IP Networking

what is a "mailbomber?" and what is the purpose of posting their ip? Just curious, how do you know you are under attack? things slow down? want to know in case it ever happens to anyone i know, thanks

There may be some disagreement of terms here. To me, a mailbomber is someone who intentionally sends a lot of email to one or more carefully chosen victims. The victim can detect this by noting that his mailbox is full of trash from a single source.

This is different from a spammer, which is someone who sends an email message to every address that he can. A spammer actually would be delighted if every recipient loved the email. (Not at all likely though.) A mailbomber actually wants to be regarded as a problem and would be aghast if the mailbomb was somehow helpful.

Posting the ip address would probably be to invite retaliation. This might make more sense in the case of a spammer since the spammer has more victims. Also some people can block mail from a particular ip address, so it could be for defense.

You didn't ask for any advice here, but I feel that I must. Do not participate in or encourage any retaliation. You probably cannot be sure that the IP address is correct, and even if it is, nothing good will come from retaliation.

To know about 'what is a mail bomber', please refer to this published paper that explains it quite well:

http://www.silkroad.com/papers/pdf/i...mail-bombs.pdf

We post their IP because what they do is illegal and folks should be aware of the identity of these cyber-criminals.

We knew of the attack because of high server loads, viewing log files and confirming the identity of the mail bomber with lsof -i -n

Perderabo, I am sure of the IP address. TCP is a connection oriented protocol and has two end-points. This can be easily confirmed. You are mistaken when you say that the IP address of hackers (or their proxies) cannot be confirmed when connection-oriented protocols are used. You are correct that it is very difficult to identify them with connectionless protocols are used. SMTP is a TCP protocol.

As far as a comment on counter-actions. Let's see..... a nation-state like Korea or another country does criminal action against another nation-states assets. The identity is confirmed. Counter-actions are appropriate, but in this case I have already checked. The attacker was operating behind a firewall with all incoming services and ports blocks. You can scan the IP address yourself and see. This is not a rookie.... rookies make mistakes

We simply list the IP addresses of confirmed attackers because it is the right thing to do.

Actually, I know that you can be sure of the IP address. But not everyone has your level of knowledge. Or your honesty. Some people would post an IP address that they know wasn't involved just to generate problems.

Rather than compare these actions to a war, I see them as crimes. Heck, they are crimes. If someone takes a baseball bat and smashes in your windshield, I would also discourage you from reciprocating. Both parties could wind up in jail.

Hmmm...I gotta come in the front door once in a while. I usually bypass the menus. So I just noticed that announcement. I thought that this was a general thread. But I just saw that announcement so now I know what we're talking about.

Too bad announcements don't appear on the home page. I do look at that once in a while.

Yes, you are right, in this world of cyber-uncertainly, people must be very careful and have positive-ID when considering countermeasures against cyberattacks.

It is possible for an attacker to fake the originating address of an attack and an unknowing defender might take action against the completely wrong party.

In this particular attack; I have found about 5 IP addresses attacking the site and all are static, verifiable and all come from Korean address space. All are behind a firewall with one one open <1024 IP port... POP3...... seems more than a coincident when all attackers are from the Korean IP land and all the platforms are tightly locked down.....

Has any contact been made with the foreign ISP to verify that these attacks are not coming from servers that have been "owned" by an outside cracker?

It is interesting about the vernacular of mailbomber. In my experience back in the FidoNet days, a mailbomber was somebody who created a high recursed zip with the intent to take up space on the filesystem in an attempt of crashing the mail relay.