On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
> Raimo,
>
> Can you use the spamd.alloweddomains to whitelist email addresses and
> domains you accept mail for? Any email sent to your mail server that is not
> on the list will only go to spamd and never get the chance to be
> greylisted/whitelisted. Then you could write a simple script to look
> through the spamd logs of BLACK entries.
>
Well, that was already done. All incoming backscatter was to a valid
domain.
> cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort | uniq
>
The problem seemed to be that spamd overloaded the network connection.
> ...and add the offending ips to a block table with a cron job running a few
> times a day. This page might give you some more ideas:
>
> Spamd tarpit/greylisting anti-spam "how to" (spamdb)
> http://calomel.org/spamd_config.html
>
I will have a look at it. Thank you for the ideas.
> --
> Calomel @ http://calomel.org
> Open Source Research and Reference
>
>
> On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
> >Apparently we (our mail server) got targeted by a zombie network
> >since suddenly there were some 30000 hosts on spamd's whitelist,
> >continuously some 600 connections to spamd, and only mails to
> >unknown users coming in. The network connection was flooded,
> >the web server sluggish, downloads crept, basically
> >nothing worked.
> >
> >Can spamd do anything about zombie hosts? They behave like
> >normal MTAs so they will pass spamd's behavioural tests, right?
> >
> >Now I analyze the greylist, do some heuristics on the
> >sender address (among other things) and trap the bad hosts.
> >The trapped hosts are then copied to a pf table to be blocked
> >in the firewall. Tarpitting them through spamd is simply
> >too much work for the mail server, but blocking works fine.
> >
> >Here come the questions:
> >
> >* Does anyone know of a good strategy against zombie network
> >spam attacks?
> >
> >* To make the greylist heuristics validate recipients and
> >blacklist hosts that send to invalid recipients would
> >blacklist valid MTAs that send bounces of mails with
> >fake sender addresses to me, right? And that would be
> >too cruel, or? Because it would certainly decrease
> >the spam amount.
> >
> >* To make the greylist heuristics validate the hosts
> >by reverse DNS PTR lookup and then forward A lookup
> >is apparently a debatable issue according to the
> >current thread "running mail server at home".
> >But if it is (fairly) common practice it would
> >be a simple thing to do, and certainly decrease
> >spam volume. But would it be too narrow?
> >
> >--
> >
> >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
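An added example, not code from either poster: the cron script Calomel sketches (collect hosts that spamd logged with a BLACK listing, push them into a pf table) and the "copy trapped hosts to a pf table" step Raimo describes, as one sh script. The log line shape, the table name `spamd-zombies` and the sample addresses are assumptions constructed for the example; check the exact format in your own /var/log/daemon before relying on the sed pattern.

```shell
#!/bin/sh
# Assumed spamd log line shape (constructed for this example):
#   Feb  8 11:20:31 mx spamd[1234]: 192.0.2.10: connected (3/2), lists: BLACK
# Greylisted clients carry no "lists:" part and must not be collected.

# Constructed sample log; 203.0.113.5 is greylisted, 192.0.2.10 appears twice.
SAMPLE_LOG='Feb  8 11:20:31 mx spamd[1234]: 192.0.2.10: connected (3/2), lists: BLACK
Feb  8 11:20:32 mx spamd[1234]: 198.51.100.7: connected (4/2), lists: nixspam BLACK
Feb  8 11:20:33 mx spamd[1234]: 203.0.113.5: connected (5/2)
Feb  8 11:21:40 mx spamd[1234]: 192.0.2.10: connected (6/3), lists: BLACK'

# black_ips: read log text on stdin, print each blacklisted client IP once.
# The IP is taken as the field right after "spamd[pid]:" (trailing colon
# dropped), so a one- or two-space day field in the timestamp does not matter,
# unlike a fixed awk column.
black_ips() {
    grep 'spamd\[[0-9]*\]:' | grep 'lists:.*BLACK' |
        sed -n 's/.*spamd\[[0-9]*\]: \([0-9.]*\):.*/\1/p' |
        sort -u
}

# block_black_ips: add the collected addresses to a pf table. The table is an
# assumption and must be declared in pf.conf, e.g.
#   table <spamd-zombies> persist
#   block in quick on egress from <spamd-zombies>
# With DRY_RUN=1 the pfctl command line is printed instead of run, so the
# script can be checked on a box without pf.
block_black_ips() {
    table=${1:-spamd-zombies}
    ips=$(black_ips)
    [ -n "$ips" ] || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # word splitting of $ips is intended: one address per argument
        echo pfctl -t "$table" -T add $ips
    else
        printf '%s\n' "$ips" | xargs pfctl -t "$table" -T add
    fi
}

# Cron usage (a few times a day, as suggested in the thread):
#   grep spamd /var/log/daemon | sh /usr/local/sbin/block_black_ips.sh
# Rehearsal on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | DRY_RUN=1 block_black_ips
```

Hosts trapped by spamdb (`spamdb -T`) land in the same table the same way; only the extraction step differs, because `spamdb` prints the address as the second colon-separated field of each TRAPPED line.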