Zenon Panoussis writes:


For weeks on end now I am being subjected to what I could call a reverse
spam DDoS attack for lack of better term. Some asshole is sending out
zillions of messages to non-existent users at legitimate domains, using
clearly non-existent sender addresses @myhosteddomain. It seems he is
specifically targeting backup MXs and spam filtering services because
the messages are first accepted for transport, then bounced. The bounces
create a storm of connections to my MX, which in turn causes courier
(0.55.1) to choke and stop receiving mail at all.

Some DNS or ident query is probably stalling, and it takes a while for the DNS query to time out. It's not refusing to receive mail any more, it's just taking a long time for various DNS queries to time out.

Begin by adding "-noidentlookup -nodnslookup" to TCPDOPTS in the esmtpd config file. Then, publish an SPF record for your domain. Finally, invest some time in meticulously compiling a list of most frequent backscatter source IPs, and blacklisting them.

With a published SPF record, there is no valid excuse for backscatter, so I feel one is perfectly justified in blacklisting all sources of backscatter bounce bombs. After nearly a year, I have over two thousand individual IP address blacklisted. Not surprisingly, backscatter sources also happen to be brisk spam sources, as well.
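One way to do the "meticulously compiling a list of most frequent backscatter source IPs" step from the reply above, as an added example that is not part of the original thread. It counts, per relay IP, bounce-style deliveries (null or MAILER-DAEMON envelope sender) that were rejected as unknown users, and reports the IPs over a threshold. The log lines are constructed and the line format and `517` reply code are assumptions modelled loosely on courieresmtpd output, so adjust `LINE_RE` and the code to match your own maillog.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data); format is an assumption.
SAMPLE_LOG = """\
Jun 12 10:01:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<>,to=<zzq@myhosteddomain.example>: 517 No such user
Jun 12 10:01:03 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<>,to=<abc123@myhosteddomain.example>: 517 No such user
Jun 12 10:01:04 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<MAILER-DAEMON@relay.example>,to=<x9@myhosteddomain.example>: 517 No such user
Jun 12 10:01:05 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<>,to=<qq7@myhosteddomain.example>: 517 No such user
Jun 12 10:01:06 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<alice@example.net>,to=<bob@myhosteddomain.example>: 517 No such user
Jun 12 10:01:07 mx courieresmtpd: message delivered,relay=::ffff:203.0.113.5,from=<>,to=<postmaster@myhosteddomain.example>
"""

# Assumed line shape: "<status>,relay=<ip>,from=<...>,to=<...>[: <reply code> text]"
LINE_RE = re.compile(
    r"courieresmtpd: (?P<status>[^,]+),relay=(?P<relay>[^,]+),"
    r"from=<(?P<sender>[^>]*)>,to=<(?P<rcpt>[^>]*)>(?::\s*(?P<reply>\d{3}))?"
)

def is_bounce_sender(sender):
    """A bounce (DSN) normally carries a null envelope sender; some
    broken relays use MAILER-DAEMON/postmaster instead."""
    return sender == "" or sender.lower().startswith(("mailer-daemon@", "postmaster@"))

def strip_ipv4_mapped(relay):
    """courier logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return relay[7:] if relay.startswith("::ffff:") else relay

def count_backscatter(log_text, no_such_user_code="517"):
    """Count per-IP bounce-style deliveries rejected as unknown users.
    Only bounces to addresses we never issued mail from count as backscatter."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["reply"] != no_such_user_code:
            continue            # accepted mail or unparsable line: not evidence
        if not is_bounce_sender(m["sender"]):
            continue            # a real sender mis-addressing us is not backscatter
        counts[strip_ipv4_mapped(m["relay"])] += 1
    return counts

def blacklist_candidates(counts, threshold=2):
    """IPs that sent at least `threshold` backscatter bounces, sorted for review."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    c = count_backscatter(SAMPLE_LOG)
    for ip in blacklist_candidates(c):
        print(f"{ip}\t{c[ip]} backscatter bounces")
```

Review the candidate list before feeding it to your blacklist; a single legitimate bounce to a mistyped address from a well-run relay should not get that relay blocked, which is what the threshold is for.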



