On Thursday 22 July 2004 01:51, Bopolissimus X Platypus wrote:
> We're suddenly getting HUGE numbers of unknown user in local recipient
> table incoming email. There's so much of it, from all different IPs, that
> local, legitimate users are having trouble sending email out since
> postfix is trying to process the incoming unknown user email and so
> email clients trying to send mail (outlook, eudora, etc) are timing out.
>
> Is anyone seeing anything like this on their servers? How do I mitigate?
OK, Victor Duchovni on the postfix mailing list said to set smtpd_error_sleep_time to 0s (default is 1s for tar-pitting, but we're up against what looks like a DDoS, so tar-pitting hurts us more than it hurts them). The system seems to be stabilizing because of this.

Does anyone have any more ideas, though, to handle this? I'm starting to look down on the program that adds iptables rules. Right now we're at 6800 different IPs, and adding 6800 DROP rules will probably slow us down too much, and if they keep recruiting attackers, the number of rules can only increase.

Will putting the IPs in access.db work? I'm not so sure about this since I don't want to blacklist IPs indefinitely (some might be legitimate SMTP servers that just happened to handle email that was to a mistyped user), so I'll want to try to detect which IPs are good (by seeing if they also send to *good* email addresses; the attackers are sending ONLY to bad email addresses) and remove them from the blacklist until the next time they send another bad address. But access/access.db isn't convenient for this (no easy way to remove a rule; you have to rewrite the access.db file and then run postmap), while iptables is (just add a rule to block, then delete the rule when it's time to do so). Also, kicking postfix (service postfix reload) every time I adjust the access rules (say every minute or every 5 minutes) looks like it might be expensive.

Any suggestions/thoughts will be most welcome.

Thanks.

tiger

--
Gerald Timothy Quimpo [EMAIL PROTECTED] [EMAIL PROTECTED]
http://bopolissimus.sni.ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
September is near
The first half of our lives is ruined by our parents, and the second half by our children. Clarence Darrow
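The classification the post describes (block only the clients that send exclusively to unknown recipients, and lift the block for any client that also delivers to a real user), as an added example that is not part of the original thread. It reads Postfix smtpd log lines, using the "User unknown in local recipient table" reject and the queue-ID "client=" line as the two signals, and only prints the iptables add/delete commands instead of running them; the sample log lines and the SMTPBLOCK chain name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = """\
Jul 22 01:50:12 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <asdf@example.com>: User unknown in local recipient table; from=<x@example.net> to=<asdf@example.com> proto=SMTP helo=<bogus>
Jul 22 01:50:13 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <qwer@example.com>: User unknown in local recipient table; from=<y@example.net> to=<qwer@example.com> proto=SMTP helo=<bogus>
Jul 22 01:50:14 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.5]: 550 <tpyo@example.com>: User unknown in local recipient table; from=<alice@example.org> to=<tpyo@example.com> proto=ESMTP helo=<mx.example.org>
Jul 22 01:50:15 mail postfix/smtpd[1235]: 3A2B1C4D: client=mx.example.org[198.51.100.5]
"""

# A rejected RCPT for an unknown local user, with the client IP captured.
REJECT_RE = re.compile(r"RCPT from \S+\[([\d.]+)\]: 550 .*User unknown in local recipient table")
# A queue ID followed by client= means the message was accepted for at least one real recipient.
ACCEPT_RE = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[([\d.]+)\]")

def classify_clients(log_text, min_rejects=2):
    """Return (block, spare): IPs that only hit unknown users vs. IPs that also delivered real mail."""
    rejects = defaultdict(int)
    accepted = set()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects[m.group(1)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted.add(m.group(1))
    block = sorted(ip for ip, n in rejects.items() if n >= min_rejects and ip not in accepted)
    spare = sorted(ip for ip in rejects if ip in accepted)
    return block, spare

def iptables_commands(to_block, to_unblock, chain="SMTPBLOCK"):
    """Build the rule changes for a dedicated chain; -D takes the same spec the rule was added with."""
    cmds = [f"iptables -A {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in to_block]
    cmds += [f"iptables -D {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in to_unblock]
    return cmds

if __name__ == "__main__":
    block, spare = classify_clients(SAMPLE_LOG)
    for cmd in iptables_commands(block, spare):
        print(cmd)  # dry run: review the commands before applying them
```

Run it periodically against the current log window; the same spec string is used for -A and -D so a block added in one run can be removed cleanly in a later one.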
