<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1141" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>We had a very interesting situation arise yesterday
that I have never seen before. Call it a spoof, a spam attack of some kind,
MailScanner going out of control and looping. I don't know what it was exactly
but here is what happened.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>We are running MailScanner 4.13 + Exim.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Around 1pm I noticed hundreds of emails being pumped
out from our server. They were being delivered to a user named <A
href="mailto:pornomag6999@yaho.com"><FONT face="Times New Roman"
size=3>pornomag6999@yaho.com</FONT></A>. By this time over 600 msgs had left my
server. I spent the next 5 hrs trying to get this under control without too much
success. What I noticed was that if I shut down MailScanner and just let Exim do
the work, the messages stopped sending. Anyhow, I finally decided to just stop
MailScanner for the next 6 hrs to see if this was happening by just letting Exim
do the work. No more messages were sent out to this user, but by the time I got a
clue over 1,300 msgs had left my server.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>After doing some investigation I came to the
conclusion that one of our sites has an E-Greeting card site where a user can
send a greeting card to other users. Well, this is what we found out after
working with the site owner. Whoever entered the address <A
href="mailto:pornomag6999@yaho.com"><FONT face="Times New Roman"
size=3>pornomag6999@yaho.com</FONT></A> also used <A
href="mailto:pornomag6999@yaho.com"><FONT face="Times New Roman"
size=3>pornomag6999@yaho.com</FONT></A> as the recipient. Call this a
malicious user if you want, but it seems he knew exactly what to do to throw our
mailing system into a whirl. I left MailScanner offline till I re-enabled it
this morning.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Any chance that MailScanner is the culprit here? I
mean, by turning MailScanner off completely those messages stopped. I cleaned out
the retry DBs this morning and restarted MailScanner and it's working just fine
right now. I also banned this userid in the Exim.conf but wasn't sure how to ban
the user in MailScanner.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks</DIV>
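<DIV><FONT face=Arial size=2>Added example, not part of the message above: a small Python check over Exim-style mainlog lines that flags the two symptoms described, a burst of outbound deliveries to a single recipient and messages whose envelope sender is also their recipient. The log lines, message ids, hostnames, IPs and the threshold are constructed assumptions for the example.</FONT></DIV>

```python
import re
from collections import Counter

# Exim mainlog: "<date> <time> <msgid> <= sender ..." logs an arrival,
# "<date> <time> <msgid> => recipient ..." logs a completed delivery.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
                     r"(?P<id>\S{6}-\S{6}-\S{2}) (?P<dir><=|=>) (?P<addr>\S+)")

def parse(lines):
    """Yield (msgid, direction, address) for each arrival/delivery line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["id"], m["dir"], m["addr"].lower()

def outbound_floods(lines, threshold=100):
    """Recipients to whom this host delivered more than `threshold`
    messages in the log slice. Returns {recipient: count}."""
    counts = Counter(addr for _id, d, addr in parse(lines) if d == "=>")
    return {a: n for a, n in counts.items() if n > threshold}

def self_addressed(lines):
    """Message ids whose envelope sender is also a recipient: the pattern
    the greeting-card form produced, which keeps such a loop fed."""
    senders, hits = {}, []
    for mid, d, addr in parse(lines):
        if d == "<=":
            senders[mid] = addr
        elif senders.get(mid) == addr and mid not in hits:
            hits.append(mid)
    return hits

# Constructed sample log (not real data): one ordinary message, then a
# burst of card notifications sent to and from the same address.
SAMPLE_LOG = [
    "2004-05-12 13:00:01 1BNkVo-0001Ab-9Z <= alice@example.org H=[192.0.2.10] P=esmtp S=812",
    "2004-05-12 13:00:02 1BNkVo-0001Ab-9Z => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7]",
    "2004-05-12 13:00:02 1BNkVo-0001Ab-9Z Completed",
]
for n in range(8):
    mid = f"1BNkW{n}-0002Cd-{n:02d}"
    SAMPLE_LOG.append(f"2004-05-12 13:0{n}:10 {mid} <= pornomag6999@yaho.com H=localhost [127.0.0.1] P=local S=1500")
    SAMPLE_LOG.append(f"2004-05-12 13:0{n}:11 {mid} => pornomag6999@yaho.com R=dnslookup T=remote_smtp H=mx.yaho.com [203.0.113.5]")

if __name__ == "__main__":
    print("floods:", outbound_floods(SAMPLE_LOG, threshold=5))
    print("self-addressed ids:", self_addressed(SAMPLE_LOG))
```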
</FONT></BODY></HTML>