Summary and Impact to Customers
On Thursday 12th May 2016, SYNAQ Secure Mail experienced a degraded performance incident from 12h20 until 16h04.
The incident caused delays of up to 3 hours for mail on the SYNAQ Secure Mail platform between 12h24 and 16h04.
Root cause and Solution
The root cause of this event was a distributed denial of service attack on the SYNAQ Securemail environment. At 10h00 the platform was hit again by the spoofing attackers, who sent hundreds of thousands of emails to the platform from thousands of different IP addresses.
The attack was larger than the previous day's, with the spoofers sending two mails per IP address from hundreds of unique IP addresses that differed from those blocked the previous day. The attachment name was also changed constantly, so that there was no commonality between the mails.
The platform blocked these messages from reaching the intended recipients, so no spoofed mails carrying malware were received by end users, and the SYNAQ Securemail client base remained protected.
Because these messages were blocked, however, bounce messages were sent back indicating that the message was not delivered. With the attack continuing, these bounces doubled the email load that the attack placed on the platform.
The new IP addresses were blocked at network level, which prevented mail from these addresses being processed by the platform. A patch was released to prevent bounce backs from reaching recipients, which halved the load on the platform. All spoofed mail from these spoofers was deleted from the queues.
The above measures allowed the platform to regain stability and work through the backlog.
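The two mitigations described above, as an added illustration that is not SYNAQ's patch and does not use SYNAQ's log format (the notice describes neither): a filter log is parsed, non-delivery reports are suppressed for malware whose envelope sender is forged as the local recipient sending to themselves (a bounce there only goes back to the spoofed victim and adds load), and the source IPs to block at network level are derived from the same records. The log line layout, the LOCAL_DOMAINS set, the sample addresses and the blocking threshold are all assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of filter-log lines (hypothetical format, not a real MTA log):
# one line per inbound message with connecting IP, envelope sender/recipient,
# the filter verdict and the attachment name. Addresses use reserved example
# domains and TEST-NET IP ranges.
SAMPLE_LOG = """\
2016-05-12T12:24:01 ip=203.0.113.10 from=alice@example.com to=alice@example.com verdict=malware attach=invoice_8812.zip
2016-05-12T12:24:02 ip=203.0.113.10 from=bob@example.com to=bob@example.com verdict=malware attach=scan_0041.zip
2016-05-12T12:24:05 ip=203.0.113.11 from=carol@example.com to=carol@example.com verdict=malware attach=doc_77.zip
2016-05-12T12:24:05 ip=203.0.113.11 from=dave@example.com to=dave@example.com verdict=malware attach=report_3.zip
2016-05-12T12:24:09 ip=198.51.100.7 from=partner@example.net to=alice@example.com verdict=clean attach=-
2016-05-12T12:24:12 ip=198.51.100.8 from=unknown@example.org to=bob@example.com verdict=malware attach=payload.zip
2016-05-12T12:24:15 ip=198.51.100.9 from=alice@example.com to=erin@example.com verdict=clean attach=-
"""

# Domains hosted on the platform (assumption for the example).
LOCAL_DOMAINS = {"example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"verdict=(?P<verdict>\S+) attach=(?P<attach>\S+)$"
)


@dataclass(frozen=True)
class Message:
    ts: str
    ip: str
    sender: str
    rcpt: str
    verdict: str
    attach: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs.append(Message(**m.groupdict()))
    return msgs


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_self_spoof(msg, local_domains=LOCAL_DOMAINS):
    """Envelope sender equals the local recipient: the forged 'mail from
    yourself' pattern the incident describes."""
    return (msg.sender.lower() == msg.rcpt.lower()
            and domain_of(msg.rcpt) in local_domains)


def disposition(msg, local_domains=LOCAL_DOMAINS):
    """'deliver' for clean mail; 'drop' (no DSN) for malware forged as coming
    from the local recipient to themselves, since the bounce would only go to
    the spoofed victim; 'bounce' for other blocked malware."""
    if msg.verdict != "malware":
        return "deliver"
    if is_self_spoof(msg, local_domains):
        return "drop"
    return "bounce"


def ips_to_block(msgs, min_malware=2):
    """Source IPs that delivered at least `min_malware` blocked malware messages.
    The threshold is low because the attackers sent about two mails per IP."""
    counts = Counter(m.ip for m in msgs if m.verdict == "malware")
    return {ip for ip, n in counts.items() if n >= min_malware}


def load_summary(msgs):
    """Compare DSN volume under naive bouncing with the self-spoof drop rule,
    and show that attachment names carry no shared indicator."""
    malware = [m for m in msgs if m.verdict == "malware"]
    return {
        "malware": len(malware),
        "bounces_naive": len(malware),
        "bounces_after_patch": sum(1 for m in malware if disposition(m) == "bounce"),
        "unique_attachments": len({m.attach for m in malware}),
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r.ip, r.sender, "->", r.rcpt, disposition(r))
    print("block:", sorted(ips_to_block(records)))
    print(load_summary(records))
```

The drop rule only covers the self-addressed case the notice singles out; the IP list is a candidate set for a network-level block and, in practice, would be checked against known-good relays before being applied.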
Over 60 000 additional addresses have been blocked from sending mail to the platform as part of this spoofing attack.
A patch has been released to prevent bounce backs going to users for mails containing malicious content that are addressed from the user to themselves.