I wonder; would a firewall's "session limits" DDoS feature protect against something like this?
Anybody? Just a thought.

Dave

Scott MacLean wrote:
>
> I have one domain on my server who for a while, had a "nobody" alias in
> place, so it would "accept" any email sent to it, regardless of the
> address. Somehow it has gotten on public "spam lists" - someone generated a
> ton of bogus addresses "@domain.com" (not the real domain, obviously) and
> it's obviously being sent around or sold as part of a spam email list. As a
> result, he was getting almost 10,000 spams a day, most of which were being
> caught by Declude. However, several times a day we would have idiot
> spammers who were connecting and attempting to send 20-30 messages a
> second, which was totally crippling my server.
>
> I had him remove the "nobody" alias, so at least there's no longer the load
> on the server of Declude trying to spam check and virus check every piece
> of spam these idiots were sending. However, at least once a day I still
> have some idiot spammer connecting and crippling my server for half an hour
> or so, attempting to send 20-30 messages a second.
>
> The IP addresses are always spoofed, so I can't block it that way. They tie
> up all available inbound SMTP connections, so the SMTP server appears dead
> to my REAL clients, and any valid mail they should be receiving doesn't get
> through. As well, it puts both CPUs in the server up to 100% rejecting the
> mail, slowing the server down for everyone else.
>
> SMTP logs are filled with thousands of entries like this:
>
> 20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] RCPT TO: <[EMAIL PROTECTED]>
> 20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] ERR domain.com invalid user <[EMAIL PROTECTED]
> 20030227 091017 127.0.0.1 SMTPD (000D0584) [217.82.59.117] RCPT TO: <[EMAIL PROTECTED]>
> 20030227 091017 127.0.0.1 SMTPD (000D0584) [217.82.59.117] ERR domain.com invalid user <[EMAIL PROTECTED]
> 20030227 091017 127.0.0.1 SMTPD (00280604) [217.82.59.117] RCPT TO: <[EMAIL PROTECTED]>
> 20030227 091017 127.0.0.1 SMTPD (00280604) [217.82.59.117] ERR domain.com invalid user <[EMAIL PROTECTED]
> 20030227 091017 127.0.0.1 SMTPD (002D055A) [217.82.173.37] RCPT TO: <[EMAIL PROTECTED]>
> 20030227 091017 127.0.0.1 SMTPD (002D055A) [217.82.173.37] ERR domain.com invalid user <[EMAIL PROTECTED]
> 20030227 091017 127.0.0.1 SMTPD (01650418) [217.81.250.86] RCPT TO: <[EMAIL PROTECTED]>
> 20030227 091017 127.0.0.1 SMTPD (01650418) [217.81.250.86] ERR domain.com invalid user <[EMAIL PROTECTED]
>
> Any ideas what I can do about this? Is there anything I can do?
> _______________________
> Scott MacLean
> [EMAIL PROTECTED]
> ICQ: 9184011
> http://www.nerosoft.com
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.

--
David M. Delbridge
President & CEO
Circa 3000 ColdFusion Hosting
http://www.circa3k.com
775-832-2445
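
The log excerpt quoted in this message can be tallied to show how many recipient rejections land in each second and how many separate connections each peer address holds, which is the figure a per-source session limit would act on. This is an added example, not part of the thread or of any Declude or mail-server tooling; the sample lines are constructed in the shape of the excerpt with placeholder recipient addresses, and reading the parenthesised hex value as a per-connection id is an assumption about the log layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the excerpt quoted in the post; recipient
# addresses are placeholders and the final line is an added contrast case.
SAMPLE_LOG = """\
20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] RCPT TO: <a1@domain.example>
20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] ERR domain.com invalid user <a1@domain.example>
20030227 091017 127.0.0.1 SMTPD (000D0584) [217.82.59.117] ERR domain.com invalid user <a2@domain.example>
20030227 091017 127.0.0.1 SMTPD (00280604) [217.82.59.117] ERR domain.com invalid user <a3@domain.example>
20030227 091017 127.0.0.1 SMTPD (002D055A) [217.82.173.37] ERR domain.com invalid user <a4@domain.example>
20030227 091017 127.0.0.1 SMTPD (01650418) [217.81.250.86] ERR domain.com invalid user <a5@domain.example>
20030227 091018 127.0.0.1 SMTPD (01650418) [217.81.250.86] ERR domain.com invalid user <a6@domain.example>
"""

# date, time, local address, service, (assumed connection id), [peer address], message
LINE_RE = re.compile(
    r"^(\d{8}) (\d{6}) \S+ SMTPD \(([0-9A-Fa-f]+)\) \[([\d.]+)\] (.*)$")


def summarize_rejects(log_text, per_second_threshold=5):
    """Tally 'invalid user' rejections per second, per peer and per connection."""
    per_second = Counter()
    rejects_by_ip = Counter()
    sessions_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an SMTPD line in the expected layout
        date, time, session, ip, msg = m.groups()
        if not (msg.startswith("ERR ") and " invalid user " in msg):
            continue  # only recipient rejections are counted
        per_second[f"{date} {time}"] += 1
        rejects_by_ip[ip] += 1
        sessions_by_ip[ip].add(session)
    return {
        # seconds whose rejection count meets the threshold
        "bursts": {t: n for t, n in per_second.items() if n >= per_second_threshold},
        "rejects_by_ip": dict(rejects_by_ip),
        # distinct connection ids per peer: what a per-source session cap limits
        "sessions_by_ip": {ip: len(s) for ip, s in sessions_by_ip.items()},
    }


if __name__ == "__main__":
    for key, value in summarize_rejects(SAMPLE_LOG).items():
        print(key, value)
```
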