On Thu, 10 Jul 2003 00:17:18 +0900, alan premselaar wrote
> Mike Vanecek,
>
> >I think I am under a DOS attack on port 25. I have received 2172 smtp packets
> >from the same location yesterday. Due to this activity I have set my firewall
> >to reject all incoming packets from Japan. I notified [EMAIL PROTECTED],
> >[EMAIL PROTECTED], and [EMAIL PROTECTED] of the problem.
>
> Firstly, I'm going to say that you obviously did some lookup on the
> IP address to determine it was in Japan. It would have been
> appropriate to do a reverse lookup of the IP address and a whois on
> the domain to get contact information to inform me of the problem.
> (certainly before informing nic.ad.jp)
Could not find any contact info on you. Here is a replication of where I looked:

[EMAIL PROTECTED] admin]$ host 61.121.253.8
8.253.121.61.in-addr.arpa is an alias for 8.valueclick.253.121.61.in-addr.arpa.
8.valueclick.253.121.61.in-addr.arpa domain name pointer uchuu.12inch.com.

[EMAIL PROTECTED] admin]$ host uchuu.12inch.com
uchuu.12inch.com has address 61.121.253.8

[EMAIL PROTECTED] admin]$ whois uchuu.12inch.com
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: uchuu.12inch.com
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [198.41.3.54:43] ...

No match for "UCHUU.12INCH.COM".

[EMAIL PROTECTED] admin]$ whois 61.121.253.8
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: 61.121.253.8
connected to whois.arin.net [192.149.252.43:43] ...
connected to WHOIS.APNIC.NET [202.12.29.13:43] ...
% [whois.apnic.net node-2]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      61.112.0.0 - 61.127.255.255
netname:      JPNIC-NET-JP
descr:        Japan Network Information Center
country:      JP
admin-c:      JNIC1-AP
....

[EMAIL PROTECTED] admin]$ dig 61.121.253.8

; <<>> DiG 9.2.1 <<>> 61.121.253.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34451
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;61.121.253.8.                  IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2003070901 1800 900 604800 86400

;; Query time: 333 msec
;; SERVER: 205.218.118.1#53(205.218.118.1)
;; WHEN: Wed Jul 9 21:14:44 2003
;; MSG SIZE  rcvd: 105

> Secondly, I'd like to apologize for the inconvenience. I'm not entirely
> sure what was causing it, but it looks like it was caused by connection
> timeouts to your system.
> I've never experienced these symptoms in
> the past, and haven't made any changes to my sendmail configuration
> in quite some time. I've included some output from misc. commands
> to show you what I've found. I can assure you that this was NOT a
> DOS attack, nor a malicious attack of any sort.

It looks like your server started sending me hits starting on Jul 7 19:39:51. I am not sure why you would be sending me mail; however, one would think that if your server got a time out, it would not keep sending out packets every 3-5 seconds. The last packet was at Jul 9 10:04:01.

> I've flushed the queue so the messages won't be retried any longer.
>
> I'd also like to apologize to everyone else on the list for having
> to send this here in order to correspond with Mike, however, it's
> quite obvious that I can't do it directly.

The reason I posted it on this list was that I was wondering if it was some form of DOS spam attack and that the people on this list would be the most likely to have a heads up on such a situation.

> Should anyone have any suggestions as to why this might have
> happened, I'd be very interested in making sure it doesn't happen again.

I do not use sendmail, so I cannot help you there.

> ----------------------------------------------------------------------------
> from ps -ef
>
> root     27878 27773  0 23:51 ?        00:00:00 sendmail: ./h680dbR5006146 mail.mm-vanecek.cc.: user open
>
> root     27880 27773  0 23:52 ?        00:00:00 sendmail: ./h69EjOR5026661 mail.mm-vanecek.cc.: user open
>
> from netstat -an
>
> tcp        0      1 61.121.253.8:53442      66.76.121.5:25          SYN_SENT
> tcp        0      1 61.121.253.8:53441      66.76.121.5:25          SYN_SENT

Obviously, those ports are shut down. I would think the normal process would be to try once every 4 hours or so for a few days and report back that the message could not be sent. It certainly got my attention. You are not the only one from Japan sending me a ton of packets.
This one started up today

Jul 9 09:00:34 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=61693 DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK SYN URGP=0

and finally got quiet

Jul 9 20:23:54 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=25008 DF PROTO=TCP SPT=25 DPT=58085 WINDOW=10136 RES=0x00 ACK SYN URGP=0

Since this is OT -- I'll refrain from further posts on the topic.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
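The thread turns on two things a firewall log alone does not make obvious: whether a burst of hits on port 25 is a remote MTA retrying a queued message or a real flood, and what a packet carrying "SPT=25 ... ACK SYN" actually is. The script below is an added example, written for this page and not taken from the thread or from either correspondent. It parses Linux netfilter/iptables LOG lines in the layout shown in the message (the "Asia2" word is whatever --log-prefix the rule used), labels each packet, and groups hits per source so that a steady stream of new SYNs to port 25 arriving every few seconds stands out: a legitimate SMTP client is expected to wait at least 30 minutes between retries (RFC 5321, section 4.5.4.1), so a mean spacing measured in seconds is never normal queue behaviour. A SYN/ACK whose source port is 25 is classified separately, because it is the second step of a TCP handshake that the logging host's own side started (or backscatter from a SYN flood that forged the logging host's address), not an inbound attack on port 25. Assumptions: syslog timestamps carry no year, so one is supplied; the thresholds (5 hits, 60 s mean gap) are arbitrary defaults; the sample log lines, their RFC 5737 documentation addresses and dummy MAC addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Syslog header of a Linux netfilter/iptables LOG line:
#   "Jul  9 09:00:34 www kernel: Asia2 IN=eth0 OUT= ... SYN URGP=0"
# ("Asia2" is whatever --log-prefix the firewall rule used.)
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$"
)


def parse_line(line, year=2003):
    """Parse one netfilter LOG line. Returns None for lines that are not
    firewall entries; otherwise a dict with the timestamp (syslog has no
    year, so one is supplied), the rule's log prefix, the KEY=VALUE fields
    and the bare flag words (SYN, ACK, DF, ...)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    # Everything before the first IN= token is the rule's log prefix.
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if start is None:
        return None
    fields, flags = {}, set()
    for tok in tokens[start:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)
    ts_text = " ".join(m.group("ts").split())  # collapse syslog's day padding
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prefix": " ".join(tokens[:start]), "fields": fields, "flags": flags}


def classify(rec):
    """Label a packet by what it means for a mail server at DST."""
    f, fl = rec["fields"], rec["flags"]
    if f.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in fl and "ACK" not in fl and f.get("DPT") == "25":
        # A fresh connection attempt to our SMTP port: what a retrying MTA
        # (or a genuine SYN flood) produces.
        return "inbound-smtp-syn"
    if "SYN" in fl and "ACK" in fl and f.get("SPT") == "25":
        # The remote port 25 answering a SYN: step two of a handshake that
        # *our* side started, or backscatter from a SYN flood that forged our
        # address as its source. Not an attack on our port 25.
        return "smtp-synack-reply"
    return "other-tcp"


def summarize(lines, year=2003, min_count=5, max_mean_gap=60.0):
    """Group hits by (source, class) and compute count, span and mean spacing.
    A stream is flagged suspicious when it is both numerous and spaced far
    tighter than any sane MTA retry schedule (RFC 5321 4.5.4.1: at least
    30 minutes between retries). Thresholds are arbitrary defaults."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec is not None:
            buckets[(rec["fields"].get("SRC"), classify(rec))].append(rec["ts"])
    report = []
    for (src, kind), stamps in sorted(buckets.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = mean(gaps) if gaps else None
        report.append({
            "src": src, "kind": kind, "count": len(stamps),
            "first": stamps[0], "last": stamps[-1], "mean_gap": mean_gap,
            "suspicious": len(stamps) >= min_count
                          and mean_gap is not None and mean_gap <= max_mean_gap,
        })
    return report


# Constructed sample (RFC 5737 documentation addresses, dummy MACs):
#   198.51.100.7 opens a new connection to port 25 every 4 seconds,
#   203.0.113.9's port 25 sends two SYN/ACKs eleven hours apart,
#   203.0.113.53 sends one UDP packet, plus one unrelated syslog line.
_MAC = "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00"
_TAIL = "LEN=60 TOS=0x00 PREC=0x00 TTL=48"
SAMPLE_LOG = "\n".join(
    [f"Jul  9 09:00:{34 + 4 * i:02d} www kernel: Asia2 IN=eth0 OUT= {_MAC} SRC=198.51.100.7 "
     f"DST=192.168.1.95 {_TAIL} ID={1001 + i} DF PROTO=TCP SPT={53441 + i} DPT=25 "
     f"WINDOW=5840 RES=0x00 SYN URGP=0" for i in range(6)]
    + [f"Jul  9 {t} www kernel: Asia2 IN=eth0 OUT= {_MAC} SRC=203.0.113.9 DST=192.168.1.95 "
       f"{_TAIL} ID={i} DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK SYN URGP=0"
       for i, t in ((61693, "09:00:34"), (25008, "20:23:54"))]
    + ["Jul  9 12:00:00 www kernel: Asia2 IN=eth0 OUT= " + _MAC + " SRC=203.0.113.53 "
       "DST=192.168.1.95 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=53 DPT=1025 LEN=20",
       "Jul  9 12:00:01 www sshd[123]: Accepted publickey for admin from 192.168.1.10"]
)

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG.splitlines()):
        print(f"{r['src']:<14} {r['kind']:<18} n={r['count']:<3} "
              f"{r['first']:%b %d %H:%M:%S} .. {r['last']:%H:%M:%S} "
              f"mean gap={r['mean_gap']} suspicious={r['suspicious']}")
```

Run against a real log with `summarize(open("/var/log/messages").readlines(), year=...)`; only the `inbound-smtp-syn` bucket says anything about pressure on the mail port, and even there the useful signal is the spacing, not the raw count. In the thread's case the 3-5 second cadence is what marks the traffic as a misbehaving client rather than a normal queue, while the "Asia2" lines with SPT=25 and ACK SYN are replies to connections originating on the logging host's side and say nothing about an attack on port 25.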