On Fri, Feb 08, 2008 at 12:33:47PM +0100, Peter N. M. Hansteen wrote:
> Raimo Niskanen <[EMAIL PROTECTED]> writes:
>
> > Apparently we (our mail server) got targeted by a zombie network
> > since suddenly there were some 30000 hosts on spamd's whitelist,
> > continuously some 600 connections to spamd, and only mails to
> > unknown users coming in. The network connection was flooded,
> > the web server sluggish, downloads crept, basically
> > nothing worked.
>
> To me this sounds very much like when we got hit by serious amounts of
> backscatter. That is, the messages we kept seeing were bounces for
> spam messages intended for non-existent users elsewhere, so the server
> at the other end was likely a real one, only with deficient spam
> countermeasures.
>
> I think anyway you want to do some greytrapping, either the empirical
> approach[1] or Bob Beck's Greyscanner script[2], depending on how much
> you crave 'getting a feel for the data'. They keep trying, but they
> really don't bother us much anymore, and the addresses I've collected
> at [3] keep turning up in my spamd logs.
>

I am doing greytrapping through spamd, and using Bob Beck's Greyscanner
script, but it was not enough. I have not, however, activated the feature
in the Greyscanner script to trap all hosts that send to unknown RCPT
addresses, since I thought it was too hard a measure.

Now I am trying to improve the Greyscanner. I noticed it did not trap
hosts using an empty envelope sender, unless there were more than one
entry from that host. I regarded it as a bug and fixed it. I hope an
empty envelope sender really is suspicious or disallowed.

> Anyway, this is not in any way cruel. This is not cute little furry
> animals we're talking about, but humans, grownups who should know better.
> The fact that they're bouncing spam back means that they were probably
> about to deliver spam to their existing users too, and that is for the
> most part avoidable.

If a backscatter gets through to sendmail, and it is to an invalid user,
what is the proper thing for sendmail to do? My sendmail most probably
does the default, which I guess is to bounce the mail.

>
> [1] see my ramblings about the fun to be had with greytrapping starting at
> http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html
> - also the subject of an upcoming BSD Magazine article
>
> [2] http://www.ualberta.ca/~beck/nycbug06/scripts/greyscanner.41
>
> [3] http://www.bsdly.net/~peter/traplist.shtml
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
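The empty-envelope-sender check discussed in the message above, as an added example that is not Greyscanner's code nor anything posted in the thread. It assumes the spamdb(8) GREY record layout (GREY|ip|helo|from|to|first|pass|expire|block|pass) and works on constructed sample records; the min_entries parameter lets you compare the "more than one entry" behaviour Raimo describes with the fixed one-entry rule.

```python
"""Flag greylist hosts that use an empty envelope sender (<>).

Added example, not Greyscanner's own code. Assumes the spamdb(8) GREY
record layout GREY|ip|helo|from|to|first|pass|expire|block|pass; the
sample records below are constructed, not a real capture.
"""
from collections import defaultdict

SAMPLE_SPAMDB = """\
GREY|192.0.2.10|mx.example.net|<>|<nosuchuser@example.org>|1202470000|1202470000|1202484400|1|0
GREY|192.0.2.11|host.example.com|<bob@example.com>|<alice@example.org>|1202470100|1202470100|1202484500|1|0
GREY|192.0.2.12|relay.example.net|<>|<ghost1@example.org>|1202470200|1202470200|1202484600|1|0
GREY|192.0.2.12|relay.example.net|<>|<ghost2@example.org>|1202470250|1202470250|1202484650|1|0
WHITE|192.0.2.13|||1202460000|1202460000|1202546400|3|2
"""


def parse_grey_lines(text):
    """Return one dict per GREY record; WHITE/TRAPPED records are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 10 or fields[0] != "GREY":
            continue
        entries.append({"ip": fields[1], "helo": fields[2],
                        "sender": fields[3], "rcpt": fields[4]})
    return entries


def empty_sender_hosts(entries, min_entries=1):
    """IPs with at least min_entries greylist entries whose envelope sender is <>.

    min_entries=2 mimics the behaviour described in the thread (a host is
    only caught when it has more than one entry); min_entries=1 is the fix.
    """
    by_ip = defaultdict(int)
    for e in entries:
        if e["sender"] == "<>":
            by_ip[e["ip"]] += 1
    return sorted(ip for ip, n in by_ip.items() if n >= min_entries)


if __name__ == "__main__":
    recs = parse_grey_lines(SAMPLE_SPAMDB)
    print("old rule (>1 entry):", empty_sender_hosts(recs, min_entries=2))
    print("fixed rule:", empty_sender_hosts(recs, min_entries=1))
```

Legitimate bounces (DSNs) also use an empty envelope sender, so in practice this check is combined with the recipient check (does the RCPT exist?) rather than used as a trapping criterion on its own.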

