DOS Attack on Mail Server

Steve Evans sevans at FOUNDATION.SDSU.EDU
Fri Sep 20 05:30:55 IST 2002


We received about 15,000 messages in about 30 minutes today from a
single source.  It turned out to be a bug in a website that sent us message
after message after message.  I was able to quickly find the source IP
and block it at the firewall, but this could have been very bad.  It took
me about 20 minutes to realize mail wasn't flowing, and by the time I
logged into the Sendmail gateway and checked the number of files in
mqueue.in, it was somewhere in the 25,000 range.  If my cell phone
service was off (I got a page on my cell phone because of the large
queue) it wouldn't have stopped until the user's mailbox was full and
started bouncing messages.  (She was at about 10 MB of 250.  They were
5 KB messages I believe, so (check my math) it would have taken 50,000
messages to fill her up.)

Anyways, my point.  Could MailScanner somehow detect this and stop
sendmail from accepting the messages?  I'm not sure if it's practical.
Maybe if it breaks a certain number of messages in 10 minutes overall,
by from or to address, from IP, or similar messages.  Any thoughts?

Steve Evans
(619) 594-0653 
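
The threshold idea in the post (more than N messages in 10 minutes, counted per source IP, per sender and overall) can be sketched as a sliding-window counter over sendmail log lines. This is an added example, not part of the original post and not MailScanner code; the log layout, the threshold of 500 and all names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = 600      # seconds: the "10 minutes" suggested in the post
THRESHOLD = 500   # assumed per-key limit inside one window; tune per site

# sendmail "from=" entries: syslog timestamp, envelope sender, relay IP
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
                  r"from=<?([^>,]*)>?,.*relay=.*\[([\d.]+)\]")

def parse(line, year=2002):
    """Return (epoch_seconds, sender, relay_ip), or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group(2).lower(), m.group(3)

class RateDetector:
    """Sliding-window counters keyed by relay IP, sender, and overall."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)   # key -> timestamps inside window
        self.flagged = set()             # keys already reported

    def observe(self, ts, sender, ip):
        newly = []
        for key in (("ip", ip), ("from", sender), ("all", "*")):
            q = self.seen[key]
            q.append(ts)
            while q[0] <= ts - self.window:   # expire old entries
                q.popleft()
            if len(q) > self.threshold and key not in self.flagged:
                self.flagged.add(key)
                newly.append(key)
        return newly

def scan(lines, **kw):
    """Feed log lines through the detector; return [(epoch, key), ...]."""
    det, alerts = RateDetector(**kw), []
    for rec in filter(None, map(parse, lines)):
        alerts += [(rec[0], key) for key in det.observe(*rec)]
    return alerts

def constructed_sample(n=700, ip="192.0.2.10", sender="form@web.example"):
    """Constructed log: one message per second from a single relay."""
    t0 = datetime(2002, 9, 19, 17, 0, 0)
    return [f"{t0 + timedelta(seconds=i):%b %d %H:%M:%S} gw sendmail[4242]: "
            f"g8K{i:05d}: from=<{sender}>, size=5120, nrcpts=1, "
            f"relay=web.example [{ip}]" for i in range(n)]
```

Each key is reported once, at the message that pushes it over the limit, so the output can drive a page to the operator or a firewall block of the offending IP.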



