Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-18-2007, 03:01 AM | #1
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Duration of backscatter
I'm currently the victim of a truckload of backscatter email bounces thanks to some $%%^ spammer(s) forging my domain and crappily configured mail servers around the planet.
Does anyone have any view on how long these tend to last for? I assume that the spammers move on to a new set of domain names pretty quickly and the crap will drop off. Does this sound correct?
01-18-2007, 06:46 AM | #2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
I wouldn't bet on it. Once spammers got ahold of my company domain name, the crap was flowing for months until I set the server to drop everything that wasn't from a legitimate email account. As far as I know, they are still using our domain name, but at least I don't have to deal with their garbage.
01-18-2007, 01:24 PM | #3
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Original Poster
I always drop mail to non-existent users. I'd just prefer to be able to see something useful in my logs and not chew up bandwidth on crap connections.
Will revert as to timing
Nice looking site
Rgds
01-19-2007, 03:13 AM | #4
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Original Poster
Volume seems to have dropped off significantly today.
I'll post daily volumes once things peter out
01-19-2007, 07:36 PM | #5
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Original Poster
For information - progression of backscatter/Joe Job attack
Having posted this
http://www.linuxquestions.org/questi...d.php?t=520417
the other day, I thought it may be interesting for readers if I posted some data relating to the progression of the backscatter I received.
Taking "rejected as undeliverable" totals from my daily logwatch cron job, here is what I saw day by day.
15 Jan 308
16 Jan 1,695
17 Jan 3,056
18 Jan 5,846
19 Jan 4,408
20 Jan 596
I guess I just sit and wait for the next one now!
Last edited by billymayday; 01-19-2007 at 08:04 PM.
01-19-2007, 07:53 PM | #6
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
"Backscatter" is a term typically reserved for traffic that results from spoofed IPs in DDoS attacks. When e-mail domains are forged to send spam, it's known as a "Joe Job". I cover that (and other attacks) on my site. Check out e-mail threats and click on The "Joe Job" under Threats/Network.
01-19-2007, 07:56 PM | #7
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Original Poster
Certainly Wietse Venema of postfix fame seems to refer to this as backscatter.
http://www.postfix.org/BACKSCATTER_README.html
Anyway, here's what I saw:
http://www.linuxquestions.org/questi...d.php?t=521020
and thanks for the link
01-19-2007, 08:01 PM | #8
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Original Poster
Interesting chort, but it would seem to me that since most of the crap I get is from sites that bounce mail to unknown users, they are probably the least likely to implement spf or anything similar.
01-19-2007, 08:12 PM | #9
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Yes, but you can only control your own site. There are two third parties involved: The spammer, and the recipient of the spam. You can't control what they do. The best you can do is publish an SPF/Sender-ID record (soon to be superseded by DKIM in all likelihood) and hope that recipients of spam will check your records to avoid ever accepting the spam in the first place.
If you do get the bounces, you can filter them, but it's potentially tricky--especially if they used a valid e-mail address from your domain. Of course, they've already used your bandwidth at that point.
As for the term "Joe Job", I'm now working at my second e-mail security company and both have called it "Joe Job". That's the only term I see used to describe it in the e-mail security industry and in press about it.
Last edited by chort; 01-19-2007 at 08:14 PM.
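As an added illustration of the recipient-side check chort describes (this is example code written for this thread, not code from the forum or from Postfix), here is a minimal SPF evaluator. It looks records up in a constructed in-memory table instead of DNS, so it runs offline, and it handles only the ip4, ip6, include and all terms; mechanisms that need live DNS (a, mx, ptr, exists) are reported as an error rather than guessed.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: no live DNS).
# example.com allows one host, a /28, whatever _spf.example.net allows, and hard-fails the rest.
RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=RECORDS, depth=0):
    """Return the SPF result a receiving MTA would compute for a connection from
    sender_ip whose MAIL FROM claims @domain. A 'fail' lets the receiver reject
    the forged message at SMTP time instead of accepting it and bouncing it
    back to the forged domain (the backscatter discussed above)."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"        # domain publishes nothing: receiver has no basis to reject
    if depth > 10:
        return "permerror"   # RFC 7208 limits include: recursion
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # 'in' is False when address and network families differ, so an
                # ip4 term never matches an IPv6 sender and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"   # malformed network in the published record
            continue
        if name == "include":
            # Simplified: only a 'pass' from the included record counts as a match.
            if evaluate_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # a, mx, ptr, exists need live DNS: out of scope here
    return "neutral"        # no term matched and the record has no 'all'
```

A receiver that gets "fail" for the forged domain rejects during the SMTP transaction, which is exactly the case that never turns into a bounce to the victim.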
01-20-2007, 05:47 AM | #10
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Makes me glad I don't have to administer email servers. Sounds like a frickin' nightmare! 