In my humble opinion it looks like something at your mail server.

198.108.1.26 is trapdoor.merit.edu, their mail server, which appears to be re-sending the original 10 Jul mail.

The original hit their mail server 10 Jul. This copy was forwarded to your XXX (is this the actual header or are you protecting the innocent?) on 12 Jul.

Your work mail server may not be properly acknowledging receipt of the list mail so Merit's server continues to re-send (for the default 4 days?) until the resend TTL.

A trace to 165.135.0.253 dies at 500.Serial2-2.GW1.HNL2.ALTER.NET so I'm not sure what's hanging there but I'd look at your mail agent configuration.

A second possibility is some non-standard character in your work mail address. You don't say what it is but if there is a character in it that is benign on your system but meaningful to Merit's mail system, there may be a problem.

I've been the victim of a similar "attack" in the past as a result of the _ in my address.

Just my 2¢

-Al

-----Original Message-----
From: Robert Cannon [mailto:rcannon101@yahoo.com]
Sent: Thursday, July 12, 2001 1:46 PM
To: nanog@merit.edu
Subject: Speaking of DDoS attacks

Speaking of DDOS attacks, there seems to be one going on associated with the NANOG list. I was wondering if anyone could offer insight.

At my work address, I have received the same email from NANOG about every 10 - 15 minutes. I have received hundreds of copies of this email. Yet at this address I do not receive the repeated copies (and no one else on the list appears to have complained). If I look at the header of the email, the last hop, if I am reading it correctly, is named "zombie.la.interpacket.net" by mrbig.la.interpacket.net. I have since unsubscribed from NANOG from my work address yet still receive the emails. Also, this has been going on for over a week (since a rule filters all my nanog email into a folder, it has not bothered me too much) - every few days, the email that I am repeatedly hit with changes. Currently, the email I am being hit with is "OT: The End of Empire."

Below I have pasted the header of the email

I would be curious to hear people's thoughts about this. Is this a type of a DDOS? Anyone familiar with it?

-B

Received: from XXXX ([165.135.0.253])
    by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5)
    id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
    id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56)
    id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231
    for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
    id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Delivered-To: nanog@merit.edu
Received: from bond.interpacket.net (us-la-gate.interpacket.net [209.198.223.250])
    by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
    for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57 -0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul 2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5)
    by bond.la.interpacket.net with SMTP; 10 Jul 2001 18:35:42 -0000
Received: from [192.168.4.53] (zombie.la.interpacket.net [192.168.4.53])
    by mrbig.la.interpacket.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Mime-Version: 1.0
X-Sender: mikey@popmail.la.interpacket.net
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
Date: Tue, 10 Jul 2001 11:35:52 -0700
To: nanog@merit.edu
From: Mikey Wilsker <mikey@interpacket.net>
Subject: OT: The End of Empire
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/

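Added example, not written by either poster: the diagnosis above rests on the Received timestamps, so this Python code computes the delay at each hop from seven of the headers pasted in the thread and picks out the hop where the message sat in a queue. The function names and the one-hour threshold are assumptions made for this illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Seven of the Received headers pasted in the thread, newest first
# (XXXX is the poster's own redaction).
RAW = """\
Received: from XXXX ([165.135.0.253]) by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5)
 id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
 id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
 by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231
 for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
 id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul 2001 18:35:43 -0000

"""

def hop_times(raw):
    """Return [(receiving host, UTC time)] for each Received header, oldest first."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        hdr = " ".join(hdr.split())                       # unfold continuation lines
        stamp = re.sub(r"\([^)]*\)", "", hdr.rpartition(";")[2]).strip()  # drop "(EDT)"
        when = parsedate_to_datetime(stamp)
        if when.tzinfo is None:                           # "-0000" comes back naive
            when = when.replace(tzinfo=timezone.utc)
        by = re.search(r"\bby ([^\s;]+)", hdr)
        hops.append((by.group(1) if by else "?", when.astimezone(timezone.utc)))
    return hops

def hop_delays(raw):
    """(from, to, seconds) per hop; small negative values are clock skew."""
    hops = hop_times(raw)
    return [(a[0], b[0], int((b[1] - a[1]).total_seconds()))
            for a, b in zip(hops, hops[1:])]

def queued_hop(raw, threshold=3600):
    """The hop with the longest delay if it exceeds `threshold` seconds, else None."""
    worst = max(hop_delays(raw), key=lambda d: d[2], default=None)
    return worst if worst and worst[2] > threshold else None

if __name__ == "__main__":
    for src, dst, secs in hop_delays(RAW):
        print(f"{src:>20} -> {dst:<20} {secs:>8d} s")
    print("queued at:", queued_hop(RAW))
```

On these headers the only long delay is between trapdoor.merit.edu and the first XXXX hop, about two days and 85 minutes. The -89 s step from segue.merit.edu to trapdoor.merit.edu is clock skew between the two hosts, not a delay.
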
Merit uses Postfix. A workaround was recently added to Postfix which breaks up lines over 2048 bytes, as some Mickeysoft MTAs stop responding when Postfix delivers mail with large lines in them. Without this patch, Postfix will keep resending until it gives up.

On Thu, 12 Jul 2001, Rowland, Alan D wrote:

|
| In my humble opinion it looks like something at your mail server.
|
| 198.108.1.26 is trapdoor.merit.edu, their mail server, which appears to be
| re-sending the original 10 Jul mail.
|
| The original hit their mail server 10 Jul. This copy was forwarded to your
| XXX (is this the actual header or are you protecting the innocent?) on 12
| Jul.
|
| Your work mail server may not be properly acknowledging receipt of the list
| mail so Merit's server continues to re-send (for the default 4 days?) until
| the resend TTL.
|
| A trace to 165.135.0.253 dies at 500.Serial2-2.GW1.HNL2.ALTER.NET so I'm not
| sure what's hanging there but I'd look at your mail agent configuration.
|
| A second possibility is some non-standard character in your work mail
| address. You don't say what it is but if there is a character in it that is
| benign on your system but meaningful to Merit's mail system, there may be a
| problem.
|
| I've been the victim of a similar "attack" in the past as a result of the _
| in my address.
|
| Just my 2¢
|
| -Al
|
| -----Original Message-----
| From: Robert Cannon [mailto:rcannon101@yahoo.com]
| Sent: Thursday, July 12, 2001 1:46 PM
| To: nanog@merit.edu
| Subject: Speaking of DDoS attacks
|
|
|
| Speaking of DDOS attacks, there seems to be one going
| on associated with the NANOG list. I was wondering if
| anyone could offer insight.
|
| At my work address, I have received the same email
| from NANOG about every 10 - 15 minutes. I have
| received hundreds of copies of this email. Yet at
| this address I do not receive the repeated copies (and
| no one else on the list appears to have complained).
| If I look at the header of the email, the last hop, if
| I am reading it correctly, is named
| "zombie.la.interpacket.net" by
| mrbig.la.interpacket.net. I have since unsubscribed
| from NANOG from my work address yet still receive the
| emails. Also, this has been going on for over a week
| (since a rule filters all my nanog email into a
| folder, it has not bothered me too much) - every few
| days, the email that I am repeatedly hit with changes.
| Currently, the email I am being hit with is "OT: The
| End of Empire."
|
| Below I have pasted the header of the email
|
| I would be curious to hear people's thoughts about
| this. Is this a type of a DDOS? Anyone familiar
| with it?
|
| -B
|
|
| Received: from XXXX
| ([165.135.0.253])
| by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
| Received: by XXXX; id QAA14070; Thu, 12 Jul 2001
| 16:01:38 -0400 (EDT)
| Received: from unknown(198.108.1.26) by XXXX via smap
| (V5.5)
| id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
| Received: by trapdoor.merit.edu (Postfix)
| id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
| Delivered-To: nanog-outgoing@trapdoor.merit.edu
| Received: by trapdoor.merit.edu (Postfix, from userid
| 56)
| id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
| Delivered-To: nanog@trapdoor.merit.edu
| Received: from segue.merit.edu (segue.merit.edu
| [198.108.1.41])
| by trapdoor.merit.edu (Postfix) with ESMTP id
| 83A3791231
| for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001
| 14:35:29 -0400 (EDT)
| Received: by segue.merit.edu (Postfix)
| id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
| Delivered-To: nanog@merit.edu
| Received: from bond.interpacket.net
| (us-la-gate.interpacket.net [209.198.223.250])
| by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
| for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57
| -0400 (EDT)
| Received: (qmail 31855 invoked from network); 10 Jul
| 2001 18:35:43 -0000
| Received: from mrbig.la.interpacket.net (192.168.6.5)
| by bond.la.interpacket.net with SMTP; 10 Jul 2001
| 18:35:42 -0000
| Received: from [192.168.4.53]
| (zombie.la.interpacket.net [192.168.4.53]) by
| mrbig.la.interpacket.net with SMTP (Microsoft Exchange
| Internet Mail Service Version 5.5.2653.13)
| id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
| Mime-Version: 1.0
| X-Sender: mikey@popmail.la.interpacket.net
| Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
| Date: Tue, 10 Jul 2001 11:35:52 -0700
| To: nanog@merit.edu
| From: Mikey Wilsker <mikey@interpacket.net>
| Subject: OT: The End of Empire
| Content-Type: text/plain; charset="us-ascii" ;
| format="flowed"
| Sender: owner-nanog@merit.edu
| Precedence: bulk
| Errors-To: owner-nanog-outgoing@merit.edu
| X-Loop: nanog
|
|
| __________________________________________________
| Do You Yahoo!?
| Get personalized email addresses from Yahoo! Mail
| http://personal.mail.yahoo.com/
|

---
Rev. Chris Cappuccio
http://www.dqc.org/~chris/