Message-ID: <44F442C8.9206.17551389@stuart.cyberdelix.net>
Date: Tue, 29 Aug 2006 13:36:08 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: joe job mitigation

the surface: a POP3 "catch-all" mailbox

the problem: fallout from a (small) joe job attack - 6000 bounces in 
the mail queue, mixed with normal mail, from all over the internet

aggravating circumstances: a spam filter which takes 5-10 seconds to 
process each bounce

potential consequences: day-long denial of email service on all mail 
accounts due to POP3 client waiting on the spam filter on this one 
mailbox

the solution: 

1. in my spam filter, whitelisted postmaster@ and mailer-daemon@ - 
this caused all the bounces to be processed immediately instead of 
being checked for spam - the spam filter was catching some bounces 
for me which was nice, but it was too slow.  So I let them all 
through.

2. ran my inbox cleaner, it's already programmed to delete bounces:

- mailx 0.07 Aug 29, 2006 00:25:26 [kill_bounces]: 5312 messages 
killed (5994 messages total) [hitrate: 88.62196%]

3. (optional - I tried it, can be fun) go drink beer with mates.

notes:

- while Non-Delivery Receipts (NDRs) pose a threat, in terms of 
denial of service after a joe job, their predictability makes them 
easy to filter.  This substantially reduces the potential for a joe 
job to cause sustained damage.

- Challenge/Response systems are more problematic than NDRs.  These 
systems have no standard format and thus are more difficult to 
filter.  In particular, CR makers could mitigate the risk of their 
systems being used as a weapon by utilising the standard "mailer-daemon" 
string in their From: fields.

- most of the remaining 12% of mail seems to have vanished in the 
nightly cleanup event, presumably due to matches with other rules.  
Ah well.  Will have to wait for the next one to collect some more NDR 
strings.

- I wonder if I can analyse the bounces, extract IPs and map the 
botnet?  That might be fun too.

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
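The predictability of NDRs that the post relies on (a mailer-daemon/postmaster sender, the RFC 3464 multipart/report type, a handful of stock subjects) can be turned into a header-only bounce classifier. This is an added example, not the author's mailx "kill_bounces" rule or any code from the post; the sample messages are constructed, and the last one is a challenge/response verifier that deliberately slips through, which is the gap the notes describe.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header patterns that make NDRs predictable: conventional bounce senders,
# the RFC 3464 report type, and a few stock MTA subject lines.
BOUNCE_SENDERS = re.compile(r"^(mailer-daemon|postmaster)@", re.I)
BOUNCE_SUBJECTS = re.compile(
    r"^(undeliver(ed|able)|returned mail|delivery (status )?"
    r"(notification|failure)|mail delivery failed|failure notice)", re.I)

SAMPLES = [  # constructed for this example; not from the original post
    "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net (Mail Delivery System)\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b\"\n"
    "\n--b\n--b--\n",
    "From: postmaster@example.com\nSubject: Delivery Status Notification (Failure)\n"
    "\nThe following recipient could not be reached.\n",
    "From: alice@example.org\nSubject: Re: lunch on Friday?\n\nStill on?\n",
    # A challenge/response verifier: no standard sender or format, so it
    # is not caught, exactly the weakness the post points out.
    "From: verify@cr.example.com\nSubject: Please confirm your message\n\nClick here\n",
]


def is_bounce(raw):
    """Classify one RFC 5322 message as an NDR using headers only."""
    msg = message_from_string(raw)
    # Bounces are sent with an empty envelope sender, recorded as Return-Path: <>
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    _, addr = parseaddr(msg.get("From", ""))
    if BOUNCE_SENDERS.match(addr):
        return True
    # RFC 3464 delivery status notifications carry a distinctive MIME type
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return True
    return bool(BOUNCE_SUBJECTS.match(msg.get("Subject", "")))


def kill_bounces(mailbox):
    """Return (killed, total, hitrate_percent) in the shape of the post's log line."""
    killed = sum(1 for raw in mailbox if is_bounce(raw))
    total = len(mailbox)
    return killed, total, (round(100.0 * killed / total, 5) if total else 0.0)


if __name__ == "__main__":
    killed, total, hitrate = kill_bounces(SAMPLES)
    print(f"[kill_bounces]: {killed} messages killed ({total} messages total) [hitrate: {hitrate}%]")
```

Whitelisting these same senders in a slow spam filter, as in step 1 of the post, is the complementary move: the classifier above decides what to delete, the whitelist keeps the filter from spending seconds on each of them first.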
