6.0.1CF Attacked - "Yana" non@non.no

My Domino server has about ten thousand messages waiting to be routed from “Yana” non@non.no. My mailbox is 99% full of these with the other 1 percent being valid messages waiting to be delivered. What can I do to clear just the bad ones? What kind of attack is this? How can I guard against it? Here’s an example of my log from last night…

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russianet.ru for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russianweb.com for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russ-inc.msk.ru for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russlavbank.com for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russ-museum.spb.su for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@rust.net for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@rustock.msk.su for policy reasons

04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:50 AM No route found to domain ruta.kharkov.ua. Check DNS configuration.

04/01/2003 03:43:52 AM No route found to domain ruta.rovno.ua. Check DNS configuration.

04/01/2003 03:43:54 AM No route found to domain ruth.kiev.ua. Check DNS configuration.

04/01/2003 03:43:54 AM Router: Message 00120142 not routed to recipient diman@ruzhimash.mordovia.su for policy reasons

04/01/2003 03:43:54 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:55 AM No route found to domain r-vanpur.kharkov.ua. Check DNS configuration.

04/01/2003 03:43:55 AM Router: Message 00120142 not routed to recipient diman@rvh.khv.ru for policy reasons

04/01/2003 03:43:55 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:43:55 AM SMTP Server: Remote host 64.32.48.104 (mx04.speediservices.com) found in DNS blacklist at sbl.spamhaus.org

04/01/2003 03:43:55 AM SMTP Server: Message from 64.32.48.104 (mx04.speediservices.com) rejected by DNS blacklist filter

04/01/2003 03:43:55 AM SMTP Server: mx04.speediservices.com (64.32.48.104) connected

04/01/2003 03:43:57 AM No route found to domain rvv.odessa.ua. Check DNS configuration.

04/01/2003 03:43:58 AM No route found to domain rwicc.krasnoyarsk.su. Check DNS configuration.

04/01/2003 03:44:01 AM No route found to domain rwld.rnd.su. Check DNS configuration.

04/01/2003 03:44:01 AM Router: Message 00120142 not routed to recipient diman@ryazan.su for policy reasons

04/01/2003 03:44:01 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII

04/01/2003 03:44:01 AM Router: Message 00120142 not routed to recipient diman@rybvod.kamchatka.su for policy reasons

04/01/2003 03:44:01 AM Router: Policy Reason:

04/01/2003 04:38:46 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 04:40:41 AM Router: Transferred 105 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 04:42:45 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 04:43:39 AM Router: Transferred 84 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 04:48:59 AM Router: Transferred 1 messages to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 04:50:01 AM SAV ERROR: Unable to start LiveUpdate process.

04/01/2003 04:50:04 AM Router: Transferred 112 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 04:54:13 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 04:55:13 AM Router: Transferred 102 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 04:58:35 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 04:59:30 AM Router: Transferred 81 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 05:00:57 AM Starting update of database usage statistics

04/01/2003 05:03:41 AM Finished updating usage statistics

04/01/2003 05:04:24 AM SMTP Server [0A98:001E-1088] Mail from adfinneyx1@yemenmail.com rejected for policy reasons. Sender is denied in your configuration.

04/01/2003 05:05:39 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 05:07:32 AM Router: Transferred 93 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 05:08:15 AM SMTP Server [0A98:001E-02BC] Mail from abernatx1@yemenmail.com rejected for policy reasons. Sender is denied in your configuration.

04/01/2003 05:13:01 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 05:14:19 AM SMTP Server [0A98:001E-1088] Mail from abiliox1@yemenmail.com rejected for policy reasons. Sender is denied in your configuration.

04/01/2003 05:14:34 AM Router: Transferred 148 messages to NON.NO (host mail2.agdernett.NO) via SMTP

04/01/2003 05:17:09 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP

04/01/2003 05:17:50 AM Admin Process: Searching Administration Requests database

04/01/2003 05:18:14 AM Router: Transferred 111 messages to NON.NO (host mail2.agdernett.NO) via SMTP

What can I do… HELP! lol

Jason

Subject: 6.0.1CF Attacked - “Yana” non@non.no

My company was an open relay under 4.6 – we just upgraded to 6.01 and have stopped these attacks – the best documentation I’ve come across on what this is and how to stop it is the Redbook on Spam – I think it was written at the end of Jan (so the material is up to date) and there’s a whole section on how to stop relaying and prevent these attacks – BTW, it’s very easy to do with Notes 6.

Subject: 6.0.1CF Attacked - “Yana” non@non.no

Hi,

Notes databases are not like HDD. 99% full does not mean that there is no more space.

It seems that your server is an open mail relay.

See Matt Chant’s posting “RE: Has anyone managed SMTP Relay controls to work?”

tony

Subject: 6.0.1CF Attacked - “Yana” non@non.no

I think your server is relaying e-mail. Check the configuration document!
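
An added example, not part of any post in this thread: a small triage script for a log like the one in the question. It tallies which sender the router refused to relay for, how many recipient domains each refused message fanned out to, and how many messages were actually transferred to each destination. The function names and the `min_domains` threshold are assumptions made for illustration; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log posted in the question (a short selection).
SAMPLE_LOG = """\
04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@russianet.ru for policy reasons
04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII
04/01/2003 03:43:47 AM Router: Message 00120142 not routed to recipient diman@rust.net for policy reasons
04/01/2003 03:43:47 AM Router: Policy Reason: Router: non@non.no is restricted from sending mail through server MAIL.MARKIIISYS.COM/MARKIII
04/01/2003 03:43:50 AM No route found to domain ruta.kharkov.ua. Check DNS configuration.
04/01/2003 04:38:46 AM Router: No messages transferred to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP
04/01/2003 04:40:41 AM Router: Transferred 105 messages to NON.NO (host mail2.agdernett.NO) via SMTP
04/01/2003 04:43:39 AM Router: Transferred 84 messages to NON.NO (host mail2.agdernett.NO) via SMTP
04/01/2003 04:48:59 AM Router: Transferred 1 messages to ISOURCE.IBM.COM (host ISOURCE.IBM.COM) via SMTP
04/01/2003 05:04:24 AM SMTP Server [0A98:001E-1088] Mail from adfinneyx1@yemenmail.com rejected for policy reasons. Sender is denied in your configuration.
"""

NOT_ROUTED = re.compile(
    r"Router: Message (\w+) not routed to recipient \S+@(\S+) for policy reasons")
RESTRICTED = re.compile(r"Policy Reason: Router: (\S+) is restricted from sending mail")
TRANSFERRED = re.compile(r"Router: Transferred (\d+) messages to (\S+) \(host")
NO_ROUTE = re.compile(r"No route found to domain (\S+?)\. Check DNS")

def summarize(log_text):
    """Tally relay-abuse indicators from router log text in the format shown above."""
    restricted = Counter()      # sender address -> number of policy refusals
    fanout = defaultdict(set)   # message id -> recipient domains that were refused
    transferred = Counter()     # destination domain -> messages sent out via SMTP
    no_route = set()            # recipient domains that could not be resolved
    for line in log_text.splitlines():
        if m := NOT_ROUTED.search(line):
            fanout[m.group(1)].add(m.group(2).lower())
        elif m := RESTRICTED.search(line):
            restricted[m.group(1).lower()] += 1
        elif m := TRANSFERRED.search(line):
            transferred[m.group(2).lower()] += int(m.group(1))
        elif m := NO_ROUTE.search(line):
            no_route.add(m.group(1).lower())
    return {"restricted": restricted, "fanout": dict(fanout),
            "transferred": transferred, "no_route": no_route}

def suspicious_messages(summary, min_domains=2):
    """Message ids refused for at least min_domains distinct recipient domains.
    min_domains is an illustrative threshold, not a Domino setting."""
    return sorted(mid for mid, doms in summary["fanout"].items()
                  if len(doms) >= min_domains)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)["transferred"], suspicious_messages(summarize(SAMPLE_LOG)))
```

Run over a full night's log, a single message id with hundreds of refused recipient domains and a steady stream of transfers to one outside domain are the figures to compare before and after the relay settings are changed.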