The Community Forums

Interact with an entire community of cPanel & WHM users!

Help prevent mailbomb DOS style attack

Discussion in 'E-mail Discussions' started by fishfreek, Dec 26, 2006.

  1. fishfreek

    fishfreek Well-Known Member

    I am having issues with what I call a mailbomb. My server will just suddenly start getting hundreds of messages a minute to the point that all the system can do is try to process the mail influx. I have the domain set to fail messages bound for an address that does not exist. What I end up with is hundreds of processes running at once and the majority are exim processes and mailnull processes. Below are two examples in the mail queue. I have not been able to establish how to stop this from happening. It will come in every few weeks for 15-20 min and then stop.

    It looks to me like these are messages that are being sent out with a fake address at one of the domains on my server as the from, but I do not believe the messages are actually originating on my system. They seem to always have the same from address, but I suspect if I put a rule in exim to do some kind of processing of that from address it will change. At the same time the influx is so fast and so much that the system can't process the messages quickly enough without causing the system to overload.


     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    What you are experiencing is a crafty way of knocking out any email server using a few carefully constructed emails. It is called Backscatter. Backscatter is a message you receive informing you that email you did not send was not delivered to someone you do not know. This type of message is called a Delivery Status Notification or DSN. In most cases DSNs are welcome because the sender usually wants to know when a message cannot be delivered to the recipient or that delivery of the message has been delayed for some reason. For more information about Backscatter, go to: http://spamlinks.net/prevent-secure-backscatter.htm
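
An added example, not part of the original thread or written by either poster: one way to confirm from the Exim main log that a burst like the one described is backscatter, by counting null-sender (`<>`) arrivals and SMTP-time rejections per minute and tallying which forged local address the bounces are aimed at. The log lines, hosts, addresses and the threshold are constructed for illustration, and the line shapes are assumed to follow Exim's usual mainlog format.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog style (hosts, IDs and addresses are made up).
SAMPLE_LOG = """\
2006-12-26 14:02:03 H=mx1.example.net [192.0.2.15] F=<> rejected RCPT <sales77@example.com>: No Such User Here
2006-12-26 14:02:09 1GzD2x-0003Qa-7h <= <> H=mx2.example.org [198.51.100.7] P=esmtp S=4821
2006-12-26 14:02:31 H=mx3.example.net [192.0.2.44] F=<> rejected RCPT <sales77@example.com>: No Such User Here
2006-12-26 14:02:58 1GzD3k-0003Rc-1p <= alice@example.org H=mail.example.org [198.51.100.20] P=esmtp S=2210
2006-12-26 14:03:05 H=mx1.example.net [192.0.2.15] F=<> rejected RCPT <sales77@example.com>: No Such User Here
2006-12-26 14:03:40 1GzD4b-0003Sd-9q => bob <bob@example.com> R=localuser T=local_delivery
"""

# Accepted message whose envelope sender is empty, i.e. a bounce/DSN: "<= <>".
ARRIVAL = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d \S+ <= <>(?:\s|$)")
# Bounce refused at RCPT time because the local address does not exist.
REJECT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d .*\bF=<> rejected RCPT <([^>]*)>")

def summarize(log_text):
    """Return (null-sender events per minute, rejected bounce recipients)."""
    per_minute = Counter()
    targets = Counter()
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            per_minute[m.group(1)] += 1
            targets[m.group(2).lower()] += 1
            continue
        m = ARRIVAL.match(line)
        if m:
            per_minute[m.group(1)] += 1
    return per_minute, targets

def flooded_minutes(per_minute, threshold):
    """Minutes whose null-sender event count reaches the (hypothetical) threshold."""
    return sorted(minute for minute, n in per_minute.items() if n >= threshold)

if __name__ == "__main__":
    per_minute, targets = summarize(SAMPLE_LOG)
    print("flooded minutes:", flooded_minutes(per_minute, threshold=3))
    print("most targeted addresses:", targets.most_common(5))
```

A high per-minute count concentrated on one nonexistent local address, arriving from many unrelated hosts with an empty sender, matches the forged-sender pattern described in the thread.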
     
  3. fishfreek

    fishfreek Well-Known Member

    #3 fishfreek, Dec 26, 2006
    Last edited: Dec 26, 2006