Message-ID: <44F442C8.9206.17551389@stuart.cyberdelix.net>
Date: Tue, 29 Aug 2006 13:36:08 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: joe job mitigation
the surface: a POP3 "catch-all" mailbox
the problem: fallout from a (small) joe job attack - 6000 bounces in
the mail queue, mixed with normal mail, from all over the internet
aggravating circumstances: a spam filter which takes 5-10 seconds to
process each bounce
potential consequences: day-long denial of email service on all mail
accounts due to POP3 client waiting on the spam filter on this one
mailbox
the solution:
1. in my spam filter, whitelisted postmaster@ and mailer-daemon@ -
this caused all the bounces to be processed immediately instead of
being checked for spam - the spam filter was catching some bounces
for me which was nice, but it was too slow. So I let them all
through.
2. ran my inbox cleaner, it's already programmed to delete bounces:
- mailx 0.07 Aug 29, 2006 00:25:26 [kill_bounces]: 5312 messages
killed (5994 messages total) [hitrate: 88.62196%]
3. (optional - I tried it, can be fun) go drink beer with mates.
notes:
- while Non-Delivery Receipts (NDRs) pose a threat, in terms of
denial of service after a joe job, their predictability makes them
easy to filter. This substantially reduces the potential for a joe
job to cause sustained damage.
- Challenge/Response systems are more problematic than NDRs. These
systems have no standard format and thus are more difficult to
filter. In particular, CR makers could mitigate the risk of their
systems being used as a weapon by utilising the standard "mailer-
daemon" string in their From: fields.
- most of the remaining 12% of mail seems to have vanished in the
nightly cleanup event, presumably due to matches with other rules.
Ah well. Will have to wait for the next one to collect some more NDR
strings.
- I wonder if I can analyse the bounces, extract IPs and map the
botnet? That might be fun too.
---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
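An added example, not the poster's mailx script, of the bounce-killing logic step 2 and the NDR note describe: it flags a message as a bounce if it is an RFC 3464 delivery-status report, carries the null reverse-path, or comes from the conventional mailer-daemon@/postmaster@ sender, then reports a hit rate in the same shape as the kill_bounces log line. The three sample messages are constructed for the demo.

```python
import email

# Constructed sample messages for this demo (not from the original post).
BOUNCE_RFC3464 = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.com
Action: failed
--B--
"""
BOUNCE_PLAIN = """\
Return-Path: <>
From: postmaster@relay.example.net

Your message did not reach the recipient.
"""
NORMAL = """\
From: Alice <alice@example.com>

Beer later?
"""
BOUNCE_SENDERS = ("mailer-daemon@", "postmaster@")


def is_bounce(msg):
    """NDR test: RFC 3464 delivery-status report, null reverse-path, or mailer-daemon/postmaster sender."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    sender = (msg.get("From") or "").lower()
    return any(tag in sender for tag in BOUNCE_SENDERS)


def kill_bounces(raw_messages):
    """Split raw RFC 822 texts into (kept messages, killed count, hit rate %)."""
    kept, killed = [], 0
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if is_bounce(msg):
            killed += 1
        else:
            kept.append(msg)
    total = len(raw_messages)
    return kept, killed, (100.0 * killed / total) if total else 0.0
```

The sender check deliberately matches the From: header rather than the envelope, since that is all a POP3 client sees once the MDA has dropped the message in the mailbox.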
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/