From: "Jack L. Stone"
Date: Fri, 07 Jun 2002 09:27:22 -0500
To: freebsd-questions@freebsd.org
Subject: List email bomb

Yesterday morning, one of our lists was subjected to a sort of "flood attack" or mail bomb which was apparently using the majordomo "help" command, most likely run by a batch program by the attacker. The log file was filled with hundreds of the following "help" commands from a single source. The help command in turn was creating a flood of jobs in the sendmail queue. I would kill the job and another would appear (before I figured out what was happening).

Jun 06 12:31:31 ten-ten.org majordomo[34487] {"MUHARREM TOY" } help
Jun 06 12:31:39 ten-ten.org majordomo[34498] {"MUHARREM TOY" } help
Jun 06 12:31:47 ten-ten.org majordomo[34509] {"MUHARREM TOY" } help
Jun 06 12:31:55 ten-ten.org majordomo[34521] {"MUHARREM TOY" } help
Jun 06 12:32:05 ten-ten.org majordomo[34536] {"MUHARREM TOY" } help

I was able to stop it by stopping the sendmail daemon, deleting the jobs from the mqueue, and placing a block of the bomber's IP (193.140.20.20) in the firewall to break the loop. Then restarted the sendmail daemon. I waited for a while and then opened up the FW again... it started the attack again. I placed the FW block back and left it overnight. Today, so far no attacks after removing the block.

Has anyone else experienced this...??? ...and, if so, what did you do...??

Best regards,

Jack L. Stone, Administrator
SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
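Detection logic for the pattern described in this post, added here as an example and not part of the original message or of majordomo itself: it parses log lines in the format quoted above and raises an alert when one sender issues a burst of "help" commands inside a short window, which is the point at which an admin would apply a firewall block like the one described. The sample log, the placeholder sender address inside the braces and the year 2002 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the majordomo log format quoted in the post; the
# bracketed address is a placeholder (the archive stripped the real one).
SAMPLE_LOG = """\
Jun 06 12:31:31 ten-ten.org majordomo[34487] {"MUHARREM TOY" <bomber@example.invalid>} help
Jun 06 12:31:39 ten-ten.org majordomo[34498] {"MUHARREM TOY" <bomber@example.invalid>} help
Jun 06 12:31:47 ten-ten.org majordomo[34509] {"MUHARREM TOY" <bomber@example.invalid>} help
Jun 06 12:31:55 ten-ten.org majordomo[34521] {"MUHARREM TOY" <bomber@example.invalid>} help
Jun 06 12:32:05 ten-ten.org majordomo[34536] {"MUHARREM TOY" <bomber@example.invalid>} help
Jun 06 12:40:10 ten-ten.org majordomo[34601] {"Legit User" <user@example.invalid>} subscribe
"""

LINE_RE = re.compile(
    r'^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) majordomo\[(?P<pid>\d+)\] \{(?P<sender>[^}]*)\} (?P<cmd>\S+)'
)
YEAR = 2002  # syslog lines carry no year; assumed from the post's date

def parse_line(line):
    """Return (timestamp, sender, command) or None for non-majordomo lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{YEAR} {m['mon']} {m['day']} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m['sender'].strip(), m['cmd']

def find_floods(log_text, window_seconds=60, threshold=5, commands=("help",)):
    """Sliding-window rate check: an alert (sender, cmd, timestamp) for every
    line at which a sender has `threshold` or more watched commands in the window."""
    recent = defaultdict(deque)  # (sender, cmd) -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in commands:
            continue
        ts, sender, cmd = parsed
        q = recent[(sender, cmd)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop entries outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((sender, cmd, ts))
    return alerts
```

Tune `window_seconds` and `threshold` to the list's normal command rate; the quoted burst (five "help" commands in 34 seconds) trips the defaults on the fifth line.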