To David, Matthew, Adrian, Phil, and Daniel, many thanks for the extremely helpful responses. I have implemented the suggestions that seemed to fit most closely, and the system ran without interruption all weekend, despite a couple more batches of backscatter from the joe-jobber.
Thanks again,
- R

On Thu, Sep 18, 2008 at 11:17 AM, Ryan Thompson <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> One of my email domains has recently been the (repeat) victim of a fairly large-scale joe job. I am seeing thousands of back-scatter bounces for addresses like [EMAIL PROTECTED], [EMAIL PROTECTED], etc. However, when this attacker sends out one of their batches, it is enough to run my lightly loaded 1GB server out of swap within 3-4 minutes. (At which point I need remote hands to do a hard boot, because ssh, login, etc. have been killed by the kernel).
>
> So, there are three problems:
>
> 1. Root problem -- the joe job -- Not much to be done about this.
>
> 2. Exim accepting bounces for nonexistent addresses--at the very least would like to drop or auto-respond to anything for [EMAIL PROTECTED]
>
> 3. Exim memory performance -- I have set the following in exim.conf to attempt to throttle the queue processing:
>
> queue_run_max = 5
> remote_max_parallel = 1
> queue_smtp_domains = 1
>
> Unfortunately, these do not seem to have had an effect.
>
> As a stop-gap, I made a cron job that runs once a minute and stops exim if the load average goes above 15, and then restarts it after the load drops. It's not pretty, but it keeps the server alive.
>
> What is the best way to handle this? General or specific answers gratefully accepted!
>
> Ryan
>

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
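The stop-gap described in the quoted message, written out as an added example (it is not the poster's actual cron job): a once-a-minute watchdog that stops Exim when the 1-minute load goes above 15 and restarts it only after the load has dropped well below that, so a load hovering near the limit does not make the daemon flap. Reading `/proc/loadavg`, the resume threshold of 5, the state-file path and the init-script commands are assumptions.

```shell
#!/bin/sh
# Added example: load watchdog with hysteresis, meant for a once-a-minute cron entry.
# Assumed, not from the post: Linux /proc/loadavg, RESUME_AT, the state file,
# and the stop/start commands (adjust to the local init system).
STOP_AT=15                                   # from the post: stop above this load
RESUME_AT=5                                  # assumed: restart only below this load
LOADAVG_FILE="${LOADAVG_FILE:-/proc/loadavg}"
STATE_FILE="${STATE_FILE:-/var/run/exim-watchdog.state}"
STOP_CMD="${STOP_CMD:-/etc/init.d/exim stop}"
START_CMD="${START_CMD:-/etc/init.d/exim start}"

# gt A B: succeed when A > B, compared as decimal numbers (load is e.g. 15.01).
gt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a > b) }'; }

# decide LOAD STATE: print stop, start or none.
# STATE is "running" or "paused" (paused = this watchdog stopped Exim earlier).
decide() {
    if [ "$2" = paused ]; then
        # Stay paused in the band between RESUME_AT and STOP_AT.
        if gt "$RESUME_AT" "$1"; then echo start; else echo none; fi
    elif gt "$1" "$STOP_AT"; then
        echo stop
    else
        echo none
    fi
}

# run_watchdog: read the 1-minute load, act on it, and record the new state
# only when the stop/start command itself succeeded.
run_watchdog() {
    read -r load _ < "$LOADAVG_FILE"
    state=$(cat "$STATE_FILE" 2>/dev/null || echo running)
    case "$(decide "$load" "$state")" in
        stop)  $STOP_CMD  && echo paused  > "$STATE_FILE" ;;
        start) $START_CMD && echo running > "$STATE_FILE" ;;
    esac
}

# Nothing is stopped or started unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    run_watchdog
fi
```

Because the state file records only stops made by the watchdog, an Exim that an administrator stopped by hand is never restarted by it.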
