On Fri, 8 Feb 2008 11:07:15 +0100, Raimo Niskanen wrote:

>Apparently we (our mail server) got targeted by a zombie network
>since suddenly there were some 30000 hosts on spamd's whitelist,
>continuously some 600 connections to spamd, and only mails to
>unknown users coming in. The network connection was flooded,
>the web server sluggish, downloads creeped, basically
>nothing worked.
>
>Can spamd do anything about zombie hosts? They behave like
>normal MTAs so they will pass spamd's behavioural tests, right?
>
>Now I analyze the greylist, do some heuristics on the
>sender address (among other things) and trap the bad hosts.
>The trapped hosts are then copied to a pf table to be blocked
>in the firewall. Tarpitting them through spamd is simply
>too much work for the mail server, but blocking works fine.
>
>Here come the questions:
>
>* Does anyone know of a good strategy against zombie network
>spam attacks?
>
>* To make the greylist heuristics validate recipients and
>blacklist hosts that send to invalid recipients would
>blacklist valid MTAs that send bounces of mails with
>fake sender addresses to me, right? And that would be
>too cruel, or? Because it would certainly decrease
>the spam amount.
>
>* To make the greylist heuristics validate the hosts
>by reverse DNS PTR lookup and then forward A lookup
>is apparently a debatable issue according to the
>current thread "running mail server at home".
>But if it is (fairly) common practice it would
>be a simple thing to do, and certainly decrease
>spam volume. But would it be too narrow?

Every so often we see a flood of connections trying to deliver bounce
messages to nonexistent mailboxes here where there are two domains
sharing a postfix/OpenBSD box running spamd in greylisting/trapping
mode.

Mostly:
The sender domains are real and the mail is from valid MTAs for those
domains.
The admins of those senders are incompetent wankers who run MTAs that
accept mail for any address and later bounce it to the purported
sender.
but not 100%.

My solution was to run a script from cron every four minutes that looks
like:
=========================
#!/bin/sh
# Dump the greylist as "ip recipient" pairs: fields 2 (client IP) and 5
# (recipient) of spamdb's GREY lines, with the angle brackets around the
# recipient stripped so that "read" below gets both values.
spamdb | grep '^GREY' | cut -d '|' -f2,5 | tr -d '<>' | tr '|' ' ' >>/var/db/slices
# Trap every client that addressed a mailbox postfix does not know about.
while read -r villain targ; do
        if ! /usr/local/sbin/postmap -q "$targ" /etc/postfix/vmailbox >/dev/null; then
               spamdb -ta "$villain"
        fi
done < /var/db/slices
rm /var/db/slices
==========================

Caveat: This script will tarpit otherwise innocent senders who have
clients who use a mailbox name with a tyop in it because it traps ALL
messages addressed to invalid mailboxes. Using another grep to select
on a match of <> will eliminate all but bounces to invalid addresses
from the null sender. They would not have reached a mailbox anyway.

I figure that maybe, just maybe, some admins will see the log message
repeating during all the tarpitting and get a clue. It is easier than
sending an email complaining about their cluelessness.

As to load: The box is a Celeron 1.3GHz with 256 MB RAM. It handles
lots of mail with reasonably large PDF and graphics attached and runs a
POP3 daemon as well that is polled regularly by about 70 "always on"
accounts. I cannot see any degradation of performance when these storms
are peaking. spamd rocks!

Rod/
(CC not needed, thanx.)

From the land "down under": Australia.
Do we look <umop apisdn> from up over?
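The "<> only" variant of the trap described in the caveat above (bounces from the null sender to mailboxes that do not exist), as an added shell example that is not part of the original post. It reads spamdb(8) output on stdin and prints each client IP once, ready for `spamdb -ta`; it assumes the valid mailboxes are looked up in the Postfix vmailbox source file with awk instead of `postmap -q`, so it runs without a Postfix install, and the sample data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# GREY line layout (spamdb(8)):
#   GREY|<ip>|<helo>|<from>|<to>|<first>|<pass>|<expire>|<block>|<pass>
# Selects entries whose sender is the null sender "<>" (a bounce) and whose
# recipient is not a known mailbox, and prints the client IP once per host.
# Assumption: valid mailboxes come from the first column ("user@domain") of
# the Postfix vmailbox source file given as $1, read with awk rather than
# postmap -q, so the check works on any system.
# usage: bounce_trap_candidates VMAILBOX_FILE < spamdb-output
bounce_trap_candidates() {
    awk -F'|' -v vm="$1" '
        BEGIN {
            while ((getline line < vm) > 0) {
                if (line ~ /^[[:space:]]*(#|$)/) continue   # skip comments and blank lines
                split(line, f, /[[:space:]]+/)
                valid[tolower(f[1])] = 1
            }
        }
        $1 == "GREY" && $4 == "<>" {
            rcpt = tolower($5); gsub(/[<>]/, "", rcpt)      # strip the angle brackets
            if (!(rcpt in valid) && !($2 in seen)) { seen[$2] = 1; print $2 }
        }'
}

# Stand-alone demonstration on constructed data (RFC 5737 test addresses).
demo() {
    vm=$(mktemp)
    printf '%s\n' '# virtual mailboxes' \
        'alice@example.org  example.org/alice/' \
        'bob@example.org    example.org/bob/' > "$vm"
    printf '%s\n' \
        'GREY|192.0.2.10|mx.zombie.example|<>|<nobody@example.org>|1202462835|1202462835|1202477235|1|0' \
        'GREY|192.0.2.10|mx.zombie.example|<>|<qwerty@example.org>|1202462840|1202462840|1202477240|1|0' \
        'GREY|198.51.100.7|mail.partner.example|<>|<alice@example.org>|1202462850|1202462850|1202477250|1|0' \
        'GREY|203.0.113.9|relay.isp.example|<joe@isp.example>|<bbo@example.org>|1202462860|1202462860|1202477260|1|0' \
        | bounce_trap_candidates "$vm"
    rm -f "$vm"
}
demo
```

The host that addressed the typo'd mailbox with a real sender (the 203.0.113.9 line) is left alone, and the bounce to a valid mailbox passes; only the bounce source hitting invalid mailboxes is printed.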
