Possible DoS attack - suggestions please

soappie
Posts: 6,794 Forumite


in Techie Stuff
My company has a website address that is very similar to a v. large organisation. We both know this and we both accept it. And we have taken measures to ensure we don't cross each other's internet paths as much as is humanly possible.
Around about noon today I received some 3000 'mail handler error' emails that purported to be bounced back because they couldn't be delivered to a standard generic email address which both my (v.v.v. small!) and the v.v.v. large organisation have in common but with slightly different end extensions (e.g. webmaster@somewhere - but it's not that!). But, that email address is one I have never sent anything to and which cannot have been harvested from my company website because it doesn't appear there!
They are not normal phishing or virus related or spamming emails - the text of the email relates to the business activities of the v. large organisation and says it comes from the secretary to the chairman of that v. large organisation.
Just after 8pm this evening I received another flurry of these - some 12,000 in all (I spent a frantic hour deleting them as soon as they came in!) - fortunately I have unlimited downloads! I use a small, local ISP who doesn't work weekends and whose email server is in danger of collapsing under the weight of these emails if they continue at such a fast (and exponentially increasing numbers) rate - thereby denying other users of the ISP access to their emails let alone me!
I am becoming more and more convinced that this volume of emails is meant for the v. big organisation and is basically a DoS attack.
Does anyone have any suggestions as to what I can do until Monday to ensure I can continue to receive my legitimate emails, my ISP's email server doesn't buckle under the strain and that the damned v. large organisation is made aware of this!
I am the leading lady in the movie of my life
0
Comments
-
Have you checked the originating IP address for the emails as recorded in the message header?
If they are all coming from the same IP address, it's probably not a DoS attack, as these are usually launched from many different IP addresses (usually from a botnet of lots of hacked PCs) to make them difficult to block. If they are all from the same IP address, there's a good chance that your big neighbour has configured one of their web or mail servers wrongly.
You can look up that IP address at one of many sites such as:
http://www.viewwhois.com/
...and if it belongs to your big neighbour then it's probably their fault. Prepare to give them a hard time on Monday, and calmly ask how they intend to compensate you for your wasted time.
If the emails are coming from lots of different IP addresses, it might be a DoS attack or it might be a different type of server misconfig. But much harder to pin the blame on anyone.
Whatever the cause, if your ISP has no staff on board at the weekend, what you are doing (i.e. removing the emails from their mail server as quickly as they arrive) is probably all you ~can~ do - though it may be worth calling their Head Office tomorrow, as their IT dept probably has someone on callout if they are that big.
0 -
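The header check suggested in the reply above can be done over a whole batch of saved bounces at once. The following is an added example, not part of the thread: it assumes each bounce attaches the original message as a `message/rfc822` part (bounces that only quote it inline need text parsing instead), and the addresses, host names and `make_bounce` helper are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Bracketed IPv4 literal, the form most MTAs write in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def make_bounce(ip):
    """Constructed sample: a minimal bounce with the original message attached."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: info@small.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\n"
        "Sorry, your message could not be delivered.\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        f"Received: from unknown ([{ip}]) by relay.example.org\n"
        "From: info@small.example\n"
        "To: someone@example.com\n"
        "Subject: hello\n\n"
        "body\n"
        "--b1--\n"
    )

def origin_ip(bounce_raw):
    """IP in the topmost Received header of the message quoted inside a bounce."""
    for part in message_from_string(bounce_raw).walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            # Only the topmost header was written by the accepting server;
            # anything below it could have been supplied by the sender.
            received = original.get_all("Received", [])
            match = IP_RE.search(received[0]) if received else None
            return match.group(1) if match else None
    return None

def summarise(bounces):
    """Tally source IPs and say whether the flood has one source or many."""
    counts = Counter(ip for ip in map(origin_ip, bounces) if ip)
    if not counts:
        return counts, "no source found"
    return counts, "single source" if len(counts) == 1 else "multiple sources"

if __name__ == "__main__":
    print(summarise([make_bounce("203.0.113.5")] * 3))
```
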
Thanks Fwor. I dreaded logging on this morning but there were only 39 emails overnight (which is average) and the ISP's server is still standing.
I've checked what I can from the link you so kindly provided. I didn't save any from the original smaller batch so can't check those (and I emptied my deleted items bin) but from what I can remember, they've all come from the same mailer daemon.
Sorry your message from <always the same address which is one of mine> to <random yahoo address> could not be delivered
Then the == original message ==== bit goes
received: from <ip address resolving to Lagos, Nigeria> by <swedish company>
The Swedish company appears to be some kind of domain design/host company.
So, all I can do today is keep a close eye out in case another flood of them come in.
I am the leading lady in the movie of my life
0 -
I have had this before myself on a number of my domains. What happened then was that Spammers were using my address in the reply-to field and sending out thousands of spam emails. Obviously they do not check the emails they send to so a large number are returned as undeliverable, hence the emails you got. Whilst this is very very annoying with my domain it only lasted 2 weeks before they gave up using mine and moved on.
A couple of things to check, does your ISP's SMTP server require authentication, if so this means that they will be sending from another IP and you should be safe from being blocked by spam filters. If it is not get them to arrange this asap.
Do you have a catch-all email address? If so switching this off for a few days can help as it will bounce any replies that are not specific to your email back.
It's a horrible feeling knowing that your name\company's name is being used like this but fingers crossed it will go away soon.
The only way of finding the limits of the possible is by going beyond them into the impossible.
Arthur C. Clarke
0 -
Hi Dime,
No I don't have a catch all email address - I have them tied down to specific ones - heaven help me if I did! I'm not sure about authentication etc. But, rest assured, I'll be on the phone to my ISP first thing tomorrow morning! (They only offer support from 08:00 - 22:00 Mon - Fri)
I've just had another flurry of them come in - same type of thing. Over the last half hour I've had just over five thousand of them. They're still coming in but at a less rapid rate than at the beginning of the last half hour...
I am the leading lady in the movie of my life
0 -
To find out about SMTP authentication just check your settings in your email client.
Good Luck.
The only way of finding the limits of the possible is by going beyond them into the impossible.
Arthur C. Clarke
0
This discussion has been closed.