LinuxQuestions.org > Linux - Security
Old 01-18-2007, 04:01 AM   #1
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Duration of backscatter


I'm currently the victim of a truckload of backscatter email bounces thanks to some $%%^ spammer(s) forging my domain and crappily configured mail servers around the planet.

Does anyone have any view on how long these tend to last for? I assume that the spammers move on to a new set of domain names pretty quickly and the crap will drop off. Does this sound correct?
 
Old 01-18-2007, 07:46 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
I wouldn't bet on it. Once spammers got ahold of my company domain name, the crap was flowing for months until I set the server to drop everything that wasn't from a legitimate email account. As far as I know, they are still using our domain name, but at least I don't have to deal with their garbage.
 
Old 01-18-2007, 02:24 PM   #3
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Original Poster
I always drop mail to non-existent users. I'd just prefer to be able to see something useful in my logs and not chew up bandwidth on crap connections.

Will revert as to timing

Nice looking site

Rgds
 
Old 01-19-2007, 04:13 AM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Original Poster
Volume seems to have dropped off significantly today.

I'll post daily volumes once things peter out
 
Old 01-19-2007, 08:36 PM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Original Poster
For information - progression of backscatter/Joe Job attack

Having posted this

http://www.linuxquestions.org/questi...d.php?t=520417

the other day, I thought it may be interesting for readers if I posted some data relating to the progression of the backscatter I received.

Taking "rejected as undeliverable" totals from my daily logwatch cron job, here is what I saw day by day.

Date    Rejected as undeliverable
15 Jan      308
16 Jan    1,695
17 Jan    3,056
18 Jan    5,846
19 Jan    4,408
20 Jan      596

I guess I just sit and wait for the next one now!

Last edited by billymayday; 01-19-2007 at 09:04 PM.
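The day-by-day totals above were taken from logwatch. As an added example (not from the thread and not billymayday's own script), the Python below derives the same kind of count directly from Postfix smtpd reject lines, separating bounce-like senders (null envelope sender `<>`, or a MAILER-DAEMON/postmaster local part) from ordinary rejects, and lists which client hosts are sending the bounces, which is the list of misconfigured relays doing the bouncing. The log lines, hostnames, IPs and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (hosts, IPs and addresses are made up).
SAMPLE_LOG = """\
Jan 15 08:01:12 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qzv8@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<qzv8@example.org> proto=ESMTP helo=<mail.example.net>
Jan 15 08:02:40 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <k3ll1@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<k3ll1@example.org> proto=ESMTP helo=<smtp.example.com>
Jan 15 09:15:03 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<sales@example.net> to=<nobody@example.org> proto=ESMTP helo=<example.net>
Jan 15 10:00:00 mx postfix/smtpd[2250]: connect from relay.example.com[203.0.113.9]
Jan 16 00:10:11 mx postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <a91x@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<a91x@example.org> proto=ESMTP helo=<mx.example.net>
Jan 16 00:12:11 mx postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <b22y@example.org>: Recipient address rejected: User unknown in local recipient table; from=<MAILER-DAEMON@mx.example.net> to=<b22y@example.org> proto=ESMTP helo=<mx.example.net>
Jan 16 01:00:00 mx postfix/smtpd[3002]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <c33z@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<c33z@example.org> proto=ESMTP helo=<mx.example.net>
"""

# One Postfix smtpd "reject" line: syslog timestamp, client, 5xx code, then envelope from/to.
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): 5\d\d .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)


def is_bounce_sender(sender):
    """A null envelope sender (<>) is a delivery status notification; MAILER-DAEMON and
    postmaster local parts are treated the same way because some MTAs bounce from them."""
    local = sender.split("@", 1)[0].lower()
    return sender == "" or local in ("mailer-daemon", "postmaster")


def _rejects(log_text):
    """Yield a regex match for every smtpd reject line, skipping everything else."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield m


def count_rejected_bounces(log_text):
    """Per-day counts keyed like the table above ("15 Jan"), split into bounce-like
    senders and all other rejected senders."""
    per_day = {}
    for m in _rejects(log_text):
        key = f"{int(m['day'])} {m['mon']}"
        bucket = per_day.setdefault(key, {"bounce": 0, "other": 0})
        bucket["bounce" if is_bounce_sender(m["sender"]) else "other"] += 1
    return per_day


def bouncing_hosts(log_text):
    """Which client hosts are delivering the bounces, i.e. the relays that accepted
    the forged mail and then tried to return it to us."""
    return Counter(m["client"] for m in _rejects(log_text) if is_bounce_sender(m["sender"]))


if __name__ == "__main__":
    for day, counts in count_rejected_bounces(SAMPLE_LOG).items():
        print(f"{day}: {counts['bounce']} bounce rejects, {counts['other']} other rejects")
    for host, n in bouncing_hosts(SAMPLE_LOG).most_common():
        print(f"{n:5d} {host}")
```

Run it against a real maillog by reading the file into the function instead of `SAMPLE_LOG`; the "other" column separates genuine spam to unknown users from the bounce storm, which a plain logwatch total does not.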
 
Old 01-19-2007, 08:53 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

"Backscatter" is a term typically reserved for traffic that results from spoofed IPs in DDoS attacks. When e-mail domains are forged to send spam, it's known as a "Joe Job". I cover that (and other attacks) on my site. Check out e-mail threats and click on The "Joe Job" under Threats/Network.
 
Old 01-19-2007, 08:56 PM   #7
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Original Poster
Certainly Wietse Venema of postfix fame seems to refer to this as backscatter.

http://www.postfix.org/BACKSCATTER_README.html

Anyway, here's what I saw:

http://www.linuxquestions.org/questi...d.php?t=521020

and thanks for the link
 
Old 01-19-2007, 09:01 PM   #8
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Original Poster
Interesting chort, but it would seem to me that since most of the crap I get is from sites that bounce mail to unknown users, they are probably the least likely to implement spf or anything similar.
 
Old 01-19-2007, 09:12 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Yes, but you can only control your own site. There are two third parties involved: The spammer, and the recipient of the spam. You can't control what they do. The best you can do is publish an SPF/Sender-ID record (soon to be superseded by DKIM in all likelihood) and hope that recipients of spam will check your records to avoid ever accepting the spam in the first place.

If you do get the bounces, you can filter them, but it's potentially tricky--especially if they used a valid e-mail address from your domain. Of course, they've already used your bandwidth at that point.

As for the term "Joe Job", I'm now working at my second e-mail security company and both have called it "Joe Job". That's the only term I see used to describe it in the e-mail security industry and in press about it.

Last edited by chort; 01-19-2007 at 09:14 PM.
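chort's post names two defensive measures: publish SPF, and filter the bounces that arrive anyway, which is hard when the forged sender is a real address in your domain. The following Python is an added example of the filtering half; it is not chort's code, nor Postfix's, and the Postfix BACKSCATTER_README linked earlier describes its own header-check approach. It implements a simplified BATV-style scheme (the `prvs=` layout used here is an assumption, not the exact standard format): outbound envelope senders are rewritten to carry an HMAC tag, and an inbound message with a null envelope sender is accepted only when its recipient address carries a valid, unexpired tag. A bounce to an untagged address, even a real mailbox, is refused because your server never sent mail from that untagged form. The key and day numbers are constructed.

```python
import hashlib
import hmac
import time

# Constructed site key; in deployment it is a secret shared only by the outbound and inbound MTAs.
SITE_KEY = b"constructed-example-key-not-for-production"
TAG_LIFETIME_DAYS = 7  # bounces normally arrive within days; older tags are refused


def _tag(local_part, domain, day_number):
    """Short HMAC over (day, address); truncated to keep the envelope address readable."""
    msg = f"{day_number}:{local_part}@{domain}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()[:12]


def sign_sender(address, day_number=None):
    """Rewrite user@domain to prvs=<day>=<tag>=user@domain for use as the envelope sender
    of outbound mail (hypothetical layout)."""
    if day_number is None:
        day_number = int(time.time() // 86400)
    local, domain = address.split("@", 1)
    return f"prvs={day_number}={_tag(local, domain, day_number)}={local}@{domain}"


def verify_bounce_recipient(address, today=None):
    """Return (accept, reason) for the RCPT TO of a message whose envelope sender is <>."""
    if today is None:
        today = int(time.time() // 86400)
    local, _, domain = address.partition("@")
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "prvs":
        return False, "bounce to untagged address: no mail was sent from it"
    _, day_s, tag, orig_local = parts
    if not day_s.isdigit():
        return False, "malformed tag"
    day = int(day_s)
    if not 0 <= today - day <= TAG_LIFETIME_DAYS:
        return False, "tag expired"
    expected = _tag(orig_local, domain, day)
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    return True, f"deliver to {orig_local}@{domain}"


def should_accept(envelope_sender, recipient, today=None):
    """Policy hook at the RCPT stage: ordinary mail passes; bounces must carry a valid tag."""
    if envelope_sender != "":
        return True, "not a bounce"
    return verify_bounce_recipient(recipient, today)


if __name__ == "__main__":
    day = 13530  # constructed day number, mid-January 2007
    signed = sign_sender("bob@example.org", day)
    print("outbound envelope sender:", signed)
    print("genuine bounce:", should_accept("", signed, today=day + 2))
    print("forged-sender bounce:", should_accept("", "bob@example.org", today=day + 2))
    print("stale bounce:", should_accept("", signed, today=day + 30))
```

Because the decision is made from the envelope alone, a rejected bounce costs only the SMTP envelope exchange rather than the full message body; a real bounce for mail you did send still verifies and is delivered to the original mailbox.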
 
Old 01-20-2007, 06:47 AM   #10
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Makes me glad I don't have to administer email servers. Sounds like a frickin' nightmare!
 
  

