Network / Server Status: Please check often for network / Server updates here!
#16
Status report? Is there anyone available to post a quick reply as to where we are at with the issue? My clients have been without e-mail for an entire day and my frustration level with not having an acceptable answer for them is growing.
#17
About the attack
Today's problems with mail7 were due to a DDoS attack against the mail services (actually only port 25) on that machine.
Being that the attack is generating valid TCP connections, and sending valid (in TCP terms) data, it is *very* hard to mitigate. Being that it's not a standard synflood, the syn proxy methods had little avail. I am seeing over 2000 unique IP connections per second. I estimate the machines in this botnet to be well over 40K, since my state table stays between 30K-40K all the time. Trust we are doing everything possible to get through this attack.
#18
No doubt there and thanks for the update, is this going to be resolved by the morning?
#19
Finally someone responds... That's all we ask.
Thank you Aaron.
#20
Thanks Aaron! Good luck.
#21
The attack seems to have dropped off. If anyone has problems sending AND receiving, please submit a ticket containing the public IP for the problematic computer.
#22
FYI: according to tech support, mail7 and mail8 are having the same issue again.
#23
Hey Folks,
Get into the habit of using port 2525 for outgoing SMTP to our servers. We have reached the point that larger ISPs reach with incoming SMTP. (Meaning a majority of incoming traffic from non-UNIX hosts is spam, virii, etc.) It's very simple for me to filter out traffic using passive OS fingerprinting. This was the major breakthrough last night in the attack. So use port 2525 from now on, at least on Mail7. Now if you happen to run *BSD, Linux, Solaris, etc., you will not have a problem on port 25.
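The passive OS fingerprinting filter described in the post above, as an added Python example that is not part of the original thread and is not the host's actual filter. The signature table, the pass/drop policy, the function names and the sample packets are assumptions made for illustration.

```python
import struct
OPT = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}
# Assumed, simplified p0f-style (initial TTL, option layout) signatures.
SIGS = {
    (128, "mss,nop,ws,nop,nop,sok"): "windows",
    (128, "mss,nop,nop,sok"): "windows",
    (64, "mss,sok,ts,nop,ws"): "unix-like",
    (64, "mss,nop,ws,sok,ts"): "unix-like",
}

def syn_features(pkt):
    """Return (ttl, option layout, dport) for a raw IPv4 TCP SYN, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:  # need SYN without ACK
        return None
    opts, i, layout = tcp[20:(tcp[12] >> 4) * 4], 0, []
    while i < len(opts) and opts[i] != 0:  # kind 0 ends the option list
        kind = opts[i]
        size = 1 if kind == 1 else opts[i + 1] if i + 1 < len(opts) else 0
        if kind != 1 and size < 2:
            return None  # malformed option length
        layout.append(OPT.get(kind, "?%d" % kind))
        i += size
    return pkt[8], ",".join(layout), struct.unpack("!H", tcp[2:4])[0]

def os_family(pkt):
    feat = syn_features(pkt)
    if feat is None:
        return "unknown"
    initial = next(t for t in (64, 128, 255) if feat[0] <= t)  # undo hop decrements
    return SIGS.get((initial, feat[1]), "unknown")

def verdict(pkt):
    """Hypothetical policy: 2525 open to all, 25 for UNIX-like senders only."""
    feat = syn_features(pkt)
    to_2525 = feat is not None and feat[2] == 2525
    return "pass" if to_2525 or os_family(pkt) == "unix-like" else "drop"

def make_syn(ttl, options, dport=25):
    """Constructed sample packet (checksums left zero, documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, 65535, 0, 0)
    return ip + tcp + options
WIN_OPTS = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")  # constructed
LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
```

The TTL and option layout are chosen by the sender, so a filter like this reduces load from commodity bot hosts but is not an authentication check.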
#24
So... Just to be clear...
Aaron, so the only thing we should do on our end right now to help out is to start switching any OUTGOING smtp connections of us or our clients to 2525, instead of 25, correct?
Three questions:
1) Only for mail7, or for any vortech mail servers?
2) No changes to incoming at all?
3) Will this change affect any of the php/asp mail scripts on web sites we have on your boxes, or are they fine?
Thank you very much for your attention to this matter. It was a doozy, but I know it's been your #1 priority to remedy, and I very much appreciate that.
-Dustin
#25
Just for 7 for now.
No changes for incoming. Scripts go through another mail server altogether; no, they will not be affected.
#26
Here's a long shot.... is there any way in H-Sphere to see which clients are using Mail7? Or do I have to open up each account to see what mail server they are on?
Thanks, Dustin
#27
Use a site like dnsreport.com to look at the MX record. Or use dig, nslookup, etc. on a UNIX-like OS.
#28
Sorry, I meant was there a report in H-Sphere that would list all of the client accounts by their mail server, thereby allowing me to not have to look at each individual domain in H-Sphere, dnslookup, etc.
With 60-70 sites to look and see if they're on mail7, it gets tedious. (Of course, I'm doing now what I should have done a long time ago, and making a full database of that info on my end.)
-Dustin
#29
You can click the account ID, then click mail info from the CP.
#30
Are we down again?