
| Subject: | [Full-disclosure] joe job mitigation |
|---|---|
| Date: | Tue, 29 Aug 2006 13:36:08 +0100 |
the surface: a POP3 "catch-all" mailbox

the problem: fallout from a (small) joe job attack - 6000 bounces in the mail queue, mixed with normal mail, from all over the internet

aggravating circumstances: a spam filter which takes 5-10 seconds to process each bounce

potential consequences: day-long denial of email service on all mail accounts due to POP3 client waiting on the spam filter on this one mailbox

the solution:

1. in my spam filter, whitelisted postmaster@ and mailer-daemon@ - this caused all the bounces to be processed immediately instead of being checked for spam - the spam filter was catching some bounces for me which was nice, but it was too slow. So I let them all through.

2. ran my inbox cleaner, it's already programmed to delete bounces:

   - mailx 0.07 Aug 29, 2006 00:25:26 [kill_bounces]: 5312 messages killed (5994 messages total) [hitrate: 88.62196%]

3. (optional - I tried it, can be fun) go drink beer with mates.

notes:

- while Non-Delivery Receipts (NDRs) pose a threat, in terms of denial of service after a joe job, their predictability makes them easy to filter. This substantially reduces the potential for a joe job to cause sustained damage.

- Challenge/Response systems are more problematic than NDRs. These systems have no standard format and thus are more difficult to filter. In particular, CR makers could mitigate the risk of their systems being used as a weapon by utilising the standard "mailer-daemon" string in their From: fields.

- most of the remaining 12% of mail seems to have vanished in the nightly cleanup event, presumably due to matches with other rules. Ah well. Will have to wait for the next one to collect some more NDR strings.

- I wonder if I can analyse the bounces, extract IPs and map the botnet? That might be fun too.
---
Stuart Udall
stuart at@cyberdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
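The post's mitigation rests on NDRs being predictable: they come from `postmaster@` or `mailer-daemon@`, and well-behaved MTAs additionally mark them as RFC 3464 delivery status reports. The following is an added example (not the poster's `mailx` inbox cleaner and not code from the list) that classifies raw messages on those signals so bounces can be dropped before they reach a slow spam-filter path. It also shows why the post calls challenge/response mail harder: the only generic signal it can use is the RFC 3834 `Auto-Submitted` header, which not every C/R system sets. All sample messages, addresses and the `classify`/`kill_bounces` names are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# The standard bounce senders the post whitelists in its spam filter.
BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.IGNORECASE)


def classify(raw: str) -> str:
    """Label one raw RFC 5322 message as 'bounce', 'auto-reply' or 'normal'."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    # Signal 1: the sender address itself is mailer-daemon@ / postmaster@.
    if BOUNCE_SENDER.match(sender):
        return "bounce"
    # Signal 2: an RFC 3464 delivery status report, whatever the sender name.
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type") or "").lower() == "delivery-status"):
        return "bounce"
    # Signal 3: RFC 3834 Auto-Submitted marks machine replies (vacation notices,
    # some challenge/response systems). C/R systems that omit it look like
    # ordinary mail here, which is the post's complaint about them.
    if str(msg.get("Auto-Submitted", "no")).lower().startswith("auto-"):
        return "auto-reply"
    return "normal"


def kill_bounces(raw_messages):
    """Drop bounces; return (kept, killed, hit_rate_percent) like the post's log line."""
    kept, killed = [], 0
    for raw in raw_messages:
        if classify(raw) == "bounce":
            killed += 1
        else:
            kept.append(raw)
    total = len(raw_messages)
    rate = round(100.0 * killed / total, 5) if total else 0.0
    return kept, killed, rate


# Constructed sample mailbox: three bounces, one challenge/response, one real mail.
SAMPLES = [
    """From: MAILER-DAEMON@mx.example.net
To: victim@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.example.net.
--b1
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1
--b1--
""",
    """From: postmaster@example.org
To: victim@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: text/plain

The following recipient could not be reached.
""",
    """From: "Mail Delivery Subsystem" <bounces@relay.example.org>
To: victim@example.com
Subject: Returned mail: User unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

User unknown.
--b2--
""",
    """From: "Challenge Bot" <challenge@cr.example.test>
To: victim@example.com
Subject: Please confirm your message
Auto-Submitted: auto-replied
Content-Type: text/plain

Click to prove you are human.
""",
    """From: alice@example.com
To: victim@example.com
Subject: Re: Undeliverable? no, just lunch
Content-Type: text/plain

Noon at the usual place?
""",
]

if __name__ == "__main__":
    kept, killed, rate = kill_bounces(SAMPLES)
    print(f"[kill_bounces]: {killed} messages killed ({len(SAMPLES)} messages total) [hitrate: {rate}%]")
```

Matching on the sender address and the `report-type` parameter rather than on the Subject line is deliberate: subjects vary by MTA and language, while the two structural signals are what make NDRs "predictable" in the sense the post uses. A mailbox fed from a real POP3 session would pass each retrieved message through `classify` before handing anything to the spam filter.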