Exim, 1,300 message loop out of control.

Michael Szabados admin at thenamegame.com
Tue Apr 15 23:10:38 IST 2003

We had a very interesting situation arise yesterday that I have never seen before. Call it a spoof, a spam attack of some kind, MailScanner going out of control and looping. I don't know what it was exactly, but here is what happened.

We are running MailScanner 4.13+ Exim.

Around 1pm I noticed 100's of emails being pumped out from our server. They were being delivered to a user named pornomag6999 at yaho.com. By this time over 600 msgs had left my server. I spent the next 5 hrs trying to get this under control without too much success. What I noticed was that if I shut down MailScanner and just let Exim do the work, the messages stopped sending. Anyhow, I finally decided to just stop MailScanner for the next 6 hrs to see if this was happening by just letting Exim do the work. No more messages were sent out to this user, but by the time I got a clue over 1,300 msgs had left my server.

After doing some investigation I came to the conclusion that one of our sites has an E-Greeting card site where a user can send a greeting card to other users. Well, this is what we found out after working with the site owner. Whoever entered the address pornomag6999 at yaho.com also used pornomag6999 at yaho.com as the recipient. Call this a malicious user if you want, but it seems he knew exactly what to do to throw our mailing system into a whirl. I left MailScanner offline till I re-enabled it this morning.

Any chance that MailScanner is the culprit here? I mean, by turning MailScanner off completely those messages stopped. I cleaned out the retry db's this morning and restarted MailScanner and it's working just fine right now. I also banned this userid in the Exim.conf but wasn't sure how to ban the user in MailScanner.


