denial of service
Today, one of my domains and the ISP hosting its mail server were under attack. The server ground almost to a halt as thousands of bounced emails arrived at the reply-to addresses used by a spammer. These addresses used my domain, but the spam wasn't sent from there, and the apparent From and Reply-To addresses are not real ones for that domain. The Froms were spoofed, and the Reply-To field is easy to configure on most email clients.
I only saw the bounces, and they arrived at approx. 100 per 5 minutes, or about 1200 per hour. They swamped all legit email I would have received until my ISP turned off the catch-all forwarding I had requested.
Most bounces had attachments from the recipient servers: the original email, which seemed to have contained graphics too. Lots of bits and bytes to overwhelm a server. The source appears to be untraceable. I can follow back to a friendly ISP in the UK, and no further, but only for some of the bounces. The From addresses, subject lines, and part of the content were variable, so keyword filters weren't fast at recognizing the problem.
Back to numbers. If my domain received about 1200 bounces/hour from servers which no longer hosted the target address, then how many messages were sent? What was the quality of the target list? As is common online, about 20% of the addresses on it are stale. So the bounces I received only reflect the cases where the server still exists but the address no longer does. The number of spams sent out could have been as high as 1200 x 5, or 6000/hour. Which isn't incredibly high. For one hour. How about ten hours for a nice round 60,000 spams?
This is probably sufficient for my domain to become blacklisted. In other words, I may not be able to send email from that domain legitimately to many places. Fun in the digital city.
Here's a sanitized copy of a bounce:
Return-Path:
Received: (qmail 18353 invoked from network);
10 Jul 2006 14:36:11 -0000
Received: from
82-45-174-247.cable.ubr01.donc.blueyonder.co.uk
(HELO 251C358) (82.45.174.247)
by servidor2.suempresa.com with SMTP;
10 Jul 2006 14:36:11 -0000
FCC: mailbox://KristinafsmBradford@ME.com/Sent
X-Identity-Key: iD7
Date: Tue, 11 Jul 2006 08:41:17 +0200
From: Abel Lewis
X-Accept-Language: en-us, en
To: loresenrique.lores@INNOCENTVICTIM.com
Subject: Re: Hello
CLB: COLOR CHANGED FROM WHITE
CLB: GRAPHIC REMOVED, BUT THE EVIL LINK HERE IS REAL
"Annie, Ill stay right here! The best of the Misery books, and maybe the best thing I ever wrote, mongrel dog or not.
"We have to talk,she said.""But she wouldnt want that, would she? "At the corners of her mouth dimples appeared briefly in the solidity of flesh and then disappeared. And aint half the bleedintown seen that old Papist monk that walks the battlements of Ridgeheath Manor? Paul made a mental bet with himself that Bossie would tear in half before Annie got her to the grave, but that one he lost.
"How many times did you go out?
Its the one that always tastes the best, believe me — even better than the one you have after a really fine meal. I think the chances are very good that somewhere up ahead in these untumed pages I am going to find a brief article about you.
End spam now.
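Walking the Received headers from the bottom up is how the bounce above traces back to the UK cable address and no further. The following Go program is an added example, not part of the original post: it embeds the sanitized bounce as a constructed sample (cut down to the tracing headers, with the folding a mail server writes restored), pulls out the earliest relay hop, flags that the HELO name "251C358" is not a fully qualified hostname and does not match the reverse DNS, and measures how far the sender-written Date header runs ahead of the first server's own timestamp (about sixteen hours in this bounce). The `Hop` field names and the two heuristics are this example's own, and both are triage signals rather than proof.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample: the sanitized bounce quoted above, cut down to the tracing
// headers, with server-style folding restored (continuation lines start with whitespace).
// Each relay prepends its own Received header, so the last one is the earliest hop.
const SampleBounce = `Return-Path: <>
Received: (qmail 18353 invoked from network);
	10 Jul 2006 14:36:11 -0000
Received: from 82-45-174-247.cable.ubr01.donc.blueyonder.co.uk
	(HELO 251C358) (82.45.174.247)
	by servidor2.suempresa.com with SMTP;
	10 Jul 2006 14:36:11 -0000
Date: Tue, 11 Jul 2006 08:41:17 +0200
`

// Hop: rDNS name and IP the relay saw, the client's HELO, the relay itself, its timestamp.
type Hop struct{ Host, Helo, IP, By, Stamp string }

var receivedRe = regexp.MustCompile(`from (\S+) \(HELO (\S+)\) \(([\d.]+)\)\s+by (\S+)`)

// unfold joins continuation lines onto their header; the blank line ends the header block.
func unfold(raw string) []string {
	var out []string
	for _, line := range strings.Split(raw, "\n") {
		if line == "" {
			break
		}
		if (line[0] == ' ' || line[0] == '\t') && len(out) > 0 {
			out[len(out)-1] += " " + strings.TrimSpace(line)
			continue
		}
		out = append(out, line)
	}
	return out
}

// ParseHops returns every Received header in message order (newest first).
func ParseHops(raw string) []Hop {
	var hops []Hop
	for _, h := range unfold(raw) {
		if !strings.HasPrefix(h, "Received:") {
			continue
		}
		body := strings.TrimSpace(h[len("Received:"):])
		var hop Hop
		if i := strings.LastIndex(body, ";"); i >= 0 {
			hop.Stamp, body = strings.TrimSpace(body[i+1:]), body[:i]
		}
		if m := receivedRe.FindStringSubmatch(body); m != nil {
			hop.Host, hop.Helo, hop.IP, hop.By = m[1], m[2], m[3], m[4]
		}
		hops = append(hops, hop)
	}
	return hops
}

// Origin is the earliest hop that names a connecting IP: as far back as the bounce can be traced.
func Origin(hops []Hop) (Hop, bool) {
	for i := len(hops) - 1; i >= 0; i-- {
		if hops[i].IP != "" {
			return hops[i], true
		}
	}
	return Hop{}, false
}

// HeloSuspicious flags a HELO that is not a fully qualified name or disagrees with rDNS (heuristic, not proof).
func HeloSuspicious(h Hop) bool {
	return !strings.Contains(h.Helo, ".") || !strings.EqualFold(h.Helo, h.Host)
}

// DateSkew measures how far the sender-written Date header runs ahead of the first relay's own clock.
func DateSkew(raw string) (time.Duration, error) {
	hops := ParseHops(raw)
	var dateHdr string
	for _, h := range unfold(raw) {
		if strings.HasPrefix(h, "Date:") {
			dateHdr = strings.TrimSpace(h[len("Date:"):])
		}
	}
	if len(hops) == 0 || dateHdr == "" {
		return 0, fmt.Errorf("missing Received or Date header")
	}
	received, err1 := time.Parse("02 Jan 2006 15:04:05 -0700", hops[len(hops)-1].Stamp)
	date, err2 := time.Parse(time.RFC1123Z, dateHdr)
	if err1 != nil || err2 != nil {
		return 0, fmt.Errorf("bad timestamp: %v %v", err1, err2)
	}
	return date.Sub(received), nil
}

func main() {
	o, _ := Origin(ParseHops(SampleBounce))
	skew, _ := DateSkew(SampleBounce)
	fmt.Printf("earliest relay %s (rDNS %s, HELO %q) -> %s\n", o.IP, o.Host, o.Helo, o.By)
	fmt.Printf("HELO suspicious: %v; Date header ahead of receipt by %v\n", HeloSuspicious(o), skew)
}
```

The qmail `Received:` line carries no connecting address, which is why `Origin` walks past it; on a real bounce the same walk stops at the first relay that did not record who connected, which is exactly where the author's trace ran out.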


3 Comments on "denial of service":
I've been the recipient of this sort of mailbombing on a weekly basis. It would seem that I used to host a large number of pages, which made me a juicy target for the random-email-address-pickers out there.
My latest fun usually comes in the form of a mail loop: someone forges a mail with my listserver address as the From: . 1200 bounces an hour come flying at the listserver which replies with "huh? what? I don't understand what you're asking for? don't you want to subscribe to torfun?" type replies, and it just keeps going until I blacklist the domains. So far, 12 have been hit in this way.
The long-term answer appears to be email signing, but not what you think: when you send out a legitimate email from whatever.com, its mail server adds a little signature header to the message. The DNS entry for whatever.com contains information that can be used to verify the mail is authentically from that domain.
It's SO SIMPLE. The idea is FIVE YEARS OLD. And it's still not implemented because bozos like Yahoo and Microsoft can't agree on it. It looks like Yahoo is going ahead with it anyway, though. Everyone I know who uses Yahoo mail gets a DomainKey-signature: header on their messages.
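The scheme the comment sketches, as an added example that is not part of the comment or the post and is not the DomainKeys or DKIM wire format: a Go program in which the sending server signs selected headers and the body with the domain's private key and emits a signature header, and the receiver fetches the matching public key by selector and domain from a DNS lookup (stood in for here by a map, a constructed value) and checks both the signature and that the signing domain is the From domain. The domain names, selector, header layout and message contents are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DNS stands in for the public-key lookup: the sending domain publishes its key
// under a selector and the receiver fetches it by selector and domain (constructed).
type DNS map[string]*rsa.PublicKey

var signedHeaders = []string{"From", "To", "Subject", "Date"}

// canonical serialises the covered headers and body so both ends hash the same bytes.
func canonical(headers map[string]string, body string, names []string) []byte {
	var b strings.Builder
	for _, n := range names {
		b.WriteString(strings.ToLower(n) + ":" + strings.TrimSpace(headers[n]) + "\n")
	}
	b.WriteString(strings.TrimRight(body, "\r\n") + "\n")
	return []byte(b.String())
}

// Sign is the outgoing server's step: sign the canonical form and emit the header the receiver checks.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers map[string]string, body string) (string, error) {
	digest := sha256.Sum256(canonical(headers, body, signedHeaders))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("d=%s; s=%s; h=%s; b=%s", domain, selector,
		strings.Join(signedHeaders, ":"), base64.StdEncoding.EncodeToString(sig)), nil
}

// Verify is the receiving side: fetch the key the signature names, check the signature,
// and insist the signing domain is the From domain, or a forger could sign another name with their own key.
func Verify(dns DNS, sigHeader string, headers map[string]string, body string) error {
	fields := map[string]string{}
	for _, kv := range strings.Split(sigHeader, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			fields[k] = v
		}
	}
	pub, ok := dns[fields["s"]+"._domainkey."+fields["d"]]
	if !ok {
		return errors.New("no verification key published for " + fields["d"])
	}
	// From is a bare address in this example; real code would parse the addr-spec first
	if !strings.HasSuffix(strings.ToLower(headers["From"]), "@"+strings.ToLower(fields["d"])) {
		return errors.New("signing domain does not match From domain")
	}
	sig, err := base64.StdEncoding.DecodeString(fields["b"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256(canonical(headers, body, strings.Split(fields["h"], ":")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo: a genuine signed mail, the same mail altered in transit, and a forgery signed with another domain's key.
func Demo() (bool, bool, bool, error) {
	ownerKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	forgerKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("key generation: %v %v", err1, err2)
	}
	dns := DNS{
		"mail._domainkey.whatever.com":   &ownerKey.PublicKey,
		"mail._domainkey.forger.invalid": &forgerKey.PublicKey,
	}
	msg := map[string]string{"From": "alice@whatever.com", "To": "bob@example.org",
		"Subject": "Re: Hello", "Date": "Mon, 10 Jul 2006 14:36:11 -0000"}
	body := "Meeting at noon.\n"
	sig, err := Sign(ownerKey, "whatever.com", "mail", msg, body)
	if err != nil {
		return false, false, false, err
	}
	genuine := Verify(dns, sig, msg, body) == nil
	tampered := Verify(dns, sig, msg, "Meeting cancelled.\n") != nil
	// the forger's key is published only for forger.invalid, yet the mail claims whatever.com
	forgedSig, err := Sign(forgerKey, "forger.invalid", "mail", msg, body)
	if err != nil {
		return false, false, false, err
	}
	forged := Verify(dns, forgedSig, msg, body) != nil
	return genuine, tampered, forged, nil
}

func main() {
	g, t, f, err := Demo()
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, forged rejected: %v, err: %v\n", g, t, f, err)
}
```

The third case is the one that matters for the bounce flood described in the post: a valid signature on its own proves only that someone with a published key signed the message, so the receiver has to tie the signing domain to the domain in From before the check says anything about forgery.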
The problem was that people started to patent many approaches, and the IETF only endorses at most royalty-free patents in any RFC.
SPF is pretty much dead, there is even a theoretical 100+ amplifier attack warning in draft.
Domain Keys I believe is in Last Call on two issues before becoming RFC. I am not sure if I am a big fan of it though.
1200 bounces/hour is not the worst I've seen, but it still renders your email unusable for days, which is quite annoying. When xtdnet was being massively attacked (see http://www.xtdnet.nl/paul/spam/ueff/) I changed some email addresses to return the error "550 mail paul2@xtdnet.nl instead" to try and limit the bounces for a few days. Then at least you don't receive and process the bounced emails.
Paul