
2.99.55 caused DoS attack



My day today has been rather "interesting" so far.  Campus networking
twice had to disable the network port for our Z-Mailer 2.99.55 mail
server due to DoS attack on their name servers.  The first time, I had
already concluded that a transport agent was responsible.  It was
trying to resolve an MX to mx0.onemustfall.com and making constant
queries to the DNS to do that.  It was most likely a piece of bounced
spam and certainly onemustfall.com has defective DNS records, but it's
equally a mystery why it would cause the transport agent to bomb our
DNS servers.  In the interest of getting our mail server back on the
network as soon as possible, I deleted all the spam from the
postoffice.  After re-starting Z-Mailer, the problem was solved.

The system is running Debian woody on x86 with Linux
v. 2.4.19-pre7aa1.  The ZMailer is the 2.99.55-3 Debian packaging, but
looking at the Debian patches, no significant changes were made to
ZMailer source code to produce the package.  One other interesting
note is that I had 3 nameserver entries in my /etc/resolv.conf file
and our campus DNS people were complaining that, in addition to the
DoS attack, DNS queries were going out to all 3 nameservers at once.

In the aftermath, I configured a BIND9 caching DNS server on localhost
and added a special route for messages to the 'onemustfall.com' domain:

.onemustfall.com    bitbucket!

If it would be useful for debugging, I could try to dig up the exact
message causing the problem.  Even better, hopefully this bug has been
fixed already and my problem is running an old version of ZMailer.

TIA,

-- 
Roy Bixler <rcb@ucp.uchicago.edu>
The University of Chicago Press
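As an added example (not part of the original post, and not ZMailer or BIND code): a small detector for the query pattern described above, run over constructed log lines written in roughly the style of a BIND9 query log (the exact log format and the sample addresses are assumptions). It flags any client that repeats the same query at or above a threshold inside a sliding time window, which is the signature of a resolver loop like the one that got this server's port disabled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, in the style of a BIND9 query log (format assumed; real
# logs differ between BIND versions).  One client hammers one name; a second
# client makes a single unrelated query and must not be flagged.
SAMPLE_LOG = """\
12-Jun-2002 10:00:00.101 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
12-Jun-2002 10:00:00.153 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
12-Jun-2002 10:00:00.201 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
12-Jun-2002 10:00:00.260 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
12-Jun-2002 10:00:00.310 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
12-Jun-2002 10:00:00.420 client 10.1.2.9#2048: query: www.example.org IN A +
12-Jun-2002 10:00:01.010 client 10.1.2.3#1025: query: mx0.onemustfall.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_query_floods(log_text, window_s=1.0, threshold=5):
    """Return {(client, qname, qtype): peak_count} for every tuple that was
    queried at least `threshold` times within any `window_s` seconds."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    floods = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that are not query records
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        key = (m["client"], m["qname"].lower(), m["qtype"].upper())
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            floods[key] = max(floods.get(key, 0), len(q))
    return floods


if __name__ == "__main__":
    for (client, qname, qtype), n in find_query_floods(SAMPLE_LOG).items():
        print(f"{client} repeated {qname}/{qtype} {n} times within 1s")
```

A real deployment would tail the live query log and alert on the flagged tuple; the matching mitigation on the mail host is what the post already did, a local caching resolver plus a route that drops the broken domain.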