Top posting, for the archives...
Problem probably solved. There has been a new spam backscatter
flood, and this time it had no impact on my server's network
connectivity. Spamd did just fine. It now runs with the
flags -B 300 -c 400 -S 30 -s 3 (among others) and they
brought down the network load to a totally acceptable level.
Thank you all that contributed to the solution!
PS: It appears the spammers have got new software for
generating names. My mailserver logs show lots of
fake names I have not seen before in a new style a'la:
Abdul.Hutchison
AbdulballastBender
AbdulballastJoyner
AbdulboxwoodRowland
AbdulboxwoodStein
AbdulcivilianGalloway
AbdulconvairBenjamin
AbdulcoordinateGalloway
AbdulcoordinateHester
AbdulcummingsMercer
AbduldebtorStein
AbduldrownMelendez
AbduleggshellRowland
AbdulforcefulSykes
AbdulgastronomeSykes
AbdulgenreMercer
AbdulharvestMelendez
AbduljudiciaryDillon
AbduljudiciaryMelendez
AbduljugoslaviaHester
AbdulmattockHester
AbdulphilosophySykes
AbdulpulsarOsborn
AbdulrepertoireStout
AbdulshoreMercer
AbdulshorePotts
AbdulsophomoricStein
AbdultraffickingFranco
AbdulutrechtSykes
AbdulvacationlandHester
AbdulvaliantAguirre
On Wed, Feb 13, 2008 at 11:32:28AM +0100, Raimo Niskanen wrote:
> On Mon, Feb 11, 2008 at 11:33:47AM -0500, Calomel wrote:
> > On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
> > >On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
> > >> Raimo,
> > >>
> > >> Can you use the spamd.alloweddomains to whitelist email addresses and
> > >> domains you accept mail for? Any email sent to your mail server that is
> > >> not
> > >> on the list will only goto spamd and never get the chance to be
> > >> greylisted/whitelisted. Then you could write a simple script to look
> > >> through the spamd logs of BLACK entries.
> > >>
> > >
> > >Well, that was already done. All incoming backscatter was to a valid
> > >domain.
> >
> > If you can compile a list of valid email address this might help. Instead
> > of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED] Any
> > server
> > sending to an invalid address would be blacklisted and a script could add
> > those ips to a pf block table.
> >
>
> I have now improved the greyscanner script to look up hosts that
> send a DSN (sender is empty) and check that they resolves through
> DNS both back and forth again to the right IP address.
>
> It is just at little improvement, but catches a few more hosts.
>
> > >
> > >> cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort
> > >> | uniq
> > >>
> > >
> > >The problem seemed to be that spamd overloaded the network connection.
> >
> > If spamd is sending to many packets back try increasing the stutter time
> > "-S90" and the stutter speed "-s5". At 600 connections total and 600
> > packets per 5 seconds the network would need to handle 120 packets per
> > second each direction; around 180 kilobytes in each direction. This might
> > still need be too much bandwidth, but you could increase the values as
> > needed or decrease the amount of connections spamd will accept with "-c".
> > maxcon may not exceed kern.maxfiles - 200, and defaults to 800.
> >
>
> I will certainly try this. I guess -S90 will not do much since most of
> the conversion tail (after stutter) will go in one packet anyway, but
> -s2 should halve the packet load, and -s5 fiftve(? i.e 1/5). -c 400
> should also decrease the load, but I have a firewall rule for that
> now that should do the same but more lightweight since the
> TCP stack is not involved.
>
> > >
> > >> ...and add the offending ips to a block table with a cron job running a
> > >> few
> > >> times a day. This page might give you some more ideas:
> > >>
> > >> Spamd tarpit/greylisting anti-spam "how to" (spamdb)
> > >> http://calomel.org/spamd_config.html
> > >
> > >I will have a look at it. Thank you for the ideas.
> > >
> > >
> > >> --
> > >> Calomel @ http://calomel.org
> > >> Open Source Research and Reference
> > >>
> > >>
> > >> On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
> > >> >Apparently we (our mail server) got targeted by a zombie network
> > >> >since suddenly there were some 30000 hosts on spamd's whitelist,
> > >> >continously some 600 connections to spamd, and only mails to
> > >> >unknown users coming in. The network connection was flooded,
> > >> >the web server sluggish, downloads creeped, basically
> > >> >nothing worked.
> > >> >
> > >> >Can spamd do anything about zombie hosts? They behave like
> > >> >normal MTAs so they will pass spamd's behavioural tests, right?
> > >> >
> > >> >Now I analyze the greylist, do some heuristics on the
> > >> >sender address (among other things) and trap the bad hosts.
> > >> >The trapped hosts are then copied to a pf table to be blocked
> > >> >in the firewall. Tarpitting them through spamd is simply
> > >> >too much work for the mail server, but blocking works fine.
> > >> >
> > >> >Here come the questions:
> > >> >
> > >> >* Does anyone know of a good strategy against zombie network
> > >> >spam attacks?
> > >> >
> > >> >* To make the greylist heuristics validate recepients and
> > >> >blacklist hosts that send to invalid recepients would
> > >> >blacklist valid MTAs that send bounces of mails with
> > >> >fake sender addresses to me, right? And that would be
> > >> >too cruel, or? Because it would certainly decrease
> > >> >the spam amount.
> > >> >
> > >> >* To make the greylist herustics validate the hosts
> > >> >by reverse DNS PTR lookup and then forward A lookup
> > >> >is apparetly a debatable issue according to the
> > >> >current thread "running mail server at home".
> > >> >But if it is (fairly) common practice it would
> > >> >be a simple thing to do, and certainly decrease
> > >> >spam volume. But would it be to narrow?
> > >> >
> > >> >--
> > >> >
> > >> >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
> > >
> > >--
> > >
> > >/ Raimo Niskanen, Erlang/OTP, Ericsson AB
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
