server attack
From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Wed, 8 Mar 2000 10:26:47 -0500


The program possibly used that has that signature is at:
http://tribune.intranova.net/archives/spurf.c

It spoofs a message from a victim address to several nonexistent addresses
at a specified bounce point, resulting in several error messages with
random characters being sent to the victim's mailbox.

Sample 'Life':
# -- Pass a list of bouncepoints
echo "reallyfastmailhost1.com" >> file.o.bouncepoints
echo "reallyfastmailhost2.com" >> file.o.bouncepoints
echo "reallyfastmailhost3.com" >> file.o.bouncepoints
echo "reallyfastmailhost4.com" >> file.o.bouncepoints

# -- Run spurf to send NM messages to each bouncepoint consisting of
#    NR bytes of random data.
./spurf -t victim@victim.com -f file.o.bouncepoints -n NM -s NR

Now here, the program traverses through each bouncepoint sending NM forged
e-mails like this:

-- snip --
HELO tribune.intranova.net
MAIL FROM: victim@victim.com
RCPT TO: NNNNNNNN@reallyfastmailhost1.com
DATA
(random data here)
.
QUIT
-- snip --

NNNNNNNN is a random number.

There are two logical ways I can think of stopping it off the top of my
head. One, deny anything that passes a HELO argument of
'tribune.intranova.net'. Two, set up a filter to deny all mail going to a
user consisting of all digits (provided none of your users on the system
is using an alias or has a username of all digits).

On Wed, 8 Mar 2000, Joel Michael wrote:

hi all
(this is my first post, so please turn down the flame level a bit ;)
We had an attack on our mail server.  It seems as though someone sent
literally tens of thousands of emails at our server with random (as in,
random character generator) to: addresses.  This actually managed to
crash our server with the overhead of looking up all those thousands of
non-existent addresses.  Has anyone else seen something like this (maybe
with a little less disastrous side effects)?  As a stop-gap measure, we
have blacklisted the IP address that the attack came from (a cable modem
user on the RoadRunner network in Houston, Texas, USA).  Anyone got any
ideas about how to permanently stop this kind of attack?  Any thoughts,
comments, etc appreciated :)
---
Joel Michael
System Administrator

Diggy Internet Services
90 Petrie Terrace
Brisbane Qld 4000
Australia

Ph: +61 7 3367 3555
Fax: +61 7 3367 3544
Mob: 0401 039 462


--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+
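The two filtering rules proposed in the reply above, written out as a check an operator could run at the bounce point, plus a counter over mail-log lines that keys on the connecting client rather than on MAIL FROM (which spurf forges to the victim). This is an added example, not code from the thread or from spurf.c; the log format, the hostnames, the IP addresses and the `local_users` parameter are all constructed for illustration and do not correspond to any real MTA's log syntax.

```python
import re
from collections import Counter

# Rule 1 from the reply: refuse sessions whose HELO argument is the
# hostname spurf sends.
BLOCKED_HELO = {"tribune.intranova.net"}

# Rule 2 from the reply: refuse recipients whose local-part is all digits.
ALL_DIGIT_LOCALPART = re.compile(r"^[0-9]+$")


def reject_envelope(helo, rcpt_to, local_users=frozenset()):
    """Return a rejection reason for one RCPT TO, or None to accept.

    local_users (assumed parameter) is the set of genuine local-parts on
    this host, so that a real user or alias made of digits, the caveat the
    reply raises, is not refused by rule 2.
    """
    if helo.strip().lower() in BLOCKED_HELO:
        return "helo-blocklisted"
    localpart = rcpt_to.strip("<>").rsplit("@", 1)[0]
    if ALL_DIGIT_LOCALPART.match(localpart) and localpart not in local_users:
        return "all-digit-recipient"
    return None


# Constructed, simplified log format (not any particular MTA's syntax):
#   <ts> <host> smtpd: client=<ip> helo=<name> rcpt=<addr> result=<unknown|ok>
LOG_RE = re.compile(
    r"client=(?P<ip>\S+) helo=(?P<helo>\S+) rcpt=<(?P<rcpt>[^>]+)> result=(?P<result>\S+)"
)

# Constructed sample: one source hammering random all-digit recipients with
# the spurf HELO, and one legitimate peer that happens to hit one bad address.
SAMPLE_LOG = """\
Mar  8 09:14:01 mx1 smtpd: client=203.0.113.7 helo=tribune.intranova.net rcpt=<48812034@example.com> result=unknown
Mar  8 09:14:01 mx1 smtpd: client=203.0.113.7 helo=tribune.intranova.net rcpt=<90210447@example.com> result=unknown
Mar  8 09:14:02 mx1 smtpd: client=203.0.113.7 helo=tribune.intranova.net rcpt=<11823995@example.com> result=unknown
Mar  8 09:14:03 mx1 smtpd: client=198.51.100.20 helo=mail.partner.example rcpt=<joel@example.com> result=ok
Mar  8 09:14:04 mx1 smtpd: client=198.51.100.20 helo=mail.partner.example rcpt=<nosuchuser@example.com> result=unknown
Mar  8 09:14:05 mx1 smtpd: client=203.0.113.7 helo=tribune.intranova.net rcpt=<77261003@example.com> result=unknown
"""


def parse_log(text):
    """Yield (ip, helo, rcpt, result) for every line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("helo"), m.group("rcpt"), m.group("result")


def flooding_sources(text, threshold=3):
    """Map client IP -> count of unknown-recipient attempts that match either
    rule, keeping only sources at or above threshold.

    The count is keyed on the client IP because the envelope sender is the
    forged victim address and says nothing about who is connecting.
    """
    hits = Counter()
    for ip, helo, rcpt, result in parse_log(text):
        if result != "unknown":
            continue
        if reject_envelope(helo, rcpt) is not None:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(reject_envelope("tribune.intranova.net", "alice@example.com"))
    print(reject_envelope("mx.legit.example", "<12345@example.com>"))
    print(flooding_sources(SAMPLE_LOG))
```

Both rules are only as durable as the strings spurf happens to use: the HELO argument is a constant in the program and the all-digit recipient pattern is a property of its random-address generator, so either is gone the moment someone edits the source. Counting rejected recipients per client, as `flooding_sources` does, still works after that and is what the stop-gap blacklisting in the original post amounts to, done automatically.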


