On Mon, Feb 11, 2008 at 11:33:47AM -0500, Calomel wrote:
> On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
> >On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
> >> Raimo,
> >>
> >> Can you use the spamd.alloweddomains to whitelist email addresses and
> >> domains you accept mail for? Any email sent to your mail server that is not
> >> on the list will only goto spamd and never get the chance to be
> >> greylisted/whitelisted. Then you could write a simple script to look
> >> through the spamd logs of BLACK entries.
> >>
> >
> >Well, that was already done. All incoming backscatter was to a valid
> >domain.
>
> If you can compile a list of valid email address this might help. Instead
> of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED] Any server
> sending to an invalid address would be blacklisted and a script could add
> those ips to a pf block table.
>
I have now improved the greyscanner script to look up hosts that
send a DSN (sender is empty) and check that they resolve through
DNS both back and forth again to the right IP address.
It is just a little improvement, but catches a few more hosts.
> >
> >> cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort |
> >> uniq
> >>
> >
> >The problem seemed to be that spamd overloaded the network connection.
>
> If spamd is sending too many packets back try increasing the stutter time
> "-S90" and the stutter speed "-s5". At 600 connections total and 600
> packets per 5 seconds the network would need to handle 120 packets per
> second each direction; around 180 kilobytes in each direction. This might
> still be too much bandwidth, but you could increase the values as
> needed or decrease the amount of connections spamd will accept with "-c".
> maxcon may not exceed kern.maxfiles - 200, and defaults to 800.
>
I will certainly try this. I guess -S90 will not do much since most of
the conversation tail (after stutter) will go in one packet anyway, but
-s2 should halve the packet load, and -s5 cut it to a fifth (i.e. 1/5). -c 400
should also decrease the load, but I have a firewall rule for that
now that should do the same but more lightweight since the
TCP stack is not involved.
> >
> >> ...and add the offending ips to a block table with a cron job running a few
> >> times a day. This page might give you some more ideas:
> >>
> >> Spamd tarpit/greylisting anti-spam "how to" (spamdb)
> >> http://calomel.org/spamd_config.html
> >
> >I will have a look at it. Thank you for the ideas.
> >
> >
> >> --
> >> Calomel @ http://calomel.org
> >> Open Source Research and Reference
> >>
> >>
> >> On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
> >> >Apparently we (our mail server) got targeted by a zombie network
> >> >since suddenly there were some 30000 hosts on spamd's whitelist,
> >> >continuously some 600 connections to spamd, and only mails to
> >> >unknown users coming in. The network connection was flooded,
> >> >the web server sluggish, downloads crept, basically
> >> >nothing worked.
> >> >
> >> >Can spamd do anything about zombie hosts? They behave like
> >> >normal MTAs so they will pass spamd's behavioural tests, right?
> >> >
> >> >Now I analyze the greylist, do some heuristics on the
> >> >sender address (among other things) and trap the bad hosts.
> >> >The trapped hosts are then copied to a pf table to be blocked
> >> >in the firewall. Tarpitting them through spamd is simply
> >> >too much work for the mail server, but blocking works fine.
> >> >
> >> >Here come the questions:
> >> >
> >> >* Does anyone know of a good strategy against zombie network
> >> >spam attacks?
> >> >
> >> >* To make the greylist heuristics validate recipients and
> >> >blacklist hosts that send to invalid recipients would
> >> >blacklist valid MTAs that send bounces of mails with
> >> >fake sender addresses to me, right? And that would be
> >> >too cruel, or? Because it would certainly decrease
> >> >the spam amount.
> >> >
> >> >* To make the greylist heuristics validate the hosts
> >> >by reverse DNS PTR lookup and then forward A lookup
> >> >is apparently a debatable issue according to the
> >> >current thread "running mail server at home".
> >> >But if it is (fairly) common practice it would
> >> >be a simple thing to do, and certainly decrease
> >> >spam volume. But would it be too narrow?
> >> >
> >> >--
> >> >
> >> >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
> >
> >--
> >
> >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
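The check described above (take the spamdb greylist, pick the hosts that send with an empty envelope sender, require that their IP has a PTR record and that the PTR name resolves forward to the same IP, and push the failures into a pf table) as an added, stand-alone example. This is not Raimo's greyscanner script, nor anything from calomel.org; it is illustration code written for this thread. Assumptions: the spamdb(8) GREY line layout `GREY|ip|helo|from|to|first|pass|expire|block|pass` and `<>` for the empty sender (verify against your own `spamdb` output), a pf table named `spamd-zombies`, and constructed sample entries and fake DNS answers so it runs offline. The resolver is injected so the same logic can be driven by real `socket` lookups when run against `spamdb | python3 dsn_fcrdns.py`.

```python
"""Flag DSN senders in the spamdb greylist that fail forward-confirmed
reverse DNS (FCrDNS) and emit pfctl commands to block them.

Added example for the thread, not the greyscanner script discussed there.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumed spamdb(8) GREY layout (check against your spamdb output):
# GREY|ip|helo|from|to|first|pass|expire|block|pass
@dataclass
class GreyEntry:
    ip: str
    helo: str
    sender: str
    rcpt: str

def parse_spamdb(lines: Iterable[str]) -> List[GreyEntry]:
    """Keep only GREY entries; WHITE/TRAPPED lines carry no sender."""
    entries = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 5 or fields[0] != "GREY":
            continue
        entries.append(GreyEntry(ip=fields[1], helo=fields[2],
                                 sender=fields[3], rcpt=fields[4]))
    return entries

def is_dsn(entry: GreyEntry) -> bool:
    """An empty envelope sender (shown as <> by spamdb) marks a bounce/DSN."""
    return entry.sender.strip() in ("", "<>")

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name or None
ALookup = Callable[[str], List[str]]         # name -> list of A records

def fcrdns_ok(ip: str, ptr: PtrLookup, a: ALookup) -> bool:
    """Reverse lookup, then forward lookup of that name must contain ip."""
    name = ptr(ip)
    if not name:
        return False
    return ip in a(name)

def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(name: str) -> List[str]:
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError:
        return []

def zombie_candidates(lines: Iterable[str], ptr: PtrLookup = system_ptr,
                      a: ALookup = system_a) -> List[str]:
    """IPs of DSN senders whose FCrDNS check fails, in first-seen order."""
    seen, out = set(), []
    for e in parse_spamdb(lines):
        if e.ip in seen or not is_dsn(e):
            continue
        seen.add(e.ip)
        if not fcrdns_ok(e.ip, ptr, a):
            out.append(e.ip)
    return out

def pf_table_commands(ips: Iterable[str], table: str = "spamd-zombies") -> List[str]:
    """Commands to load the hits into a pf table (table name is assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

# --- Constructed sample data (not real hosts or real spamdb output) ---
SAMPLE_SPAMDB = [
    "GREY|192.0.2.10|mx1.example.net|<>|bob@example.com|1202463000|0|1202477400|1|0",
    "GREY|198.51.100.7|host7.example.org|<>|nobody@example.com|1202463010|0|1202477410|2|0",
    "GREY|203.0.113.5|zombie|<>|jane@example.com|1202463020|0|1202477420|1|0",
    "GREY|203.0.113.9|relay|alice@example.org|bob@example.com|1202463030|0|1202477430|1|0",
    "WHITE|192.0.2.77|||1202460000|1202460500|1205052500|0|3",
    "TRAPPED|203.0.113.200|1202549400",
]
FAKE_PTR = {"192.0.2.10": "mx1.example.net", "198.51.100.7": "host7.example.org"}
FAKE_A = {"mx1.example.net": ["192.0.2.10"], "host7.example.org": ["203.0.113.99"]}

def demo() -> List[str]:
    """Run the check on the constructed data with the fake resolver."""
    hits = zombie_candidates(SAMPLE_SPAMDB, ptr=FAKE_PTR.get,
                             a=lambda n: FAKE_A.get(n, []))
    return pf_table_commands(hits)

if __name__ == "__main__":
    # With spamdb piped on stdin, use the real resolver; otherwise demo.
    if sys.stdin.isatty():
        print("\n".join(demo()))
    else:
        print("\n".join(pf_table_commands(zombie_candidates(sys.stdin))))
```

In the sample, 192.0.2.10 passes (PTR and A agree), 198.51.100.7 fails because its PTR name resolves forward to a different address, and 203.0.113.5 fails because it has no PTR at all; the non-DSN sender and the WHITE/TRAPPED lines are never looked up. As the thread itself notes, requiring FCrDNS also catches legitimate MTAs with sloppy reverse DNS, so review the hits before feeding them to pf.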