[BlueOnyx:01710] Re: Subject: Re: Sendmail attack, again
Ralf Quint
Smoothwall at gmx.net
Wed Jul 15 15:16:57 -05 2009
At 01:07 PM 7/15/2009, Steve Davis wrote:
>Thanks for all the input.
>
>I have still not resolved this.?? 3.2 million in the mailq.
>
>It appears that this attack is intended on crashing the
>server/sendmail? VAR at 100% is generally not good.
>
>Almost no email is going out.?? And SMPT AUTH is not on. I had POP
>before SMTP, however I turned this off, and have instructed my users
>(on this box) not to send mail out from here but use their local
>ISP, which blocks most port 25's any way.
>
>Still the problem persists, and from so many IP's now.
>
>I have never been able to tell who's account is being used. Its like
>there is a back door, but, rkhunter says no.
>
>Trying to inplment a SMTP incoming from my Barracuda only, that
>should help, but the process is going slowly.
Have you tried to track down the source IP of those emails?
As I mentioned a couple of weeks ago, I have seen similar attacks at
some of our clients in the last few month and blocking certain IP
ranges from contacting the email server in the first place (using the
firewall in front of it) has eliminated the problem in very short
period of time...
Ralf
More information about the Blueonyx
mailing list