Re: [swinog] smtp attacks

2006-11-27 Thread Daniel Lorch
Hi

> The problem was made worse by the fact that we had left the response
> code for a reject due to unknown recipient as 4xx, so naturally one of
> these emails resulted in many connection attempts if they came from a
> real mail server (as opposed to a zombie).  At one point we were up to
> 500 connections per minute.  The solution (in our case) was to set the
> response code to 5xx and accept the risk that mail will be rejected if
> the backend LDAP containing the mailbox names goes offline.

What's really funny is when you set the MX of the domain to 127.0.0.1,
so the mails bounce back to the postmaster of the offending server(s).

Daniel
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
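
The effect described in the quoted paragraph above, as an added example that is not part of the thread: a small model of how the RCPT TO reply code for an unknown mailbox changes inbound connection counts. `QUEUE_ATTEMPTS`, the sample addresses and the 451-on-outage branch are assumptions; the setup in the thread instead accepted rejects during an LDAP outage.

```python
# Added example with constructed data: how the RCPT TO reply code for an
# unknown mailbox changes the number of inbound connections.

# Assumption: delivery attempts a queueing mail server makes for one
# message before it gives up (real MTAs use their own schedules).
QUEUE_ATTEMPTS = 10


class DirectoryDown(Exception):
    """Raised by a lookup when the mailbox directory cannot be reached."""


def rcpt_reply(rcpt, lookup, unknown_code=550):
    """Return the SMTP reply code for one RCPT TO.

    lookup(rcpt) returns True/False, or raises DirectoryDown.
    """
    try:
        return 250 if lookup(rcpt) else unknown_code
    except DirectoryDown:
        return 451  # outage is temporary, so ask the sender to retry


def attempts(code, sender_queues):
    """Connections one message costs the receiver, given its reply."""
    if 400 <= code < 500 and sender_queues:
        return QUEUE_ATTEMPTS  # a real mail server keeps retrying
    return 1  # 2xx and 5xx are final; a zombie does not retry


def inbound_connections(messages, lookup, unknown_code):
    """Total connections for (recipient, sender_queues) pairs."""
    return sum(attempts(rcpt_reply(rcpt, lookup, unknown_code), queues)
               for rcpt, queues in messages)


# Constructed sample: one valid mailbox, eight bounces to fake addresses
# from real mail servers, one message from a zombie.
MAILBOXES = {"alice@example.org"}
SAMPLE = ([("alice@example.org", True)]
          + [(f"fake{i}@example.org", True) for i in range(8)]
          + [("fake@example.org", False)])


def directory(rcpt):
    return rcpt in MAILBOXES


if __name__ == "__main__":
    for code in (450, 550):
        print(code, inbound_connections(SAMPLE, directory, code))
```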


Re: [swinog] smtp attacks

2006-11-27 Thread Daniel Kamm
On Mon, 2006-11-27 at 17:58 +0100, Rene Luria wrote:
> It is due to bounces coming from everywhere. Spammers using fake email
> addresses from domains for which we are the MX.
>
> The amount of such emails (which we almost all reject, user unknown,
> etc. because of the fake email addresses) is enormous compared to
> normal traffic (like 10 times what we have in general).

I can confirm such behaviour, though here it's not as heavy as at the end
of last year. Any catch-all is horrible in such cases.

In my opinion, this is tactically used to 'find' valid email addresses
for later use. But no proof of that.

On Mon, 2006-11-27 at 18:45 +0100, Daniel Lorch wrote:
> What's really funny is when you set the MX of the domain to 127.0.0.1,
> so the mails bounce back to the postmaster of the offending server(s).

Sure, you don't want to receive _any_ email? You will get rid of a lot of
customers like that, Daniel.

You rather limit the connections per host simultaneously and - if possible -
add more MX servers. Graylisting possibly helps as well.

Cheerz
 - Dan



Re: [swinog] smtp attacks

2006-11-27 Thread Michael Naef
On Monday 27 November 2006 20:43, Daniel Kamm wrote:
> Graylisting possibly helps as well.

Graylisting screws up the system E-Mail and doesn't help if the
other end is a regular mailserver (cracked useraccount...).

I think the only long-term reliable means to the solution of this
problem remains the spameRassassin[tm] *r*. At least
spammers should be enchained and be forced to eat up a printed
copy of every single one of their emails. Repeaters have their
font size doubled.

Michi

PS: Why do we still have publicly-known spammers walking around
freely regardless of the fact that they render email for all of
us unusable and cause such tremendous expenses? Our politicians
rather implement another revision of the URG... yes that eases
my life a lot. (Any irony found in this text may be kept by the
reader.)


Re: [swinog] smtp attacks

2006-11-27 Thread Matthias Hertzog

Yes, same here. We had to blacklist several domains to keep our
inbound clean.

Matthias Hertzog
_

mhs @ internet AG
Zürcherstrasse 204, CH - 9014 St. Gallen
Phone +41 71 274 93 93, Fax +41 71 274 93 94
http://www.mhs.ch
_





- Original Message - 
From: Rene Luria [EMAIL PROTECTED]

To: swinog@swinog.ch; [EMAIL PROTECTED]
Sent: Monday, November 27, 2006 5:58 PM
Subject: [swinog] smtp attacks



Hi folks,

We are currently experiencing a heavy load on all our smtp inbound
servers since Saturday.

It is due to bounces coming from everywhere. Spammers using fake email
addresses from domains for which we are the MX.

The amount of such emails (which we almost all reject, user unknown,
etc. because of the fake email addresses) is enormous compared to
normal traffic (like 10 times what we have in general).

Do any of you experience the same problem?

--
Rene Luria


Re: [swinog] smtp attacks

2006-11-27 Thread Daniele Guazzoni

Uhm, my private detected spam count is still average:
150 spam/24h which means 87% of total mails received.
Also nothing special here.

This is not spam. To unsubscribe to this mail please reply with the 
words shut up in the subject, directly to me :-)


Daniele

Matthias Hertzog wrote:

Yes, same here. We had to blacklist several domains to keep our
inbound clean.

Matthias Hertzog