On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:

> > Looks more like a botnet, so the connections may not in fact recur.
>
> Quite right, it is a botnet attack. And without further logging, I'd
> guess this is a DOS attack on TCP 25. The clients are probably not even
> attempting delivery, but simply tying up TCP sockets.

It could be a dictionary attack, or receiver-side DNS latency, or greet
pauses in the SMTP server, or delays due to sender or recipient
verification probes, or insufficient smtpd(8) concurrency to deal with
reasonable peak loads.

> This is a scenario purpose built for postscreen, is it not? In lieu of
> postscreen, and in addition to Viktor's other suggestions, two simple
> restrictions may have greatly reduced the impact of this attack:

Yes, postscreen.

> 1. reject_unknown_reverse_client_hostname
> 2. http://www.hardwarefreak.com/fqrdns.pcre
>
> fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
> contains many of them. I'll be adding the others in the near future.

Carefully selected augmentation of the PBL may well be effective. I also
hope Stan or someone else reputable can from time to time nominate
particularly bot-active CIDR blocks consisting exclusively of
consumer-grade DHCP addresses for the PBL (send an email to a contact at
SpamHaus).

-- 
	Viktor.
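A main.cf fragment that wires the pieces from this exchange together (postscreen in front of smtpd(8), the two client restrictions Stan lists, and a local CIDR list for blocks that have not yet made it into the PBL). This is an added example, not Viktor's or Stan's configuration; the file paths, the choice of zen.spamhaus.org as the DNSBL (which includes the PBL), and the process limit are assumptions to be adjusted per site.

```conf
# /etc/postfix/main.cf fragment (added example; paths and the DNSBL
# choice are assumptions, not settings taken from the thread)

# postscreen answers port 25 with a single process, so idle botnet
# sockets no longer each occupy an smtpd(8) process.  Clients that talk
# before the banner ("pregreet") are rejected; clients listed in the
# DNSBL (Zen includes the PBL) are rejected before smtpd(8) is involved.
postscreen_greet_action = enforce
postscreen_dnsbl_sites  = zen.spamhaus.org
postscreen_dnsbl_action = enforce

# Local allow/deny list consulted first.  A hand-maintained CIDR file is
# where bot-active consumer DHCP blocks can go while a PBL nomination is
# pending (lines of the form "192.0.2.0/24 reject"; assumed path).
postscreen_access_list = permit_mynetworks,
                         cidr:/etc/postfix/postscreen_access.cidr

# Clients that pass postscreen still meet the two restrictions from the
# thread.  Order matters: trusted and authenticated clients are
# permitted before the reverse-DNS checks run.  fqrdns.pcre is the file
# from the URL Stan posted, installed at an assumed path.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    check_client_access pcre:/etc/postfix/fqrdns.pcre

# Headroom for the legitimate peak, so DNS latency and verification
# probes do not exhaust the smtpd(8) pool.  100 is the Postfix default;
# raise it only after checking the host can sustain it.
default_process_limit = 100
```

postscreen only takes effect with the matching master.cf change: the port-25 entry becomes `smtp inet n - n - 1 postscreen`, with `smtpd pass - - n - - smtpd` and `dnsblog unix - - n - 0 dnsblog` added beneath it, followed by `postfix reload`. Confirm the result with `postconf -n` and by watching for `PREGREET`, `DNSBL` and `NOQUEUE: reject: ... Client host rejected: cannot find your reverse hostname` lines in the mail log during the next burst; those counts show which of the three layers is absorbing the traffic.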
