On Fri, 8 Feb 2008 11:07:15 +0100, Raimo Niskanen wrote:
> Apparently we (our mail server) got targeted by a zombie network
> since suddenly there were some 30000 hosts on spamd's whitelist,
> continuously some 600 connections to spamd, and only mails to
> unknown users coming in. The network connection was flooded,
> the web server sluggish, downloads creeped, basically
> nothing worked.
>
> Can spamd do anything about zombie hosts? They behave like
> normal MTAs so they will pass spamd's behavioural tests, right?
>
> Now I analyze the greylist, do some heuristics on the
> sender address (among other things) and trap the bad hosts.
> The trapped hosts are then copied to a pf table to be blocked
> in the firewall. Tarpitting them through spamd is simply
> too much work for the mail server, but blocking works fine.
>
> Here come the questions:
>
> * Does anyone know of a good strategy against zombie network
> spam attacks?
>
> * To make the greylist heuristics validate recipients and
> blacklist hosts that send to invalid recipients would
> blacklist valid MTAs that send bounces of mails with
> fake sender addresses to me, right? And that would be
> too cruel, or? Because it would certainly decrease
> the spam amount.
>
> * To make the greylist heuristics validate the hosts
> by reverse DNS PTR lookup and then forward A lookup
> is apparently a debatable issue according to the
> current thread "running mail server at home".
> But if it is (fairly) common practice it would
> be a simple thing to do, and certainly decrease
> spam volume. But would it be too narrow?
Every so often we see a flood of connections trying to deliver bounce messages to nonexisting mailboxes here, where there are two domains sharing a postfix/OpenBSD box running spamd in greylisting/trapping mode.

Mostly: The sender domains are real and the mail is from valid MTAs for those domains. The admins of those senders are incompetent wankers who run MTAs that accept mail for any address and later bounce it to the purported sender. But not 100%.

My solution was to run a script from cron every four minutes that looks like:

=========================
#!/bin/sh
# spamdb(8) greylist entries look like: GREY|ip|helo|from|to|first|pass|expire|block|pass
# Field 2 is the sending host, field 5 the recipient; both are kept so that
# $villain and $targ below are defined (the recipient field was missing from
# the cut in the posted version, which left $targ empty).
spamdb|grep GREY|cut -d "|" -f2,5|tr -d "<"|tr -d ">"|tr "|" " " >>/var/db/slices
while read villain targ; do
    # recipient not in the virtual mailbox map -> trap the sending host
    /usr/local/sbin/postmap -q $targ /etc/postfix/vmailbox >/dev/null
    if [ $? -ne 0 ] ; then
        spamdb -ta $villain
    fi
done < /var/db/slices
rm /var/db/slices
==========================

Caveat: This script will tarpit otherwise innocent senders who have clients who use a mailbox name with a tyop in it because it traps ALL messages addressed to invalid mailboxes. Using another grep to select on a match of <> will eliminate all but bounces to invalid addresses from the null sender. They would not have reached a mailbox anyway.

I figure that maybe, just maybe, some admins will see the log message repeating during all the tarpitting and get a clue. It is easier than sending an email complaining about their cluelessness.

As to load: The box is a Celeron 1.3GHz with 256 MB RAM. It handles lots of mail with reasonably large PDF and graphics attached and runs a POP3 daemon as well that is polled regularly by about 70 "always on" accounts. I cannot see any degradation of performance when these storms are peaking.

spamd rocks!

> Rod/ (CC not needed, thanx.)

Rod/

From the land "down under": Australia. Do we look <umop apisdn> from up over?
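The selection step from Rod's caveat (trap only null-sender bounces aimed at mailboxes that do not exist, so a legitimate sender whose customer mistyped an address is left alone), written out as an added example that is not Rod's script nor anything from the spamd project. It answers Raimo's second bullet the same way Rod does: recipient validation is applied, but only to bounces. It parses spamdb(8) greylist lines from stdin using the documented field layout (GREY|ip|helo|from|to|...), and the assumed `select_villains` function takes a plain file of valid addresses as a stand-in for `postmap -q ... /etc/postfix/vmailbox`, so it runs offline; the greylist lines and mailbox list in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads spamdb(8) output on stdin and
# prints, once each, the IPs of hosts that sent a bounce (null sender "<>")
# to a recipient that is NOT in the valid-address file given as $1.
# Greylist field layout per spamdb(8): GREY|ip|helo|from|to|first|pass|expire|block|pass
# $1 (a text file of valid addresses, one per line) stands in for
# "postmap -q $to /etc/postfix/vmailbox" so the logic can be exercised offline.
select_villains() {
    valid="$1"
    grep '^GREY|' | awk -F'|' -v valid="$valid" '
        BEGIN {
            # load the valid mailboxes (case-insensitive match)
            while ((getline line < valid) > 0) ok[tolower(line)] = 1
            close(valid)
        }
        {
            from = $4; to = $5
            gsub(/[<>]/, "", from); gsub(/[<>]/, "", to)
            # null sender + nonexistent recipient = bounce storm candidate;
            # a real sender to a mistyped address (the "tyop" case) is skipped
            if (from == "" && !(tolower(to) in ok) && !seen[$2]++) print $2
        }'
}

# Self-contained demo on constructed data (no spamdb or postfix needed).
demo() {
    tmp=$(mktemp -d)
    printf 'alice@example.org\nbob@example.net\n' > "$tmp/vmailbox"
    cat > "$tmp/spamdb.out" <<'EOF'
GREY|192.0.2.10|mx.example.com|<>|<nobody@example.org>|1|1|1|0|0
GREY|192.0.2.10|mx.example.com|<>|<zzz@example.org>|1|1|1|0|0
GREY|192.0.2.11|mx2.example.com|<>|<alice@example.org>|1|1|1|0|0
GREY|192.0.2.12|relay.example.com|<joe@example.com>|<qqq@example.net>|1|1|1|0|0
WHITE|192.0.2.13|||1|1|1|0|0
EOF
    select_villains "$tmp/vmailbox" < "$tmp/spamdb.out"
    rm -rf "$tmp"
}

# Live use on an OpenBSD box would be (not run here):
#   spamdb | select_villains /path/to/valid-addresses | while read ip; do spamdb -ta "$ip"; done
```

In the demo only 192.0.2.10 is printed: 192.0.2.11 bounced to a real mailbox, 192.0.2.12 is a normal sender to a mistyped address, and the WHITE entry is not a greylist line at all. Duplicate greylist rows for one host collapse to a single IP, which keeps the `spamdb -ta` loop short during a storm.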