On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
>On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
>> Raimo,
>> 
>> Can you use the spamd.alloweddomains to whitelist email addresses and
>> domains you accept mail for? Any email sent to your mail server that is not
>> on the list will only goto spamd and never get the chance to be
>> greylisted/whitelisted. Then you could write a simple script to look
>> through the spamd logs of BLACK entries.
>> 
>
>Well, that was already done. All incoming backscatter was to a valid
>domain.

If you can compile a list of valid email addresses this might help. Instead
of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED]. Any server
sending to an invalid address would be blacklisted and a script could add
those IPs to a pf block table.

>
>> cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort | 
>> uniq
>> 
>
>The problem seemed to be that spamd overloaded the network connection.

If spamd is sending too many packets back, try increasing the stutter time
"-S90" and the stutter speed "-s5". At 600 connections total and 600
packets per 5 seconds the network would need to handle 120 packets per
second in each direction; around 180 kilobytes in each direction. This might
still be too much bandwidth, but you could increase the values as
needed or decrease the number of connections spamd will accept with "-c".
maxcon may not exceed kern.maxfiles - 200, and defaults to 800.

>
>> ...and add the offending ips to a block table with a cron job running a few
>> times a day. This page might give you some more ideas:
>> 
>>   Spamd tarpit/greylisting anti-spam "how to" (spamdb)
>>   http://calomel.org/spamd_config.html
>
>I will have a look at it. Thank you for the ideas.
>
>
>> --
>>  Calomel @ http://calomel.org
>>  Open Source Research and Reference
>> 
>> 
>> On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
>> >Apparently we (our mail server) got targeted by a zombie network
>> >since suddenly there were some 30000 hosts on spamd's whitelist,
>> >continuously some 600 connections to spamd, and only mails to
>> >unknown users coming in. The network connection was flooded,
>> >the web server sluggish, downloads creeped, basically
>> >nothing worked.
>> >
>> >Can spamd do anything about zombie hosts? They behave like
>> >normal MTAs so they will pass spamd's behavioural tests, right?
>> >
>> >Now I analyze the greylist, do some heuristics on the
>> >sender address (among other things) and trap the bad hosts.
>> >The trapped hosts are then copied to a pf table to be blocked
>> >in the firewall. Tarpitting them through spamd is simply
>> >too much work for the mail server, but blocking works fine.
>> >
>> >Here come the questions:
>> >
>> >* Does anyone know of a good strategy against zombie network
>> >spam attacks?
>> >
>> >* To make the greylist heuristics validate recipients and
>> >blacklist hosts that send to invalid recipients would
>> >blacklist valid MTAs that send bounces of mails with 
>> >fake sender addresses to me, right? And that would be
>> >too cruel, or? Because it would certainly decrease
>> >the spam amount.
>> >
>> >* To make the greylist heuristics validate the hosts
>> >by reverse DNS PTR lookup and then forward A lookup
>> >is apparently a debatable issue according to the 
>> >current thread "running mail server at home".
>> >But if it is (fairly) common practice it would
>> >be a simple thing to do, and certainly decrease
>> >spam volume. But would it be too narrow?
>> >
>> >-- 
>> >
>> >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
>
>-- 
>
>/ Raimo Niskanen, Erlang/OTP, Ericsson AB
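
The log-to-pf-table cron job discussed above, as an added example that is not code from the thread or from spamd/pf themselves. It reads spamd's syslog output, keeps only the addresses that were logged as connecting while on the "BLACK" list, and builds the pfctl command that a cron job would run. The sample log lines are constructed; the list name "BLACK" follows the grep in the thread; the syslog line layout, the hit threshold and the table name <spamd-zombies> are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Harvest client addresses that spamd
# logged as blacklisted and hand them to a pf table, the cron-job idea discussed
# in the thread. The log lines below are constructed; "BLACK" is the list name
# used in the thread; the syslog layout and the table name <spamd-zombies> are
# assumptions.

# Constructed sample of /var/log/daemon as spamd writes it via syslog.
SAMPLE_LOG='Feb  8 11:07:15 mail spamd[4242]: 192.0.2.10: connected (600/598), lists: BLACK
Feb  8 11:07:16 mail spamd[4242]: 198.51.100.7: connected (601/599)
Feb  8 11:08:50 mail spamd[4242]: 192.0.2.10: disconnected after 95 seconds. lists: BLACK
Feb  8 11:09:18 mail spamd[4242]: 203.0.113.5: connected (601/599), lists: BLACK
Feb  8 11:09:19 mail spamd[4242]: 192.0.2.10: connected (602/600), lists: BLACK'

# black_ips MIN: read spamd log lines on stdin, print each client address that
# was logged as "connected ... lists: BLACK" at least MIN times, one per line.
# The address is pulled out with a regex anchored on "spamd[pid]: " instead of a
# fixed awk field: syslog pads the day of month ("Feb  8" vs "Feb 18"), so the
# field count can shift and a fixed $7 may silently pick the wrong column.
black_ips() {
    min=${1:-1}
    grep 'spamd\[[0-9]*\]: .*: connected (.*lists: BLACK$' \
    | sed -n 's/.*spamd\[[0-9]*\]: \([0-9.]*\): .*/\1/p' \
    | sort | uniq -c \
    | awk -v min="$min" '$1 + 0 >= min + 0 { print $2 }' \
    | sort -u
}

# pf_block_cmd TABLE MIN: build the pfctl command a cron job would run.
# Printing it instead of executing lets the list be inspected first. The pf.conf
# side needs "table <spamd-zombies> persist" and a rule such as
# "block in quick on $ext_if from <spamd-zombies>" (assumed, not from the thread).
pf_block_cmd() {
    ips=$(black_ips "${2:-1}" | tr '\n' ' ')
    [ -n "$ips" ] || return 0
    printf 'pfctl -t %s -T add %s\n' "$1" "${ips% }"
}

# Usage: hosts that hit the blacklist twice or more get blocked.
printf '%s\n' "$SAMPLE_LOG" | pf_block_cmd spamd-zombies 2
```

The threshold matters in the scenario described in the thread: a single bounce from a legitimate MTA to an invalid recipient lands on the blacklist once, while a zombie reconnects repeatedly, so requiring two or more hits before blocking at the firewall keeps the tarpit load off the mail server without blocking one-off bouncers.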
