DDOS, weirdness, help!
From: ward (ward_at_discussions.microsoft.com)
Date: 01/13/05
- Next message: Andy David - Exchange MVP: "Re: "Run Autoarchive every X days" is Grayed out"
- Previous message: Boris Lokhvitsky: "Re: Disabling a user account"
- Next in thread: Lanwench [MVP - Exchange]: "Re: DDOS, wierdness, help!"
- Reply: Lanwench [MVP - Exchange]: "Re: DDOS, wierdness, help!"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 12 Jan 2005 18:01:02 -0800
Log excerpt below...
This client only has 50 users, and minimal legitimate email traffic.
Long story short, they are running 100% of a T1, and it's all SMTP
going to bogus addresses. I'm putting in connection filters on the default
SMTP server for addresses, but it's insane. I decided to just block huge
chunks of class A addresses I know we don't need mail from. 200.x.x.x, 201,
202, 203, 218, 219, 220, 221/8 all blocked. Plus more, but there are always 100
current sessions, some that have been connected for 600 seconds!
I figure we can't just change IP, because logs clearly show it going to
(at)famecoretail dot com (our domain).
It's Exchange 2000, all patches; any recommendations would be great. We have
business critical support but I don't have time to call for a few days.
Here's the log. Thanks, ward
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-12 03:09:57
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Referer)
2005-01-12 03:09:57 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<richter@famecoretail.com> 250 0 37 35 0 SMTP - - -
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-12 03:09:59
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Referer)
2005-01-12 03:09:59 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<rick_white@famecoretail.com> 250 0 40 38 15 SMTP - - -
2005-01-12 03:09:59 128.211.144.161 ispchannel.com SMTPSVC1 FAMECO04 192.168.42.15 0 HELO - +ispchannel.com 250 0 51 19 0 SMTP - - -
2005-01-12 03:10:01 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ricks@famecoretail.com> 250 0 35 33 0 SMTP - - -
2005-01-12 03:10:04 128.211.144.161 ispchannel.com SMTPSVC1 FAMECO04 192.168.42.15 0 MAIL - +FROM:+<blipford@ispchannel.com> 250 0 48 36 0 SMTP - - -
2005-01-12 03:10:08 128.211.144.161 ispchannel.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<affrays@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:08 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 EHLO - +aol.com 250 0 334 12 0 SMTP - - -
2005-01-12 03:10:08 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 HELO - +136.red-213-37-57.user.auna.net 250 0 49 36 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 MAIL - +FROM:+<blancaboyceiw@bee-team.demon.co.uk> 250 0 59 47 16 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<allying@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ahay@famecoretail.com> 250 0 34 32 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ahayden@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<anahau@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ampung@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ampyx@famecoretail.com> 250 0 35 33 0 SMTP - - -
2005-01-12 03:10:09 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 MAIL - +FROM:+<TCBTEQQYcoincident@a-city.de> 250 0 53 41 0 SMTP - - -
2005-01-12 03:10:10 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<hamlet@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:10 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<halton@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:12 211.220.165.163 66.255.8.11 SMTPSVC1 FAMECO04 192.168.42.15 0 HELO - +66.255.8.11 250 0 51 16 0 SMTP - - -
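Added example, not code from ward's post or from anyone in this thread: the Python below parses an IIS 5.0 SMTP log in the W3C extended format shown above, profiles each client IP by what it sent in HELO/EHLO, MAIL FROM and RCPT TO, and flags the hosts whose RCPT pattern looks like a dictionary run (several distinct local parts at the local domain, one dominant initial letter, many RCPTs per second, every one answered 250). SAMPLE_LOG is a constructed transcript of a subset of the records from the excerpt, re-joined to one record per line; the local domain, the `min_distinct` threshold and the field names used for scoring are assumptions made for the example.

```python
"""Profile SMTP clients in an IIS 5.0 SMTP (W3C extended) log and flag
directory-harvest behaviour.  Added example; SAMPLE_LOG is a constructed
transcript of records from the post above, one record per line."""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-12 03:09:57
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Referer)
2005-01-12 03:09:57 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<richter@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:09:59 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<rick_white@famecoretail.com> 250 0 40 38 15 SMTP - - -
2005-01-12 03:10:01 212.217.25.23 ll212-23-25-217-212.ll212.iam.net.ma SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ricks@famecoretail.com> 250 0 35 33 0 SMTP - - -
2005-01-12 03:10:04 128.211.144.161 ispchannel.com SMTPSVC1 FAMECO04 192.168.42.15 0 MAIL - +FROM:+<blipford@ispchannel.com> 250 0 48 36 0 SMTP - - -
2005-01-12 03:10:08 128.211.144.161 ispchannel.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<affrays@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:08 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 EHLO - +aol.com 250 0 334 12 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 MAIL - +FROM:+<blancaboyceiw@bee-team.demon.co.uk> 250 0 59 47 16 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<allying@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ahay@famecoretail.com> 250 0 34 32 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ahayden@famecoretail.com> 250 0 37 35 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<anahau@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ampung@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:09 221.239.67.166 aol.com SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<ampyx@famecoretail.com> 250 0 35 33 0 SMTP - - -
2005-01-12 03:10:10 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<hamlet@famecoretail.com> 250 0 36 34 0 SMTP - - -
2005-01-12 03:10:10 213.37.57.136 136.red-213-37-57.user.auna.net SMTPSVC1 FAMECO04 192.168.42.15 0 RCPT - +TO:+<halton@famecoretail.com> 250 0 36 34 0 SMTP - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive
    (IIS writes a fresh header block each time it reopens the log)."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()  # IIS replaces spaces inside a field with '+'
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def profile_clients(records):
    """Collect per client IP: HELO/EHLO names, MAIL FROM addresses, RCPT TO
    addresses with their timestamps, and how many RCPTs got a 250."""
    clients = defaultdict(lambda: {"helo": set(), "mail_from": set(),
                                   "rcpt": [], "rcpt_times": [], "rcpt_ok": 0})
    for r in records:
        c, verb, arg = clients[r["c-ip"]], r["cs-method"].upper(), r["cs-uri-query"]
        m = ADDR_RE.search(arg)
        if verb in ("HELO", "EHLO"):
            c["helo"].add(arg.lstrip("+"))
        elif verb == "MAIL" and m:
            c["mail_from"].add(m.group(1).lower())
        elif verb == "RCPT" and m:
            c["rcpt"].append(m.group(1).lower())
            c["rcpt_times"].append(datetime.strptime(
                r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
            c["rcpt_ok"] += r["sc-status"] == "250"
    return clients


def flag_harvesters(clients, local_domain, min_distinct=3):
    """Return {ip: report} for clients that sent RCPT TO at least
    `min_distinct` different local parts at `local_domain` (threshold assumed)."""
    flagged = {}
    for ip, c in clients.items():
        parts = [a.split("@")[0] for a in c["rcpt"] if a.endswith("@" + local_domain)]
        if len(set(parts)) < min_distinct:
            continue
        span = (max(c["rcpt_times"]) - min(c["rcpt_times"])).total_seconds()
        initial, hits = Counter(p[:1] for p in parts).most_common(1)[0]
        flagged[ip] = {
            "helo": sorted(c["helo"]),
            "mail_from": sorted(c["mail_from"]),
            "distinct_rcpt": len(set(parts)),
            "rcpt_per_sec": round(len(parts) / max(span, 1.0), 2),
            # a wordlist walked in order shows up as one dominant initial letter
            "same_initial": (initial, round(hits / len(parts), 2)),
            # 250 on every RCPT: the server accepted each bogus recipient unchecked
            "all_accepted": c["rcpt_ok"] == len(c["rcpt"]),
        }
    return flagged


if __name__ == "__main__":
    report = flag_harvesters(profile_clients(parse_w3c(SAMPLE_LOG)), "famecoretail.com")
    for ip, info in sorted(report.items()):
        print(ip, info)
```

Run against the excerpt, this flags 221.239.67.166 (six RCPTs in one second, every local part starting with "a", HELO "aol.com" against a MAIL FROM at bee-team.demon.co.uk) and 212.217.25.23 (three "r" names in four seconds), and leaves the two-recipient and single-recipient hosts alone; the flagged list is a per-host deny list for the SMTP virtual server's connection control, which is narrower than blocking whole /8s. The `all_accepted` column is the caveat worth reading: every RCPT to a made-up user returns 250, so the server is not validating recipients at the SMTP stage, and Exchange 2000 has no built-in recipient filtering with which to do so (that feature arrived in Exchange 2003).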