Mailing List SIMS@stalker.com Message #12777
From: Bill Cole <listbill@scconsult.com>
Subject: Re: 2 problems
Date: Sun, 13 Apr 2003 11:40:04 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 5:19 PM +0200 4/13/03, sascha imposed structure on a stream of electrons, yielding:
Hi there.

Hope one of you can help.

Our mailserver receives an immense amount of harvest-attack spam mails.
That's terrible, but until I changed our server to another, faster computer two
days ago, that brave little SIMS was able to handle a couple of 100,000 of
these on a bad day. Strangely though, since then, instead of running more
smoothly, I am getting lines like these once a day and the server refuses
to handle any more mail, regardless of whether incoming or outgoing.


00:06:35 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4540], seq=8316. 12/13
00:06:35 1 SMTP too many (250) lines already opened
00:06:35 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4541], seq=8317. 13/14
00:06:35 1 SMTP too many (250) lines already opened
00:06:35 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4542], seq=8318. 14/15
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4543], seq=8319. 15/0
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [218.2.140.236:2655], seq=8320. 0/1
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [218.2.140.236:2656], seq=8321. 1/2
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4545], seq=8322. 2/3
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4546], seq=8323. 3/4
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4547], seq=8324. 4/5
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4548], seq=8325. 5/6
00:06:37 1 SMTP too many (250) lines already opened
00:06:37 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4549], seq=8326. 6/7

I am pretty sure some of you have seen that before,
but what can I do against it?

Not much in SIMS, although if you have not already done so, upgrading to 1.8b9d14 may bring slight improvements, as it is smarter about how it handles TempBanning for dictionary attackers.

At some point you have to respond to these sorts of vandals at a deeper level. If you see a lot of connections from a particular address or cluster of addresses, use your router (not the SIMS Router, but whatever IP router you use) and do whatever you must to filter those addresses out.


And on another note, has anyone else experienced this strange kind of
attack concerto via multiple IPs, all within the range 65.54.198.* - 65.54.171.* (Microsoft
Hotmail, I suppose)? Does anyone know whether these are real mailservers/
open relays, or how this is actually done (I have had the whole network on my blacklist
since yesterday), and whether there is a better way to block this than just putting
the complete IP ranges in the blacklist?


If it is a real problem, blocking at the IP level is your only other option.

I don't know how much of that range are real Hotmail servers, but I do know that they have a very large number of machines acting as outbound servers in that general area (actually much of the 64.54.128.0/17 network seems well-populated ...) and they
--
Bill Cole                                  bill@scconsult.com
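The advice above is to look for addresses (or clusters of addresses) that account for a large share of the rejected connections and filter them at the IP router. The following script is an added example, not code from SIMS or from either poster: it parses "Rejecting Connection" lines in the log format shown in the message, counts rejections per source address and per aggregated network, and lists the sources that exceed a threshold as candidates for a router-level filter. The sample log lines are constructed in the same format as the post's excerpt (the 65.54.x.x addresses are illustrative, chosen only because that range is mentioned in the thread), and the thresholds `min_hits` and `prefixlen` are assumptions to be tuned for a real server.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample, modelled on the SIMS log excerpt in the post.
# The "too many (250) lines already opened" line follows each rejection
# and carries no source address, so the parser skips it.
SAMPLE_LOG = """\
00:06:35 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4540], seq=8316. 12/13
00:06:35 1 SMTP too many (250) lines already opened
00:06:35 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4541], seq=8317. 13/14
00:06:35 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [218.2.140.236:2655], seq=8320. 0/1
00:06:36 1 SMTP too many (250) lines already opened
00:06:36 1 SMTP(tcp) Rejecting Connection from [80.6.165.162:4545], seq=8322. 2/3
00:06:36 1 SMTP too many (250) lines already opened
00:06:37 1 SMTP(tcp) Rejecting Connection from [65.54.198.17:1201], seq=8330. 3/4
00:06:37 1 SMTP(tcp) Rejecting Connection from [65.54.171.44:1202], seq=8331. 4/5
"""

# Matches the rejection line: time, a numeric field, the transport,
# the [ip:port] of the peer and the sequence number. The trailing
# "n/m" counters are left untouched because their meaning is not
# documented in the post.
REJECT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ SMTP\(tcp\) Rejecting Connection from "
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\], seq=(?P<seq>\d+)\."
)


def parse_rejections(log_text):
    """Yield (time, ip, port, seq) for every 'Rejecting Connection' line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield (m.group("time"), m.group("ip"),
                   int(m.group("port")), int(m.group("seq")))


def count_by_source(log_text):
    """Number of rejected connections per source IP address."""
    return Counter(ip for _, ip, _, _ in parse_rejections(log_text))


def count_by_prefix(log_text, prefixlen=24):
    """Rejections aggregated per /prefixlen network.

    A single host hammering the server shows up in count_by_source; a
    cluster of hosts from one provider (the 65.54.*.* case in the thread)
    only becomes visible once addresses are grouped by network.
    """
    counts = Counter()
    for _, ip, _, _ in parse_rejections(log_text):
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def block_candidates(log_text, min_hits=3):
    """Source IPs rejected at least min_hits times, most active first.

    min_hits is an assumed threshold; on a server seeing hundreds of
    thousands of attempts a day it would be set far higher.
    """
    counts = count_by_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    print("rejections per source:")
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"  {ip:<16} {n}")
    print("rejections per /16:")
    for net, n in count_by_prefix(SAMPLE_LOG, 16).most_common():
        print(f"  {net:<16} {n}")
    print("router-filter candidates:", block_candidates(SAMPLE_LOG))
```

Run it over the real SIMS log instead of `SAMPLE_LOG` and feed the candidate list into whatever filter syntax the IP router in front of the server uses; the script deliberately stops at producing the list, because the router and its configuration language are not named in the thread.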
