Apparently we (our mail server) got targeted by a zombie network
since suddenly there were some 30000 hosts on spamd's whitelist,
continuously some 600 connections to spamd, and only mails to
unknown users coming in. The network connection was flooded,
the web server sluggish, downloads crept, basically
nothing worked.

Can spamd do anything about zombie hosts? They behave like
normal MTAs so they will pass spamd's behavioural tests, right?

Now I analyze the greylist, do some heuristics on the
sender address (among other things) and trap the bad hosts.
The trapped hosts are then copied to a pf table to be blocked
in the firewall. Tarpitting them through spamd is simply
too much work for the mail server, but blocking works fine.

Here come the questions:

* Does anyone know of a good strategy against zombie network
spam attacks?

* To make the greylist heuristics validate recipients and
blacklist hosts that send to invalid recipients would
blacklist valid MTAs that send bounces of mails with 
fake sender addresses to me, right? And that would be
too cruel, or? Because it would certainly decrease
the spam amount.

* To make the greylist heuristics validate the hosts
by reverse DNS PTR lookup and then forward A lookup
is apparently a debatable issue according to the
current thread "running mail server at home".
But if it is (fairly) common practice it would
be a simple thing to do, and certainly decrease
spam volume. But would it be too narrow?

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
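As an added illustration (not part of Raimo's post, and not his actual heuristics), this is how the "analyze the greylist, trap the bad hosts, copy them to a pf table" step could be scripted on top of spamdb(8) and pfctl(8). The heuristic used here (one source IP sending from many distinct sender addresses), the pf table name "zombies" and the sample greylist are all assumptions.

```shell
#!/bin/sh
# Added example: find greylist hosts that look like zombies and emit the
# spamdb/pfctl commands that would trap and block them. The heuristic
# (many distinct sender addresses from one IP) and the table name
# "zombies" are assumptions, not from the original post.

# spamdb(8) GREY lines: GREY|ip|helo|from|to|first|pass|expire|block|pass
# Constructed sample data so the script runs offline.
SAMPLE_GREYLIST='GREY|192.0.2.10|mx.example.net|bob@example.net|me@example.org|1|2|3|1|0
GREY|192.0.2.10|mx.example.net|bob@example.net|me@example.org|1|2|3|1|0
GREY|203.0.113.7|host7|qx19@a.example|nouser1@example.org|1|2|3|1|0
GREY|203.0.113.7|host7|zzk3@b.example|nouser2@example.org|1|2|3|1|0
GREY|203.0.113.7|host7|pp02@c.example|nouser3@example.org|1|2|3|1|0
GREY|203.0.113.7|host7|mm77@d.example|nouser4@example.org|1|2|3|1|0'

# suspects: read spamdb output on stdin and print, one per line, every
# source IP whose GREY entries use at least $1 distinct sender addresses.
suspects() {
    awk -F'|' -v min="$1" '
        $1 == "GREY" && !seen[$2 SUBSEP $4]++ { n[$2]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# trap_commands: for each suspect IP print the commands that would mark it
# TRAPPED in spamd and add it to the pf table (dry run; pipe to sh to apply).
trap_commands() {
    suspects "$1" | while read -r ip; do
        printf 'spamdb -T -a %s\n' "$ip"
        printf 'pfctl -t zombies -T add %s\n' "$ip"
    done
}

# Stand-alone run on the constructed sample; on a real box use:
#   spamdb | trap_commands 4
printf '%s\n' "$SAMPLE_GREYLIST" | trap_commands 4
```

The pf side needs a matching `table <zombies> persist` and a block rule in pf.conf, which the post already relies on.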