We are secondary mx for a specific domain that has been hammered since friday night. We've accumulated literally thousands of email messages in our queue while the primary mx at the customer site is out of service yet again. In looking at the queue it appears that it's one heck of a dictionary based slam. Interesting thing about this is that it is distributed.. entire dictionary destination addresses such as bene*@domain.com come from one host (apparently with a trojan on it or otherwise) while benf*@domain.com come from yet a different host.. and so on down the alphabet all the while constantly changing source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is getting past the blacklist checks). Normally I see my spam block daemon at around 10 - 15 concurrent requests.. right now it's tearing along at around 160 - 180 concurrent bad connections.
And of course a few suggestions to mitigate this would be appreciated.. I currently employ multiple blacklists such as spamcop.net, abuseat.org, spews level 1 and 2, and spamhaus, plus my own blocklists for china and korea to check on incoming email source addresses.
You want to keep a list of valid accounts on the secondary so you can refuse
mail for non-existing accounts on the secondary too.
If you don't care about yourself -- realize that if, say, all of these mails
have a return address forged from the same domain, you will be DOSing THAT
site with the bounce messages. This is enough for some people to block mail
from you.
Happened to me a few times, which is funny for a 1-man company with very
few legit user-ids - >100K requests per day for nonexistent users. I
used ipfw to limit each sender to 1 simultaneous connection, turned on sendmail's
delay on bad users after 1 and edited the sendmail source to wait 10 sec
before responding rather than 1. That seems to have discouraged them some.
As has been mentioned, the key is either not to have/be a secondary mx or
to make it smart enough to know who's valid, to avoid DoSing the forged
senders.
Impossible as the customer does not wish to give us a list.
However, I have thought of that and created some perl foo to go through.. identify the queued junk and remove it completely from our queue .. thus no bounce and no delivery.
Christopher X. Candreva wrote:
Impossible as the customer does not wish to give us a list.
You want to keep a list of valid accounts on the secondary so you can
refuse mail for non-existing accounts on the secondary too.
anyway, as they say, that does not scale
randy
I completely agree, indeed it does not.. which is why we have now dropped doing secondary mx for this domain.
Anyway.. thanks to all who responded on and off list.. gave me a few good ideas to tinker with..
Probably the most notable thing from this is the technical level with which spammers are now employing such a distributed network of spamming zombie type systems in a very directed manner.. and I always pictured them as drooling slobs that stare at blinking lights..

Randy Bush wrote:
does anyone have some pointers to a good (possibly radius+sendmail)
based approach for checking this?
i'd like to have my backup mx host reject mail for non-existent
users/aliases as long as the primary is up, but if it's down, it should
accept them and queue, plus possibly cache misses for a period of time (24h?)
- jared
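The backup-MX behaviour Jared asks for, as an added example that is not code from the thread and not a Sendmail or RADIUS integration: reject when the primary says the user is unknown, accept and queue while the primary is unreachable, and cache misses for 24h so a dictionary burst does not cost one callout per message. The `verify` callable is an assumed stand-in for whatever callout or directory lookup the primary site provides; all addresses are constructed.

```python
"""Backup-MX recipient policy: added example, not code from the thread.

While the primary MX answers, reject recipients it reports unknown; while it
is down, accept and queue; cache misses for a TTL so a dictionary burst does
not cost one callout per message.
"""
import time
from typing import Callable, Dict, Optional

NEGATIVE_TTL = 24 * 3600  # seconds to remember a "user unknown" answer


class BackupMxPolicy:
    def __init__(self, verify: Callable[[str], Optional[bool]],
                 ttl: float = NEGATIVE_TTL,
                 clock: Callable[[], float] = time.time):
        # verify(addr) -> True (exists), False (unknown), None (primary unreachable)
        # verify is an assumed hook: RADIUS, LDAP or an SMTP callout would sit behind it
        self.verify, self.ttl, self.clock = verify, ttl, clock
        self.misses: Dict[str, float] = {}  # address -> expiry timestamp

    def decide(self, rcpt: str) -> str:
        """Return 'accept', 'reject' or 'queue' for one RCPT TO address."""
        addr = rcpt.strip().lower()
        now = self.clock()
        expiry = self.misses.get(addr)
        if expiry is not None:
            if expiry > now:
                return "reject"  # cached miss: no callout, nothing to bounce
            del self.misses[addr]  # stale entry, re-verify below
        known = self.verify(addr)
        if known is None:
            return "queue"  # primary down: a backup MX must take the mail
        if known:
            return "accept"
        self.misses[addr] = now + self.ttl
        return "reject"


def run_burst(policy: BackupMxPolicy, rcpts) -> Dict[str, int]:
    """Tally decisions for a list of recipients (e.g. a dictionary burst)."""
    counts = {"accept": 0, "reject": 0, "queue": 0}
    for r in rcpts:
        counts[policy.decide(r)] += 1
    return counts
```

Rejecting at RCPT TO time is what avoids the bounce flood to forged senders described earlier in the thread; the queue decision only fires when the primary cannot be asked at all.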
does anyone have some pointers to a good (possibly radius+sendmail)
based approach for checking this?
I load rules into the access.db database. Lines like this:
Not RADIUS, but Sendmail can do arbitrary LDAP lookups for user-checks. See the README for the details.
(and LDAP can itself be distributed, so potentially can scale somewhat).
regards,