[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] joe job mitigation

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] joe job mitigation
From: "lsi" <stuart@xxxxxxxxxxxxxx>
Date: Tue, 29 Aug 2006 13:36:08 +0100

the surface: a POP3 "catch-all" mailbox

the problem: fallout from a (small) joe job attack - 6000 bounces in 
the mail queue, mixed with normal mail, from all over the internet

aggrevating circumstances: a spam filter which takes 5-10 seconds to 
process each bounce

potential consequences: day-long denial of email service on all mail 
accounts due to POP3 client waiting on the spam filter on this one 
mailbox

the solution: 

1. in my spam filter, whitelisted postmaster@ and mailer-daemon@ - 
this caused all the bounces to be processed immediately instead of 
being checked for spam - the spam filter was catching some bounces 
for me which was nice, but it was too slow.  So I let them all 
through.

2. ran my inbox cleaner, it's already programmed to delete bounces:

- mailx 0.07 Aug 29, 2006 00:25:26 [kill_bounces]: 5312 messages 
killed (5994 messages total) [hitrate: 88.62196%]

3. (optional - I tried it, can be fun) go drink beer with mates.

notes:

- while Non-Delivery Receipts (NDRs) pose a threat, in terms of 
denial of service after a joe job, their predictability makes them 
easy to filter.  This substantially reduces the potential for a joe 
job to cause sustained damage.

- Challenge/Response systems are more problematic than NDRs.  These 
systems have no standard format and thus are more difficult to 
filter.  In particular, CR makers could mitigate the risk of their 
systems being used as a weapon by utilising the standard "mailer-
daemon" string in their From: fields.

- most of the remaining 12% of mail seems to have vanished in the 
nightly cleanup event, presumably due to matches with other rules.  
Ah well.  Will have to wait for the next one to collect some more NDR 
strings.

- I wonder if I can analyse the bounces, extract IPs and map the 
botnet?  That might be fun too.

---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ISR] - IBM eGatherer ActiveX Code Execution PoC
Next by Date: [Full-disclosure] [ GLSA 200608-27 ] Motor: Execution of arbitrary code
Previous by thread: [Full-disclosure] [ISR] - IBM eGatherer ActiveX Code Execution PoC
Next by thread: [Full-disclosure] [ GLSA 200608-27 ] Motor: Execution of arbitrary code
Index(es):
- Date
- Thread