[SGVLUG] I'm being attacked by an email flood from kernel.org

David Lawyer dave at lafn.org
Thu Apr 20 11:47:17 PDT 2006


This thread is about David Lawyer's mailbox being flooded by bounces
from Majordomo at vger.kernel.org (Linux kernel organization).  The
bounces are nonsense requests from a PC (in Russia ?) sent to
Majordomo at vger.kernel.org with David's email address spoofed as
"From:".  Since the request makes no sense, Majordomo sends back an
error message to the "sender" along with a copy of its instruction
sheet.  In effect, Majordomo at vger.kernel.org is acting like a relay
for an email flood from an infected PC in Russia (or thereabouts).
The originating email address (in Russia ?) doesn't appear in the
bounced message so it's like a relay that strips off the routing prior
to the relay (the route from Russia to kernel.org).

> On Mon, Apr 17, 2006 at 12:04:57PM -0700, Emerson, Tom wrote:
> > -AND- is "spoofing" the return address as
> > /some other address/ found on that system.  In short, David needs to
> > find someone with an infected system that has both his e-mail AND the
> > kernel.org end-user management e-mail address.
> 
On Wed, Apr 19, 2006 at 12:44:35AM -0700, David Lawyer wrote:
> Right.  The easiest way is for someone at kernel.org to find out where
> they are coming from and complain to the ISP, etc (or as a last
> resort, just block them). 

I finally got a response from a postmaster at kernel.org.  They found
records of the flood (so it was coming from them) and took the easy
way out: they are sending all such floods to /dev/null instead of to
me (i.e. they are "blocking" them).  Problem solved as far as I'm
concerned.  But the flood is continuing to flow into
Majordomo at vger.kernel.org and it's now their problem.

Thanks to everyone for their suggestions.  Some of them helped.

			David Lawyer

> I've used grep to get a listing of the time stamps when Majordomo
> emailed me.  They are almost all in the morning and spaced a couple of
> minutes apart.  When I said several seconds I was wrong and may have
> been looking at the time stamp when it was sent to my PC by fetchmail
> after having sat for hours at my mailbox at my ISP.  Now there are
> periods of hours when there is no activity (no email from Majordomo is
> sent to me).  So it does look like it's coming from an infected PC.
> Why do they email me mostly in the morning (actually from 0000
> to 1500 Eastern Savings Time)?  Simple.  The location is in Russia (or
> thereabouts: Iran, Iraq, etc.)
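The timestamp analysis David describes above (grep over the mailbox for the
times Majordomo wrote to him, then eyeballing the distribution) can be done
more systematically. The script below is an added example, not code from the
original thread or from kernel.org: it parses mbox text with Python's standard
email module, keeps only messages whose From: is the list manager, buckets them
by local hour of day, and reports what share falls inside a chosen window. It
also lists each bounce's Received: hops, which shows the point made at the top
of the post: the bounce carries only the hop from the list server to the
recipient, never the route from the spoofing machine to kernel.org. The sample
mailbox, its dates and the Received: lines are constructed; the sender address
and the 0000-1500 Eastern window are the ones named in the thread.

```python
"""Bucket list-manager bounces (backscatter) by hour of day.

Added example; not part of the original SGVLUG post.  The mailbox
below is constructed.  Only the standard library is used.
"""
import email
import re
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parseaddr, parsedate_to_datetime

LIST_MANAGER = "majordomo@vger.kernel.org"       # sender named in the thread
EASTERN = timezone(timedelta(hours=-4))          # "Eastern" in April = EDT (UTC-4)

# Constructed sample mbox: three Majordomo bounces and one unrelated message.
# Note the Received: chain on the bounces starts at vger; the host that sent
# the spoofed request is not in it (the list manager is the apparent origin).
SAMPLE_MBOX = """\
From majordomo@vger.kernel.org Mon Apr 17 04:02:11 2006
Received: from vger.kernel.org (vger.kernel.org [0.0.0.0]) by mail.isp.example
Received: from localhost by vger.kernel.org with local id MAJORDOMO-1
From: Majordomo@vger.kernel.org
To: dave@lafn.org
Subject: Majordomo results: hello
Date: Mon, 17 Apr 2006 08:02:11 +0000

**** Command 'hello' not recognized.

From majordomo@vger.kernel.org Mon Apr 17 04:05:40 2006
Received: from vger.kernel.org (vger.kernel.org [0.0.0.0]) by mail.isp.example
From: Majordomo@vger.kernel.org
To: dave@lafn.org
Subject: Majordomo results: asdf
Date: Mon, 17 Apr 2006 08:05:40 +0000

**** Command 'asdf' not recognized.

From friend@example.org Mon Apr 17 19:00:00 2006
Received: from smtp.example.org by mail.isp.example
From: friend@example.org
To: dave@lafn.org
Subject: lunch?
Date: Mon, 17 Apr 2006 23:00:00 +0000

Lunch tomorrow?

From majordomo@vger.kernel.org Mon Apr 17 13:30:00 2006
Received: from vger.kernel.org (vger.kernel.org [0.0.0.0]) by mail.isp.example
From: Majordomo@vger.kernel.org
To: dave@lafn.org
Subject: Majordomo results: qwerty
Date: Mon, 17 Apr 2006 17:30:00 +0000

**** Command 'qwerty' not recognized.
"""


def split_mbox(text):
    """Yield email.message.Message objects from mbox-formatted text.

    Messages are separated by lines beginning with "From " (no colon);
    header lines such as "From:" do not match because of the colon.
    """
    for chunk in re.split(r"^From .*\n", text, flags=re.MULTILINE):
        if chunk.strip():
            yield email.message_from_string(chunk)


def from_sender(text, sender=LIST_MANAGER):
    """Messages in `text` whose From: address equals `sender` (case-insensitive)."""
    for msg in split_mbox(text):
        if parseaddr(msg.get("From", ""))[1].lower() == sender.lower():
            yield msg


def bounce_hours(text, sender=LIST_MANAGER, tz=EASTERN):
    """Counter of local hour-of-day (in `tz`) -> number of messages from `sender`."""
    hours = Counter()
    for msg in from_sender(text, sender):
        sent = parsedate_to_datetime(msg["Date"]).astimezone(tz)
        hours[sent.hour] += 1
    return hours


def share_in_window(hours, start, end):
    """Fraction of counted messages whose hour satisfies start <= hour < end."""
    total = sum(hours.values())
    if total == 0:
        return 0.0
    return sum(n for h, n in hours.items() if start <= h < end) / total


def received_hops(text, sender=LIST_MANAGER):
    """For each message from `sender`, the list of its Received: header lines.

    Shows that a bounce's trace begins at the list server: whoever sent the
    spoofed request to it is not named anywhere in the bounce.
    """
    return [msg.get_all("Received", []) for msg in from_sender(text, sender)]


if __name__ == "__main__":
    hist = bounce_hours(SAMPLE_MBOX)
    for hour in sorted(hist):
        print(f"{hour:02d}:00  {'#' * hist[hour]}")
    print("share in 0000-1500 Eastern:", share_in_window(hist, 0, 15))
    for hops in received_hops(SAMPLE_MBOX):
        print("trace:", " <- ".join(h.split(" by ")[0] for h in hops))
```

Run against a real mbox by replacing SAMPLE_MBOX with the file's contents; a
tight daily window with multi-hour gaps, as David observed, is the signature
of a single always-on but not always-awake machine rather than of a mail
server, and the empty origin in the trace is why the complaint has to go to
the list operator rather than to the spoofed sender's ISP.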
