>From "Louis T. Chmielewski" <chmielewskil@subway.com>:
>To: <firewalls@GreatCircle.com>
>Subject: Tracking down the sender of an email...
>
>Hello all,
> I'm relatively new to the security game, but I'm learning. We recently
>had someone 'mail bomb' us with about 500 messages. I'd like to track it
>down, but it looks like the sender used an Anonymous mailer. Can someone
>tell me how to look at the header of the messages and determine where it
>came from, ......................?
Look at the Received: headers for hostnames and IP addresses of any relays
involved. Realize however that some of them may be forged or spoofed to
provide red herrings.
If you are running Sendmail or another MTA and have the real FQDN and/or
IP address logged (ie. to /var/log/syslog on your external mailhost
and/or as part of the Received: header on the message) then you should
be able to get the name and/or IP address of the host which was the
final link in the chain (the one which relayed it to you). You'll then
have to work backwards from there (contact the admin at the host which
passed the message to you and see if they can trace the message back to
the previous hop -- hint:
they should be able to trace the message by its Message-ID header).
>........., and who really sent it?
This may or may not be possible depending on how good at being anonymous
the sender was. I have seen forgeries where the forger talked SMTP to
sendmail on the localhost (with '/usr/lib/sendmail -bs ') or was unaware
that the Unix host they were on was running 'identd' and their account
name on the local machine was logged by the relaying SMTP agent.
But someone using an anonymous machine talking SMTP to an anonymous
relay machine could easily avoid leaving any trace of their activity.
>Also, how can I avoid this 'situation' in the future?
1. Sendmail V8
Sendmail version 8 has some anti-spam provisions which can also help in
an e-mail-bombing attack ( http://www.sendmail.org/antispam.html ):
- It can prevent the use of your SMTP MTA as a relay
between Internet hosts.
- It can refuse SMTP connections from known bad relay hosts.
- It can insist that the hostnames listed in sender
e-mail addresses actually exist (ie. can be looked up in DNS).
- It can refuse messages from known bad e-mail addresses
(ie. a Bozo file).
2. Blocking at the IP or TCP level.
If you know the IP address of the relay host which is sending
you the "mail-bomb" messages you can (1) block it at your
Internet router or (2) via a 'wrapper' program (ie.
'tcp_wrapper', SMAP, etc.) front-ending your SMTP MTA
(sendmail, etc.). You can also (3) install a bad 'host' route
to the offending relay using the 'route' command on your
external mail server/receiver.
3. PMDF (http://www.innosoft.com/)
PMDF can track the number of SMTP connections and messages from
a certain site in a time period and cut them off if it detects
what seems to be a flooding attack (ie. 500 messages from a
bad-guy site in a few minutes).
I believe there is similar software installed at whitehouse.gov
which was mail-bombed in the spring of 96 and learned how to
deal with it.
There are probably other commercial packages which record state
information and attempt to recognize mail-bombing attacks via
parameterized heuristics.
> TIA,
> Lou
>Louis T. Chmielewski
>Franchise World Headquarters
>(203)877-4281 x1128
203-877-.... you must be in Milford, CT. Grew up there. Oh yeah, Subway
World Hqtrs.
- H. Morrow Long
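Added example, not from the original post and not sendmail's or PMDF's code, in Python, covering two of the points in the reply above: walking the Received: chain back to the hop that handed the message to you (trusting only the header your own MTA prepended, and flagging HELO names that disagree with the reverse DNS the receiving MTA recorded), and the PMDF-style flood check, counting messages per relay IP in a sliding window over sendmail-style log lines. The message, the log lines, every hostname and address, and the 50-messages-in-5-minutes threshold are all constructed for the example.

```python
"""Added example (not from the original post, sendmail or PMDF); see comments for what is constructed."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed message.  Each MTA prepends its own Received: header, so the first
# one is what our mailhost recorded and the only one we can trust; everything
# below it arrived with the message and may be forged by the sender.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mailhost.example.com (8.8.5/8.8.5) with ESMTP id QAA12345
    for <lou@example.com>; Fri, 13 Jun 1997 16:02:11 -0400 (EDT)
Received: from anon.example.org (anon.example.org [198.51.100.7])
    by relay.example.net (8.7.6/8.7.3) with SMTP id PAA04567
    for <lou@example.com>; Fri, 13 Jun 1997 16:01:58 -0400 (EDT)
Received: from mailhost.example.com (dialup-17.example.org [203.0.113.1])
    by anon.example.org (8.6.12) id PAA00999; Fri, 13 Jun 1997 16:01:30 -0400
Message-ID: <19970613200130.PAA00999@anon.example.org>
From: nobody@anon.example.org
Subject: test 1 of 500

(body)
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiver>": the HELO name is the
# client's own claim; the parenthesised part is what the receiving MTA observed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def received_chain(raw):
    """Received: hops in transit order (oldest first).  'trusted' marks the hop our
    own MTA wrote; 'helo_mismatch' flags a HELO name differing from observed rDNS."""
    hops = []
    for h in unfold_headers(raw):
        if h.lower().startswith("received:"):
            m = HOP_RE.search(h)
            if m:
                hops.append(m.groupdict())
    for i, hop in enumerate(hops):
        hop["trusted"] = (i == 0)            # topmost header = most recent = ours
        hop["helo_mismatch"] = (hop["rdns"] is not None
                                and hop["rdns"].lower() != hop["helo"].lower())
    return hops[::-1]

def trace_start(raw):
    """Where to begin working backwards: the IP our MTA actually saw connect (never
    the HELO name) plus the Message-ID to quote to that host's postmaster."""
    ours = [h for h in received_chain(raw) if h["trusted"]]
    msgid = next((h.split(":", 1)[1].strip() for h in unfold_headers(raw)
                  if h.lower().startswith("message-id:")), None)
    if not ours:
        return None
    return {"ip": ours[0]["ip"], "rdns": ours[0]["rdns"], "message_id": msgid}

# Part 2: sendmail-style syslog "from=" lines, one per accepted message.
LOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) .*relay=\S+ \[(?P<ip>[\d.]+)\]")

def make_log():
    """Constructed log: 60 messages in one minute from one relay, 3 from another."""
    base = datetime(1997, 6, 13, 16, 1, 58)
    bursts = [(60, 1, "nobody@anon.example.org", "relay.example.net [192.0.2.10]"),
              (3, 20, "friend@partner.example", "mx.partner.example [192.0.2.200]")]
    lines = []
    for count, step, sender, relay in bursts:
        for i in range(count):
            t = base + timedelta(seconds=step * i)
            lines.append(f"{t:%b %d %H:%M:%S} mailhost sendmail[{1000 + len(lines)}]: "
                         f"from=<{sender}>, size=312, nrcpts=1, proto=ESMTP, relay={relay}")
    return sorted(lines)

def flood_sources(log_lines, threshold=50, window=timedelta(minutes=5), year=1997):
    """{ip: time first flagged} for each relay IP sending more than `threshold`
    messages within `window` (both values are assumptions, not PMDF defaults)."""
    recent, flagged = {}, {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts'].replace('  ', ' ')}", "%Y %b %d %H:%M:%S")
        q = recent.setdefault(m["ip"], deque())   # recent timestamps for this IP
        q.append(ts)
        while ts - q[0] > window:                 # evict what fell out of the window
            q.popleft()
        if len(q) > threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged
```

Calling received_chain(SAMPLE_MESSAGE) shows the bottom hop claiming to be mailhost.example.com in HELO while the relay that accepted it saw a dial-up host, which is why only the hop marked trusted (the one our own MTA wrote, observed IP 192.0.2.10) is worth blocking at the router or handing to that host's postmaster along with the Message-ID from trace_start(); flood_sources(make_log()) flags 192.0.2.10 on its 51st message within the window and leaves the low-volume relay alone.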