| CNCzone Club House Discuss everything in between CNC. THIS IS NOT A TRASH BIN. |
#1
Anyone out there an armchair hacker who can help me? My innocent and innocuous hobby web site, 5bears.com, has been under attack and I am threatened with suspension by my hosting service. The attack is called a "Dictionary Attack". Apparently, the server gets thousands of emails to the domain by an automated system that uses a dictionary to create massive bandwidth. It seems to be all email-based. If I eliminate any mail service (or have lunarpages block the ports), do you guys think this will help? I am so frustrated. Why can't these punks target blogs or political sites? :frown:
|
#2
Read this - http://www.cs.virginia.edu/~csadmin/...rute_force.htm

Does your host provider not have a firewall?

__________________
Thank You, Paul G
Site Owner-Webmaster- Administrator
www.rfqwork.com www.cnczone.com www.welderzone.com

Last edited by CNCadmin; 03-30-2005 at 11:56 AM.
|
#3
Swede, I might be able to help. You're a target for a system that goes through a list of domain names searching for valid or responsive email addresses. The attack will stop once the specified volume of mail is sent, usually a few hours. This attack is somewhat different to the brute force attack that targets http passwords and not email addresses.

A dictionary attack on an email server, as opposed to web password access, consists of spammers generating apparently random addresses (xxxx@5bears.com) using a predefined list of words or commonly used email address names (a 'dictionary') for a particular domain (5bears.com) and sending email to them. Those that bounce back as invalid are purged; those that don't bounce - i.e. message accepted by the mail server as a good address - will be assumed to be active and added to a list of 'good' addresses and subsequently used as a target for spam, sold to spammers, or if the server is open relay used to bounce spam.

A variation sends an smtp specific validation request so there's no email but requires a known and published email server to do so. Not commonly used for this attack as it's easy to locate the source and action can easily be taken.

This is a common attack, easily identifiable and the process and resolutions are well known. In other words your provider should identify the attack and know what to do about it without threatening you or your service - assuming they host your email server and you're not running your own pop/smtp server locally.

The attacks are emails sent to the email server defined in the mx record for your domain, hosted by your provider. The system(s) sending them are probably forging the headers to show various sender and return addresses *BUT* the sending IP cannot be so easily spoofed. Your provider can (should) easily put a filter on to block email from the sending IP address without affecting your other mail. This is a specific block of a sending IP address, usually before it enters the smtp server.

The IP addresses to be blocked are derived from a simple view of headers from some of the messages received and/or bounced. An alternative is to put a reverse DNS test on each incoming mail which checks the sender/return domain against the sending IP. Finally your provider should be able to limit the number of emails received from any IP in a given period - so stopping the thing slowing down the server.

Even if your provider doesn't do any of this then the problem should soon go away as the list is exhausted. Look to see if any unusual mails have been received in this period and this could be an indication that the addresses have been farmed.

hth

Andrew

Last edited by fyffe555; 03-30-2005 at 12:01 PM. Reason: can't type....
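An added example, not part of any post in this thread: one way a mail host could pick out the sending IPs to block or rate-limit, by counting distinct rejected recipients per source IP in a sliding window. The log format (timestamp, source IP, recipient, SMTP reply code), the addresses, the thresholds and the name `find_harvesters` are all constructed for illustration; a real mail server's log needs its own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp source_ip recipient smtp_reply_code".
# 203.0.113.7 walks a word list; the other senders are ordinary traffic.
WORDS = ["aardvark", "abacus", "abbey", "abbot", "able", "about", "above", "zygote"]
SAMPLE_LOG = [
    f"2005-03-30T10:00:{i:02d} 203.0.113.7 {w}@example.com 550"
    for i, w in enumerate(WORDS)
] + [
    "2005-03-30T10:00:03 198.51.100.20 webmaster@example.com 250",
    "2005-03-30T10:00:05 198.51.100.21 webmastr@example.com 550",
    "2005-03-30T10:45:00 198.51.100.21 webmastr@example.com 550",
]


def find_harvesters(lines, window=timedelta(seconds=60), max_unknown=5):
    """Return {ip: peak count of distinct rejected recipients inside one window}
    for every IP that exceeded max_unknown."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) of recent rejects
    flagged = {}
    for line in sorted(lines):   # ISO timestamps sort chronologically
        ts_text, ip, rcpt, code = line.split()
        if code != "550":        # in this constructed format 550 = unknown recipient
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append((ts, rcpt.lower()))
        while ts - q[0][0] > window:   # drop rejections older than the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_unknown:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, peak in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {peak} unknown recipients in 60s -> block or rate-limit")
```

Counting distinct recipients rather than raw rejections keeps a single sender who retries one mistyped address from being flagged.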
|
#5
Everyone, especially Andrew, thanks for your replies. My web hosting service (Lunarpages) has generally been very helpful and responsive, but this is the third dictionary attack in the last 2 months, and it seems that there is something malicious going on. I'll post again when I find a resolution.
|
#6
This problem does suck, but to help prevent this never type your email address online; use a java code or unicode version. This way, when the bots that scan for addresses look at yours, they see it as random nonsense. Just do a google search for unicode email and you should find the tool online to convert your address to unicode. This has worked for me.
|
#7
On my account (affordablehost), there is a setting that says "what do you want me to do with mail that is sent to xxx.domain-name.com, if a valid email account does not exist?" The choices are to either reject the mail, or send it to a 'catcher' email id. I had it use the 'catcher' for awhile, but the spam was intolerable -- so I set it to 'reject'. Never had a problem since.

-Chris
|
#8
Update - the dictionary attack worked something like this... Some clod would set up a system to email, in rapid sequence, nonsense like

aardvark@swedesdomain.com
abacus@swedesdomain.com
....
zygote@swedesdomain.com

The rapid flow of B.S. spiked the CPU and bandwidth. I actually volunteered to shut down my POP mail server for as long as it took for the attacks to cease. My host said they'd do this. The attack terminated, yet my email still works, so I'm not sure exactly what happened. I'll cross my fingers and hope.
|
#9
if you still have problems with your isp and/or dos attacks... i'll host your site (free)... i owned/built/operated an isp company for 8 years, with 17 web stores, a couple of which were "yahoo site of the day", and was never cracked... (oh they tried)... anyway, i'm not on a large bandwidth connection, but will host you if it will help...
__________________
...william.o.yates...hackware.at.tru2life.net...www.tru2life.net...