DOS attacked :(
Stephen Swaney
steve.swaney at FSL.COM
Wed Mar 3 23:39:21 GMT 2004
I'm top posting so this won't get lost. This was written by one of our
clients to handle a really severe Joe-job. His name shall be revealed if he
lets me, but I don't know if he wants the credit for breaking RFC 1123
(this certainly does). This deletes any incoming email that has a return
address of "<>".
BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the
left-hand side from the right-hand side of the rules, and the comments. They
have been lost in the email transmission. You'll know if you've missed a tab
because sendmail will croak when you try to start it.
I can't verify that this works, but he insisted it saved his axx. He was so
upset by the attack he stayed up for 30 hours straight and learned to write
sendmail.cf files from scratch. No small feat.
Possibly some sendmail guru who's not battling the bagel will be kind enough
to put the hack into a sendmail.mc format.
------------------ snip -----------------------------
######################################################################
######################################################################
#####
##### REWRITING RULES
#####
######################################################################
######################################################################
# Added by XXX to handle joe job on 020404
# Subject header check: discard anything whose Subject starts with ${MPat}
HSubject: $>Check_Subject1
D{MPat}Returned
SCheck_Subject1
R${MPat} $*	$#discard $: discard
######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################
SLocal_check_mail
Scheck_mail
R$*	$: $1 $| $>"Local_check_mail" $1
R$* $| $#$*	$#$2
R$* $| $*	$@ $>"Basic_check_mail" $1
SBasic_check_mail
# check for deferred delivery mode
R$*	$: < $&{deliveryMode} > $1
R< d > $*	$@ deferred
R< $* > $*	$: $2
# authenticated?
R$*	$: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+	$#$2
R$* $| $*	$: $1
# modified by XXX to handle joe job on 020404. The stock rule is commented out
# below; the replacement discards the null sender and deliberately breaks RFC 1123
#R<>	$@ <OK>	we MUST accept <> (RFC 1123)
R<>	$#discard $: discard	joe-job hack: drops <> (violates RFC 1123)
R$+	$: <?> $1
R<?><$+>	$: <@> <$1>
R<?>$+	$: <@> <$1>
R$*	$: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- >	$: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* >	$: <?> < $3 >
R$* $| $*	$: $2
# handle case of @localhost on address
------------------ snip -----------------------------
Steve
Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney at FSL.com
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 6:08 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: DOS attacked :(
>
> What should I do to rectify or prevent this? Nothing, leave it to MS?
>
> Load average is stuck on 7 and almost nothing is working on this
> machine; even ssh commands have a 10sec delay.
>
> Will deleting the offending email be the entire solution?
>
>
> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
> Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from adl0133.systems.sa.gov.au[143.216.236.20]
> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=<lwelch at mteliza.com.au>, relay=none, delay=0, status=deferred (deferred transport)
> Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
> Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for clamav
> Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
> Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
> Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
> Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
> Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need updating
> Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
> Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
> Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: Host not found
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still being delivered
> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still being delivered
> Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
> Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 15 of 20
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>
--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.
Fortress Systems Ltd. - http://www.fsl.com
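Added example, not part of the original post and not code from MailScanner, sendmail or Postfix: a small Python triage script over syslog lines in the format Pete quoted (postfix/qmgr, postfix/smtpd, MailScanner), so you can see how much of the active queue is null-sender bounces and whether the scanner is already failing before deciding to break RFC 1123 the way the sendmail.cf hack above does. It also models the two rules from the hack (MAIL FROM:<> and Subject starting with ${MPat}) to make the cost visible: a genuine DSN has an empty return path too, so it is dropped as well. The sample log lines are constructed; host names, queue IDs and addresses are invented, and the 50% null-sender threshold is an assumption, not a figure from the thread.

```python
"""Triage a null-sender bounce flood (joe-job) from Postfix + MailScanner syslog.

Added example; not from the original mailing-list post.  SAMPLE_LOG is
constructed to match the quoted log format; names and IDs are made up.
"""
import re
from collections import Counter

# Constructed sample lines (format modelled on the logs quoted in the thread).
SAMPLE_LOG = """\
Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
Mar  4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from host-a.example.net[192.0.2.10]
Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=<user1@example.com>, relay=none, delay=0, status=deferred (deferred transport)
Mar  4 10:10:01 mail01 postfix/qmgr[14167]: 802E233CF1: from=<>, size=3501, nrcpt=1 (queue active)
Mar  4 10:10:02 mail01 postfix/qmgr[14167]: 81A6B33CF8: from=<>, size=3477, nrcpt=1 (queue active)
Mar  4 10:10:03 mail01 postfix/qmgr[14167]: A086133CDD: from=<>, size=3477, nrcpt=1 (queue active)
Mar  4 10:10:05 mail01 postfix/qmgr[14167]: 593BD33984: from=<alice@example.org>, size=2210, nrcpt=1 (queue active)
Mar  4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar  4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
Mar  4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
Mar  4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still being delivered
Mar  4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still being delivered
Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still being delivered
Mar  4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
"""

# Postfix queue IDs are upper-case hex; qmgr logs the envelope sender once per message.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, size=(\d+)")
QMGR_STUCK = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): skipped, still being delivered")
MS_DOS = re.compile(r"MailScanner\[\d+\]: Virus Scanning: Denial Of Service attack is in message ([0-9A-F]+)")
MS_SA = re.compile(r"MailScanner\[\d+\]: SpamAssassin timed out and was killed, consecutive failure (\d+) of (\d+)")


def triage(log_text):
    """Reduce a syslog excerpt to the figures that distinguish a null-sender
    bounce flood from ordinary load: sender mix, stuck queue IDs, which queue
    IDs MailScanner flagged as DoS, and how far SpamAssassin is into its
    consecutive-failure budget."""
    senders = Counter()
    null_ids, stuck_ids, dos_ids = set(), set(), set()
    sa_fail, sa_limit = 0, None
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            qid, sender = m.group(1), m.group(2) or "<>"   # empty return path -> "<>"
            senders[sender] += 1
            if sender == "<>":
                null_ids.add(qid)
            continue
        m = QMGR_STUCK.search(line)
        if m:
            stuck_ids.add(m.group(1))
            continue
        m = MS_DOS.search(line)
        if m:
            dos_ids.add(m.group(1))
            continue
        m = MS_SA.search(line)
        if m:
            sa_fail = max(sa_fail, int(m.group(1)))
            sa_limit = int(m.group(2))
    total = sum(senders.values())
    return {
        "senders": senders,
        "null_sender_ids": null_ids,
        "null_share": (len(null_ids) / total) if total else 0.0,
        "stuck_ids": stuck_ids,
        "dos_ids": dos_ids,
        "dos_from_null_sender": dos_ids & null_ids,
        "sa_fail_max": sa_fail,
        "sa_fail_limit": sa_limit,
    }


def is_bounce_flood(report, null_share_threshold=0.5):
    """Heuristic (threshold is an assumption): most active messages carry a null
    return path AND the scanner is already hurting (DoS detection fired or
    SpamAssassin is timing out)."""
    scanner_hurting = bool(report["dos_ids"]) or report["sa_fail_max"] > 0
    return report["null_share"] >= null_share_threshold and scanner_hurting


def would_discard(envelope_from, subject, subject_pattern="Returned"):
    """Model of the two sendmail.cf rules in the post: drop MAIL FROM:<> and drop
    any Subject starting with ${MPat} ("Returned").  A legitimate DSN also has an
    empty return path, so it is discarded too; that is the RFC 1123 breakage."""
    return envelope_from == "" or subject.startswith(subject_pattern)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"null-sender share {r['null_share']:.0%}, stuck {len(r['stuck_ids'])}, "
          f"DoS-flagged from <> {sorted(r['dos_from_null_sender'])}, "
          f"SpamAssassin failures {r['sa_fail_max']}/{r['sa_fail_limit']}")
    print("bounce flood:", is_bounce_flood(r))
    print("legitimate DSN discarded by the hack:",
          would_discard("", "Undelivered Mail Returned to Sender"))
```

Run it against a real excerpt with `triage(open("/var/log/maillog").read())`; the sender mix is the number to look at first, since a high null-sender share with DoS-flagged queue IDs from that same set is what justifies a temporary `<>` discard, and `would_discard` shows what that discard will also eat.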