[7761] in bugtraq
Re: News DoS using sendsys
daemon@ATHENA.MIT.EDU (Nik Clayton)
Wed Aug 26 20:14:49 1998
Date: Wed, 26 Aug 1998 18:27:30 +0100
Reply-To: nik@III.CO.UK
From: Nik Clayton <nik@III.CO.UK>
X-To: Walter Hafner <hafner@in.tum.de>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <13795.55895.155103.975354@hprbg5.informatik.tu-muenchen.de>;
from Walter Hafner on Wed, Aug 26, 1998 at 11:50:15AM +0200
On Wed, Aug 26, 1998 at 11:50:15AM +0200, Walter Hafner wrote:
> I think we (a local ISP in Augsburg/Germany ...) are hit by an DoS that
> wasn't described here before:
>
> Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
> per day. The addresses of the people requesting the sendsys seem to be
> completely random. They all seem to be normal user-accounts. We see
> these sendsys requests for about a week now.
>
> Since our INN is configured to report all 'unusual' control messages to
> the news-administrators, rather than to execute it, the DoS doesn't hurt
> us very much. My Mailfolder now usually looks like:
>
> N 2 Aug 26 News Subsystem (74) sendsys by ktakamura@hootmall.com
> N 3 Aug 26 News Subsystem (53) sendsys by ritchie@pumpaloaf.dennon.
> N 4 Aug 26 News Subsystem (64) sendsys by ritchie@pumpaloaf.dennon.
> N 5 Aug 26 News Subsystem (64) sendsys by flaagg@not.valid.net
> N 6 Aug 26 News Subsystem (66) sendsys by ktakamura@hootmall.com
This looks like the actions of the "Meowers". I'm not totally up to speed
with their antics -- as far as I can gather they have been cross-posting
junk in to the newsgroup demon.local (which is propogated worldwide).
They've taken exception to recent actions by Demon (instigated by request
from some of Demon's customers) to fence off cross-posts to demon.local
that originated outside of Demon's newsservers. The use of 'dennon' in
the domain above is what tipped me off to this.
Since you're not linked with Demon (as far as I can tell) I'd guess that one
of your users/customers has made discouraging comments about the "Meowers"
(I have no idea why they chose that name) in the demon.local or demon.news
newsgroup, and the "Meowers" have decided to retaliate.
If you do a DejaNews search for
~g demon.news sendsys
you'll see some complaints from people saying they've been sendsys bombed
after expressing an opinion on this.
If you search for
~g demon.news sendsys ~a nthornley@dennon.co.uk
you'll find (at least) one message from Nigel Thornley, who purports to
be nthornley@dennon.co.uk. By looking at this message you should quickly
get an idea why some of us want the cross-posting stopped.
N
--
--+==[ Nik Clayton becomes Just Another Perl Contractor in 17 days. ]==+--
She's still dead. Deal with it.
