This is happening to us all. It's not a DDoS attack, just a spammer spoofing addresses at your domain.

________________________
Zenon Panoussis writes:

> For weeks on end now I am being subjected to what I could call a reverse
> spam DDoS attack for lack of better term. Some asshole is sending out
> zillions of messages to non-existent users at legitimate domains, using
> clearly non-existent sender addresses @myhosteddomain. It seems he is
> specifically targeting backup MXs and spam filtering services because
> the messages are first accepted for transport, then bounced. The bounces
> create a storm of connections to my MX, which in turn causes courier
> (0.55.1) to choke and stop receiving mail at all.
>
> This is what the log can look like immediately after a restart:
>
> Oct 22 13:56:16 courierd: Waiting. shutdown time=none, wakeup time=Mon Oct 22 14:07:18 2007, queuedelivering=5, inprogress=1
> Oct 22 13:56:16 courieresmtpd: started,ip=[::ffff:195.25.12.12]
> Oct 22 13:56:17 courieresmtpd: started,ip=[::ffff:66.173.214.66]
> Oct 22 13:56:17 courieresmtpd: started,ip=[::ffff:208.41.143.163]
> Oct 22 13:56:17 courieresmtpd: started,ip=[::ffff:72.248.85.228]
> Oct 22 13:56:19 courieresmtpd: started,ip=[::ffff:213.255.87.136]
> Oct 22 13:56:19 courieresmtpd: started,ip=[::ffff:58.211.213.223]
> Oct 22 13:56:19 courieresmtpd: started,ip=[::ffff:216.70.235.117]
> Oct 22 13:56:19 courieresmtpd: started,ip=[::ffff:217.41.15.123]
> Oct 22 13:56:20 courieresmtpd: started,ip=[::ffff:12.183.242.88]
> Oct 22 13:56:20 courieresmtpd: started,ip=[::ffff:199.2.119.53]
> Oct 22 13:56:21 courieresmtpd: started,ip=[::ffff:66.9.136.67]
> Oct 22 13:56:22 courieresmtpd: started,ip=[::ffff:68.164.193.20]
> Oct 22 13:56:24 courieresmtpd: started,ip=[::ffff:61.36.155.66]
> Oct 22 13:56:24 courieresmtpd: started,ip=[::ffff:66.142.164.118]
> Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:195.25.12.12,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:195.25.12.12,msg="502 ESMTP command error",cmd: DATA
> Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:66.173.214.66,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:208.41.143.163,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:26 courieresmtpd: error,relay=::ffff:72.248.85.228,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:28 courieresmtpd: error,relay=::ffff:217.41.15.123,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:28 courieresmtpd: started,ip=[::ffff:82.119.204.237]
> Oct 22 13:56:28 courieresmtpd: error,relay=::ffff:216.70.235.117,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:29 courieresmtpd: started,ip=[::ffff:193.168.140.69]
> Oct 22 13:56:29 courieresmtpd: error,relay=::ffff:12.183.242.88,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:30 courieresmtpd: error,relay=::ffff:66.9.136.67,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:30 courieresmtpd: error,relay=::ffff:199.2.119.53,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:31 courieresmtpd: error,relay=::ffff:58.211.213.223,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:31 courieresmtpd: error,relay=::ffff:68.164.193.20,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:31 courieresmtpd: started,ip=[::ffff:207.229.32.131]
> Oct 22 13:56:33 courieresmtpd: started,ip=[::ffff:213.246.40.46]
> Oct 22 13:56:33 courieresmtpd: error,relay=::ffff:66.142.164.118,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:34 courieresmtpd: error,relay=::ffff:61.36.155.66,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:35 courieresmtpd: started,ip=[::ffff:216.167.161.4]
> Oct 22 13:56:35 courieresmtpd: started,ip=[::ffff:66.49.172.69]
> Oct 22 13:56:36 courieresmtpd: started,ip=[::ffff:66.225.112.70]
> Oct 22 13:56:36 courieresmtpd: error,relay=::ffff:82.119.204.237,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:36 courieresmtpd: error,relay=::ffff:82.119.204.237,msg="502 ESMTP command error",cmd: DATA
> Oct 22 13:56:37 courieresmtpd: error,relay=::ffff:193.168.140.69,from=<>,to=<[EMAIL PROTECTED]>: 550 User unknown.
> Oct 22 13:56:37 courieresmtpd: error,relay=::ffff:193.168.140.69,msg="502 ESMTP command error",cmd: DATA
> Oct 22 13:56:38 courieresmtpd: started,ip=[::ffff:68.162.95.62]
> Oct 22 13:56:38 courieresmtpd: started,ip=[::ffff:207.86.183.2]
>
> After a full restart, courier accepts the first two or three dozen
> connections within a few seconds, then stops accepting connections
> altogether. The logs of other servers trying to connect to this one
> say
>
> status=deferred (delivery temporarily suspended: connect to [my courier]: Connection refused)
>
> So something somewhere gets saturated and simply stops working. This
> situation persists forever unless courier is restarted, so the effect
> is a full 100% denial of service to legitimate users. Increasing the
> number of daemons in authlib/authdaemonrc (tried 5, 10 and 20) doesn't
> change courier's behaviour. bofh says 'opt BOFHSUPPRESSBACKSCATTER=none'.
>
> As things are, I don't even know where to start looking for the cause,
> let alone what to look for. Any ideas?
>
> Z
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> courier-users mailing list
> [email protected]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
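The log excerpt quoted above has the signature the reply points at: rejections with an empty envelope sender (`from=<>`, i.e. bounces) arriving from many unrelated relays for recipients that do not exist, rather than a flood from one source. The following is an added example, not code from the thread or from the courier project, that parses the three `courieresmtpd` line shapes shown in the quoted log and tells backscatter apart from a single-source flood. The sample log lines are constructed (relay addresses are taken from the excerpt, the recipient addresses are made up) and the decision thresholds are assumptions, not anything courier itself defines.

```python
"""Classify a burst of courieresmtpd log lines: backscatter or single-source flood.

Added example, not code from the courier-users thread. The three line shapes
parsed here ("started,ip=[...]", "error,relay=...,from=<>,to=<...>: 550 ...",
and 'error,relay=...,msg="502 ESMTP command error",cmd: DATA') are the ones
shown in the thread; the sample lines below are constructed with made-up
recipient addresses, and the decision thresholds are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Connection accepted: one line per inbound SMTP session.
_STARTED = re.compile(r"courieresmtpd: started,ip=\[(?P<ip>[^\]]+)\]$")
# Recipient rejected at RCPT TO; an empty sender (from=<>) marks a bounce.
_REJECT = re.compile(
    r"courieresmtpd: error,relay=(?P<relay>[^,]+),from=<(?P<sender>[^>]*)>,"
    r"to=<(?P<rcpt>[^>]*)>: (?P<code>\d{3}) (?P<text>.*)$"
)
# Client issued DATA although every recipient had been rejected.
_CMDERR = re.compile(
    r'courieresmtpd: error,relay=(?P<relay>[^,]+),msg="(?P<msg>[^"]*)",cmd: (?P<cmd>\S+)$'
)

# Constructed sample modelled on the thread's excerpt (recipients are made up).
SAMPLE_LOG = """\
Oct 22 13:56:16 courieresmtpd: started,ip=[::ffff:195.25.12.12]
Oct 22 13:56:17 courieresmtpd: started,ip=[::ffff:66.173.214.66]
Oct 22 13:56:17 courieresmtpd: started,ip=[::ffff:208.41.143.163]
Oct 22 13:56:19 courieresmtpd: started,ip=[::ffff:213.255.87.136]
Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:195.25.12.12,from=<>,to=<qxzv@example.org>: 550 User unknown.
Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:195.25.12.12,msg="502 ESMTP command error",cmd: DATA
Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:66.173.214.66,from=<>,to=<hjkl@example.org>: 550 User unknown.
Oct 22 13:56:25 courieresmtpd: error,relay=::ffff:208.41.143.163,from=<>,to=<wert@example.org>: 550 User unknown.
Oct 22 13:56:26 courieresmtpd: error,relay=::ffff:213.255.87.136,from=<alice@example.net>,to=<bob@example.org>: 550 User unknown.
"""


@dataclass
class Summary:
    connections: int = 0          # "started" lines seen
    rejects: int = 0              # 550 recipient rejections
    null_sender_rejects: int = 0  # rejections of bounces (from=<>)
    data_after_reject: int = 0    # clients that sent DATA anyway
    per_relay: Counter = field(default_factory=Counter)  # connections per source IP

    @property
    def distinct_relays(self) -> int:
        return len(self.per_relay)

    @property
    def top_relay_share(self) -> float:
        """Fraction of all connections coming from the single busiest relay."""
        total = sum(self.per_relay.values())
        return max(self.per_relay.values()) / total if total else 0.0


def summarize(lines) -> Summary:
    """Fold courieresmtpd log lines into connection and rejection counters."""
    s = Summary()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if (m := _STARTED.search(line)):
            s.connections += 1
            s.per_relay[m["ip"]] += 1
        elif (m := _REJECT.search(line)):
            s.rejects += 1
            if m["sender"] == "":
                s.null_sender_rejects += 1
        elif (m := _CMDERR.search(line)) and m["cmd"] == "DATA":
            s.data_after_reject += 1
    return s


def diagnose(s: Summary, min_relays: int = 3, null_fraction: float = 0.5,
             max_share: float = 0.5) -> str:
    """Assumed heuristic: backscatter is many unrelated relays, mostly
    null-sender rejects, none of them dominant; a flood is one relay
    supplying most connections."""
    if s.rejects == 0:
        return "inconclusive"
    null_frac = s.null_sender_rejects / s.rejects
    if (null_frac >= null_fraction and s.distinct_relays >= min_relays
            and s.top_relay_share <= max_share):
        return "backscatter"
    if s.top_relay_share > max_share:
        return "single-source flood"
    return "inconclusive"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"connections={summary.connections} relays={summary.distinct_relays} "
          f"rejects={summary.rejects} null_sender={summary.null_sender_rejects} "
          f"data_after_reject={summary.data_after_reject}")
    print("verdict:", diagnose(summary))
```

Run against the constructed sample the verdict is "backscatter": four distinct relays, three of four rejections are bounces, and no relay accounts for more than a quarter of the connections. The same code applied to a burst where one IP supplies nearly all connections with real sender addresses reports "single-source flood", which is the case where per-IP connection limits help and the case the reply says this is not.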
