[wplug-plan] Followup on email outage yesterday (Feb 01, 2005)

Jonathan S Billings billings at negate.org
Wed Feb 2 13:01:21 EST 2005


Yesterday, around 9:30PM, Bethlynn mentioned to me on IRC that she was 
getting a lot of bounce notifications from our mail server for WPLUG, 
penguin.wplug.org.  I saw that I was receiving them as well, since 
bethlynn and I are the recipients of root at wplug.org and 
postmaster at wplug.org.

It looks like someone was doing an alphabetic address spamming attempt 
against the backup MX for gunix.net.  penguin.wplug.org provides the 
backup store-and-forward MX capability for gunix.net, a domain owned by 
one of the founders of WPLUG, Jeremy.  There were hundreds of emails 
arriving per minute, all destined to be relayed to his email server in 
Seattle.

I found that all the incoming connections for this spam were coming from 
a single IP, so I set iptables to just drop all packets from that host. 
That stopped the spam, but there was still a lot of email queued up. 
I went through and manually deleted all the mail that was to be relayed 
to falken.gunix.net, as well as deleting as much of the queued mail that 
was bounce notifications.  I still received about 150 bounce 
notifications in my inbox.

I've since removed the line in our sendmail configuration that relays 
mail destined for gunix.net.  This problem impacted the group's server 
and potentially could have caused mail to have been dropped.  We've been 
providing a backup MX service for gunix.net for quite a while, and I 
appreciate all the efforts that Jeremy has provided in the past, but I 
would prefer we not have penguin provide this service in the future.  I 
don't think that the store-and-forward mechanism of a backup MX is a 
good idea, and the aforementioned problem is a direct result of this 
configuration.  I believe that Bill Moran had a couple slides about this 
in his Spam talk.  :)

Jeremy has asked that I restore the configuration to penguin.wplug.org. 
I'll leave it up to the leadership of WPLUG to decide as to what 
should be done.
-- 
Jonathan S. Billings <billings at negate.org>
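
The pattern described in the post, a single client walking through recipient addresses at a store-and-forward backup MX and leaving a pile of bounces behind, is visible in the mail log well before anyone notices bounce notifications in an inbox. The script below is an added example, not code from the original post or from penguin.wplug.org's configuration: it joins sendmail-style from=/to= records on their queue id, groups relayed recipients by client IP and destination domain, and flags any client that hit many distinct local-parts in a short window, reporting how many of those local-parts look like an a..z enumeration. The log lines are constructed to resemble sendmail's format, the abusive client uses the RFC 5737 documentation address 192.0.2.10, and the thresholds are assumptions tuned for the small sample; the domain names gunix.net and falken.gunix.net are the ones named in the post.

```python
"""Spot recipient enumeration against a backup MX in sendmail-style logs.

Added example; not from the original post.  The log sample below is
constructed: sendmail writes one from= record when a message is accepted
and one to= record per recipient, both tagged with the same queue id.
The client 192.0.2.10 is an RFC 5737 documentation address.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Feb  1 21:30:01 penguin sendmail[4101]: j121U1a0004101: from=<x@example.net>, size=812, nrcpts=1, relay=[192.0.2.10]
Feb  1 21:30:01 penguin sendmail[4102]: j121U1a0004101: to=<aaaa@gunix.net>, mailer=esmtp, relay=falken.gunix.net., stat=Deferred
Feb  1 21:30:02 penguin sendmail[4103]: j121U2a0004103: from=<x@example.net>, size=812, nrcpts=1, relay=[192.0.2.10]
Feb  1 21:30:02 penguin sendmail[4104]: j121U2a0004103: to=<aaab@gunix.net>, mailer=esmtp, relay=falken.gunix.net., stat=Deferred
Feb  1 21:30:02 penguin sendmail[4105]: j121U2b0004105: from=<x@example.net>, size=812, nrcpts=1, relay=[192.0.2.10]
Feb  1 21:30:02 penguin sendmail[4106]: j121U2b0004105: to=<aaac@gunix.net>, mailer=esmtp, relay=falken.gunix.net., stat=Deferred
Feb  1 21:30:03 penguin sendmail[4107]: j121U3a0004107: from=<x@example.net>, size=812, nrcpts=1, relay=[192.0.2.10]
Feb  1 21:30:03 penguin sendmail[4108]: j121U3a0004107: to=<aaad@gunix.net>, mailer=esmtp, relay=falken.gunix.net., stat=Deferred
Feb  1 21:30:40 penguin sendmail[4120]: j121UeA0004120: from=<member@example.org>, size=2210, nrcpts=1, relay=mail.example.org [198.51.100.7]
Feb  1 21:30:40 penguin sendmail[4121]: j121UeA0004120: to=<wplug-plan@wplug.org>, mailer=local, stat=Sent
"""

# syslog timestamp, host, "sendmail[pid]:", queue id, then the record body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$")
# relay=[ip] or relay=hostname [ip] on the from= record is the SMTP client
CLIENT_RE = re.compile(r"relay=(?:\S+ )?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
RCPT_RE = re.compile(r"<([^>]+)>")


def parse_envelopes(log_text):
    """Join from=/to= records on queue id -> {qid: {time, client, rcpts}}."""
    envelopes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        env = envelopes.setdefault(
            m["qid"], {"time": ts, "client": None, "rcpts": []})
        rest = m["rest"]
        if rest.startswith("from="):
            c = CLIENT_RE.search(rest)
            env["client"] = c.group(1) if c else None
        elif rest.startswith("to="):
            # to=<a@x>,<b@x>, mailer=...  -> only the address list before ", "
            env["rcpts"].extend(RCPT_RE.findall(rest.split(", ")[0]))
    return envelopes


def sequential_pairs(localparts):
    """Count adjacent sorted local-parts that differ only in their last
    character, the signature of an alphabetic enumeration (aaaa, aaab, ...)."""
    s = sorted(set(localparts))
    return sum(1 for a, b in zip(s, s[1:])
               if len(a) == len(b) and a[:-1] == b[:-1])


def peak_in_window(times, window_seconds):
    """Largest number of recipients seen in any window_seconds span."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_enumeration(envelopes, min_distinct=3, window_seconds=60):
    """Flag (client IP, recipient domain) pairs where one client addressed at
    least min_distinct different local-parts and sent at least that many
    recipients inside window_seconds.  Thresholds are assumptions."""
    groups = defaultdict(lambda: {"localparts": [], "times": []})
    for env in envelopes.values():
        if env["client"] is None:
            continue
        for rcpt in env["rcpts"]:
            local, _, domain = rcpt.rpartition("@")
            g = groups[(env["client"], domain.lower())]
            g["localparts"].append(local.lower())
            g["times"].append(env["time"])
    findings = []
    for (client, domain), g in groups.items():
        distinct = set(g["localparts"])
        peak = peak_in_window(g["times"], window_seconds)
        if len(distinct) >= min_distinct and peak >= min_distinct:
            findings.append({
                "client": client, "domain": domain,
                "messages": len(g["times"]),
                "distinct_recipients": len(distinct),
                "peak_in_window": peak,
                "sequential_pairs": sequential_pairs(distinct),
            })
    return findings


if __name__ == "__main__":
    for f in find_enumeration(parse_envelopes(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['distinct_recipients']} "
              f"distinct recipients in {f['messages']} messages, "
              f"{f['sequential_pairs']} sequential local-parts")
```

Run against a real maillog the thresholds need raising (the post describes hundreds of messages a minute), and the output is only a starting point for the response the post describes: blocking the offending client and clearing the queue. The underlying exposure stays as long as the backup MX accepts mail for addresses it cannot validate, because every unknown recipient it accepts and later fails to deliver becomes a bounce to a forged sender.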