Re: DDOS, Dictionary Attack... not sure what it is...
On 2008-01-08 10:12:28, Joseph Brennan wrote:
> I don't understand how refusing after MAIL could take 6 times as much
> resources as accepting the message. By refusing, you don't receive
> the message body and you don't have to output the message to a mailer.
> That has to use less resources than accepting. I would be taking a
> close look at what your server is doing during rejection. This just
> seems very wrong to me.

Can it be that the RBL lookups are screwing up?

I have installed bind9 (HP Vectra XA5, P1/200 with 384MByte) which is there for 7 domains (over 180 subdomains and around 800 hosts) and as caching DNS, but it seems that if I get spammed it becomes very heavily loaded... Normally the load average is under 0.5, but if I get spammed it is over 10.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack                Apt. 917                  ICQ #328449886
50, rue de Soultz               MSN LinuxMichi
0033/6/61925193                 67100 Strasbourg/France   IRC #Debian (irc.icq.com)
Re: DDOS, Dictionary Attack... not sure what it is...
Joseph Brennan wrote:
> Michelle Konzack <[EMAIL PROTECTED]> wrote:
>
>>> since the server rejects unknown recipients right away.
>>
>> Here too, but it eats nearly 100% of System- and CPU-Resources...
>
>>> It might be worth looking for a couple of addresses that get hit
>>> repeatedly and temporarily activating them
>>
>> I have tried this too and it reduces the load down to 15% but they are
>> coming in really fast
>
> I don't understand how refusing after MAIL could take 6 times as much
> resources as accepting the message. By refusing, you don't receive
> the message body and you don't have to output the message to a mailer.
> That has to use less resources than accepting. I would be taking a
> close look at what your server is doing during rejection. This just
> seems very wrong to me.
>
> Joseph Brennan
> Columbia University Information Technology

Or he could talk with the folks at SpamCop about piping those emails straight to them for those phony addresses.
Re: DDOS, Dictionary Attack... not sure what it is...
Michelle Konzack <[EMAIL PROTECTED]> wrote:

>> since the server rejects unknown recipients right away.
>
> Here too, but it eats nearly 100% of System- and CPU-Resources...

>> It might be worth looking for a couple of addresses that get hit
>> repeatedly and temporarily activating them
>
> I have tried this too and it reduces the load down to 15% but they are
> coming in really fast

I don't understand how refusing after MAIL could take 6 times as much resources as accepting the message. By refusing, you don't receive the message body and you don't have to output the message to a mailer. That has to use less resources than accepting. I would be taking a close look at what your server is doing during rejection. This just seems very wrong to me.

Joseph Brennan
Columbia University Information Technology
Re: DDOS, Dictionary Attack... not sure what it is...
On 2008-01-02 10:14:51, Kelson wrote:
> Actually, it's still going on, but it doesn't have much of an impact
> since the server rejects unknown recipients right away.

Here too, but it eats nearly 100% of System- and CPU-Resources...

> It might be worth looking for a couple of addresses that get hit
> repeatedly and temporarily activating them, or even turning on a
> catch-all for 20 seconds or so, to capture some of the messages and see
> whether you're dealing with a botnet or backscatter.

I have tried this too and it reduces the load down to 15% but they are coming in really fast (faster than my server, which can handle 20-30 messages a second without any problems). So if I activate "catch-all" for 20 seconds (and I do not know when they come in) I immediately have several 100 or 1000 messages on the system...

Thanks, Greetings and nice Day
Michelle Konzack

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack                Apt. 917                  ICQ #328449886
50, rue de Soultz               MSN LinuxMichi
0033/6/61925193                 67100 Strasbourg/France   IRC #Debian (irc.icq.com)
Re: DDOS, Dictionary Attack... not sure what it is...
Mike Cisar wrote:
> Since about the 26th of Dec I've had one particular mailserver that has
> been dealing with a constant stream of crap... all emails to unknown
> users, all of the email addresses seem consistent (either 3
> 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
> another uppercased 'syllable'... or 2 uppercased 'syllables').
>
> They don't seem to be coming from any consistent IP address (or region).
> Problem is of course that the mailserver's connections get tied up
> processing rejecting this crap (and of course it's chewing up my transfer
> allocation bit by tiny bit).

There's one more piece of data needed before you decide on a course of action: what kind of email is being sent. Are you getting first-order spam, or are you getting bounce messages?

If all the target addresses are in the same domain, it could be as simple as this:

1. Spammer picks a random domain name known to exist: yours.
2. Spammer generates a bunch of random addresses at that domain.
3. Spammer sends out junk to thousands of targets using these addresses.
4. Thousands of servers send you the bounces, the sender verification checks, etc.

This happened a couple of weeks ago with one of my domain names. Similar pattern of addresses: FirstnameLastname@ FirstnameRandomwordLastname@ etc. Actually, it's still going on, but it doesn't have much of an impact since the server rejects unknown recipients right away.

It might be worth looking for a couple of addresses that get hit repeatedly and temporarily activating them, or even turning on a catch-all for 20 seconds or so, to capture some of the messages and see whether you're dealing with a botnet or backscatter.

--
Kelson Vibber
SpeedGate Communications
Re: DDOS, Dictionary Attack... not sure what it is...
alex wrote:
> why not use something like this that rejects ip blocks at the MTA level
>
> http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html
>
> it blocks anything on the "DUL" list which is a list the isp's put out of
> which ip's shouldn't be sending mail.
>
> the reject messages look like this
>
> Mail from 1.2.3.4 blocked using Trend Micro RBL+. Please see
> http://www.mail-abuse.com/cgi-bin/lookup?ip_address=1.2.3.4
>

because many of us consider the Trend Micro list (formerly MAPS...) unsafe. Their DUL does list static IPs, ... etc. but debating this is off topic.

anyway, the OP's problem is how to reduce the costs of the zombie connections, not how to reject them. He already rejects them at MTA level.
Re: DDOS, Dictionary Attack... not sure what it is...
why not use something like this that rejects ip blocks at the MTA level

http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html

it blocks anything on the "DUL" list which is a list the isp's put out of which ip's shouldn't be sending mail.

the reject messages look like this

Mail from 1.2.3.4 blocked using Trend Micro RBL+. Please see
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=1.2.3.4
Re: DDOS, Dictionary Attack... not sure what it is...
On 1 Jan 2008 [EMAIL PROTECTED] wrote:

> maybe I misread the laBrea docs that talk about capturing unused
> ip
>
> Could you show me configuration you use for labrea

There are some patches you need to apply to use LaBrea this way. See http://sourceforge.net/tracker/?group_id=70896&atid=529395

Apply these patches as well as the bugfix patches I submitted. I just posted the URL for the script that launches it.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*.
-- Charles Murray
---
144 days until the Mars Phoenix lander arrives at Mars
RE: DDOS, Dictionary Attack... not sure what it is...
On Tue, 1 Jan 2008, Robert - elists wrote:

> > When I say "tarpit" I don't mean an MTA-native "slow the SMTP
> > conversation down" model, I mean a genuine TCP tarpit that plays games
> > with window sizes to trap the attacker - that's what LaBrea does.
> >
> > I don't think the MTA should be tasked with tarpitting. Tarpitting is
> > a job for a dedicated tool. The most an MTA should do along these
> > lines is slowing responses after X number of bad recipient addresses
> > appear (assuming you don't simply terminate the session).
> >
> > But this doesn't really have much to do with SA...
>
> John and others...
>
> Ok, now I need clarification please..
>
> So you are saying this external to the MTA tarpitting process will
> not affect the server SMTP system and subsystems overall
> functionality?

In my case it will not, as I only tarpit traffic that is already blocked by firewall rules. The firewalling is almost exclusively for hosts that are rejected based on DNSBL checks but who keep trying anyway. The hosts being firewalled/tarpitted would be rejected by the MTA anyway were they to be let through.

There is some load on the system from the kernel packet matching rules for the hosts that are on the tarpit list, but I think that's relatively minor compared to the load from processing even a partial SMTP conversation.

Here is an automatic-firewall-and-tarpit script for sendmail:

http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*.
-- Charles Murray
---
144 days until the Mars Phoenix lander arrives at Mars
Re: DDOS, Dictionary Attack... not sure what it is...
>> > However, labrea may be great software ... but it is certainly not
>> > the software one wants to compete with a live machine for incoming
>> > connections.
>>
>> The way I run it, the IP addresses being tarpitted are IP addresses
>> that would be rejected anyway by zen et. al. DNSBL checks - they are
>> repeat offenders that have already been firewalled out (thus the MTA
>> never sees the traffic) and adding LaBrea simply adds a
>> trap-the-attacker response to the SYN packet rather than just
>> discarding the traffic.
>>

Hi John,

maybe I misread the laBrea docs that talk about capturing unused ip

Could you show me configuration you use for labrea

Wolfgang Hamann
RE: DDOS, Dictionary Attack... not sure what it is...
> When I say "tarpit" I don't mean an MTA-native "slow the SMTP
> conversation down" model, I mean a genuine TCP tarpit that plays games
> with window sizes to trap the attacker - that's what LaBrea does.
>
> I don't think the MTA should be tasked with tarpitting. Tarpitting is
> a job for a dedicated tool. The most an MTA should do along these
> lines is slowing responses after X number of bad recipient addresses
> appear (assuming you don't simply terminate the session).
>
> But this doesn't really have much to do with SA...
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/

John and others...

Ok, now I need clarification please..

So you are saying this external to the MTA tarpitting process will not affect the server SMTP system and subsystems overall functionality?

- rh
Re: DDOS, Dictionary Attack... not sure what it is...
On 1 Jan 2008 [EMAIL PROTECTED] wrote:

> However, labrea may be great software ... but it is certainly not
> the software one wants to compete with a live machine for incoming
> connections.

The way I run it, the IP addresses being tarpitted are IP addresses that would be rejected anyway by zen et. al. DNSBL checks - they are repeat offenders that have already been firewalled out (thus the MTA never sees the traffic) and adding LaBrea simply adds a trap-the-attacker response to the SYN packet rather than just discarding the traffic.

The overall load is *very* small on my end, and falls more on the kernel for BPF matching the packets from the list of tarpitted hosts. The net effect is the load on the MTA is *reduced*.

> If the target mailserver offers unlimited connections, sleeping a
> while might help (but consume process resources). If it has a
> maximum incoming connections setting, tarpitting would cause the
> server to block itself

When I say "tarpit" I don't mean an MTA-native "slow the SMTP conversation down" model, I mean a genuine TCP tarpit that plays games with window sizes to trap the attacker - that's what LaBrea does.

I don't think the MTA should be tasked with tarpitting. Tarpitting is a job for a dedicated tool. The most an MTA should do along these lines is slowing responses after X number of bad recipient addresses appear (assuming you don't simply terminate the session).

But this doesn't really have much to do with SA...

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If Microsoft made hammers, everyone would whine about how poorly screws were designed and about how they are hard to hammer in, and wonder why it takes so long to paint a wall using the hammer.
---
144 days until the Mars Phoenix lander arrives at Mars
Re: DDOS, Dictionary Attack... not sure what it is...
John D. Hardin wrote:
> On Tue, 1 Jan 2008, mouss wrote:
>
>> Tarpitting may not be the right answer, because "they" have a lot
>> more resources than us
>
> I may have misunderstood what Mike was saying in his original post - I
> thought that the traffic was originating from a single IP and that was
> what he had firewalled. Later messages indicate he's being flooded by
> a botnet and he'd firewalled his local IP, so tarpitting is obviously
> a less attractive solution - but, consider: if a few thousand bots get
> snared in his tarpit, are they blocked from spamming others for as
> long as they are snared? A tarpit is as much a community defense as it
> is a personal defense.

This assumes that a lot of people use tarpitting, but it doesn't seem to be so AFAIK.

I don't know how botnet spamware is coded, but given the advances in botnet practices, I would bet their "developers" are skilled enough to code an asynchronous client with non-blocking IO. So while keeping them connected for some time means the client system will have more open connections, this isn't enough to get them noticed.

> Agreed, a DNSBL using the zen list is a better way to defend against a
> spambot network.

at least as long as zombies aren't blocked by local firewalls or by their ISPs!
Re: DDOS, Dictionary Attack... not sure what it is...
>> On Tue, 1 Jan 2008, mouss wrote:
>>
>> > John D. Hardin wrote:
>> > > On Mon, 31 Dec 2007, Mike Cisar wrote:
>> > >
>> > >> Even tried yanking the IP address off of the server over the
>> > >> holidays in the hope that whatever it was would just give up. No
>> > >> such luck, within a minute of reactivating the IP to the server
>> > >> this morning the traffic was back to full flow.
>> > >
>> > > Tarpit 'em.
>> > >
>> > > http://sourceforge.net/projects/labrea
>> >
>> > Tarpitting may not be the right answer, because "they" have a lot
>> > more resources than us
>>
>> I may have misunderstood what Mike was saying in his original post - I
>> thought that the traffic was originating from a single IP and that was
>> what he had firewalled. Later messages indicate he's being flooded by
>> a botnet and he'd firewalled his local IP, so tarpitting is obviously
>> a less attractive solution - but, consider: if a few thousand bots get
>> snared in his tarpit, are they blocked from spamming others for as
>> long as they are snared? A tarpit is as much a community defense as it
>> is a personal defense.

I would guess that spambots would work sequentially (or probably a fixed number of processes sending sequentially) so that they - and others they want to send to - benefit from tarpitting.

However, labrea may be great software ... but it is certainly not the software one wants to compete with a live machine for incoming connections.

If the target mailserver offers unlimited connections, sleeping a while might help (but consume process resources). If it has a maximum incoming connections setting, tarpitting would cause the server to block itself.

Wolfgang Hamann
Re: DDOS, Dictionary Attack... not sure what it is...
On Tue, 1 Jan 2008, mouss wrote:

> John D. Hardin wrote:
> > On Mon, 31 Dec 2007, Mike Cisar wrote:
> >
> >> Even tried yanking the IP address off of the server over the
> >> holidays in the hope that whatever it was would just give up. No
> >> such luck, within a minute of reactivating the IP to the server
> >> this morning the traffic was back to full flow.
> >
> > Tarpit 'em.
> >
> > http://sourceforge.net/projects/labrea
>
> Tarpitting may not be the right answer, because "they" have a lot
> more resources than us

I may have misunderstood what Mike was saying in his original post - I thought that the traffic was originating from a single IP and that was what he had firewalled. Later messages indicate he's being flooded by a botnet and he'd firewalled his local IP, so tarpitting is obviously a less attractive solution - but, consider: if a few thousand bots get snared in his tarpit, are they blocked from spamming others for as long as they are snared? A tarpit is as much a community defense as it is a personal defense.

Agreed, a DNSBL using the zen list is a better way to defend against a spambot network.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
W-w-w-w-w-where did he learn to n-n-negotiate like that?
---
144 days until the Mars Phoenix lander arrives at Mars
Re: DDOS, Dictionary Attack... not sure what it is...
On Tue, 1 Jan 2008, mouss wrote:

> Matthias Schmidt wrote:
>
> best wishes to everybody, even spam senders ;-p (but spam won't be
> tolerated, even today!).

Dunno about you, but after a significant increase in greeting card spam today I had to rescind any wishes towards spammers that got away from me earlier :-p.

Best wishes for all (err... okay... "everyone else") and may 2008 be a spamless year!
Re: DDOS, Dictionary Attack... not sure what it is...
Matthias Schmidt wrote:
> Happy New Year everyone :-)
>
> On Tue, 1 Jan 2008 04:20:42 +0100, mouss wrote:
>
>> John D. Hardin wrote:
>>
>>> On Mon, 31 Dec 2007, Mike Cisar wrote:
>>>
>>>> Even tried yanking the IP address off of the server over the
>>>> holidays in the hope that whatever it was would just give up. No
>>>> such luck, within a minute of reactivating the IP to the server
>>>> this morning the traffic was back to full flow.
>>>
>>> Tarpit 'em.
>>>
>>> http://sourceforge.net/projects/labrea
>>>
>> Tarpitting may not be the right answer, because "they" have a lot more
>> resources than us (greetpause seems to work, if you use an asynchronous
>> server or proxy, i.e. one which can do other things while "sleeping").
>>
>> you can reduce the load by having your server drop the connection when
>> it rejects the mail, using 421 code.
>> depending on the server, it may be possible to do this at connection
>> time using zen.spamhaus.org (which lists many zombies).
>>
>> It may also be good to reduce the timeout when the server is under attack.
>
> but could this not also cause losing legitimate email?

the timeout must be reduced to a "reasonable" value. currently, most MTAs implement "safe" values (RFC 2821 has some recommendations about the minimum timeout at each stage), but today the internet is faster than it was years ago. you can sniff legitimate traffic and see that it is much faster than your current MTA timeout values.

> my server was also under attack 2 or 3 months ago.
> I tried the same thing as the op (listing ips in the fw etc), but these
> things didn't help at all.
>
> Most of the mails (>90%) were already dropped, because the ip didn't
> resolve (cannot find your hostname), the next 9.9% were caught by
> blacklists and only a very little number was rejected, because of
> unknown user name.
> One possibility might be to do the ip-check already through a hardware
> firewall.

There is one issue here: Normal MTAs would retry if you don't reject them "properly" by the MTA. some MTAs only understand few errors, and you mostly need to reject them at RCPT TO stage. so one needs to drop connections from zombies before they reach the MTA (using zen.spamhaus.org for example), and reject other clients normally.

> But one actually can't do anything against the traffic coming to one's
> "indoor".
>
> best wishes to everybody (not to the spamsenders of course ;-) for 2008

best wishes to everybody, even spam senders ;-p (but spam won't be tolerated, even today!).
Re: DDOS, Dictionary Attack... not sure what it is...
Happy New Year everyone :-)

On Tue, 1 Jan 2008 04:20:42 +0100, mouss wrote:

>John D. Hardin wrote:
>> On Mon, 31 Dec 2007, Mike Cisar wrote:
>>
>>> Even tried yanking the IP address off of the server over the
>>> holidays in the hope that whatever it was would just give up. No
>>> such luck, within a minute of reactivating the IP to the server
>>> this morning the traffic was back to full flow.
>>
>> Tarpit 'em.
>>
>> http://sourceforge.net/projects/labrea
>
>Tarpitting may not be the right answer, because "they" have a lot more
>resources than us (greetpause seems to work, if you use an asynchronous
>server or proxy, i.e. one which can do other things while "sleeping").
>
>you can reduce the load by having your server drop the connection when
>it rejects the mail, using 421 code.
>depending on the server, it may be possible to do this at connection
>time using zen.spamhaus.org (which lists many zombies).
>
>It may also be good to reduce the timeout when the server is under attack.

but could this not also cause losing legitimate email?

my server was also under attack 2 or 3 months ago. I tried the same thing as the op (listing ips in the fw etc), but these things didn't help at all.

Most of the mails (>90%) were already dropped, because the ip didn't resolve (cannot find your hostname), the next 9.9% were caught by blacklists and only a very little number was rejected, because of unknown user name. One possibility might be to do the ip-check already through a hardware firewall.

But one actually can't do anything against the traffic coming to one's "indoor".

best wishes to everybody (not to the spamsenders of course ;-) for 2008

Matthias
Re: DDOS, Dictionary Attack... not sure what it is...
John D. Hardin wrote:
> On Mon, 31 Dec 2007, Mike Cisar wrote:
>
>> Even tried yanking the IP address off of the server over the
>> holidays in the hope that whatever it was would just give up. No
>> such luck, within a minute of reactivating the IP to the server
>> this morning the traffic was back to full flow.
>
> Tarpit 'em.
>
> http://sourceforge.net/projects/labrea

Tarpitting may not be the right answer, because "they" have a lot more resources than us (greetpause seems to work, if you use an asynchronous server or proxy, i.e. one which can do other things while "sleeping").

you can reduce the load by having your server drop the connection when it rejects the mail, using 421 code. depending on the server, it may be possible to do this at connection time using zen.spamhaus.org (which lists many zombies).

It may also be good to reduce the timeout when the server is under attack.
RE: DDOS, Dictionary Attack... not sure what it is...
--On Monday, December 31, 2007 4:00 PM -0700 Mike Cisar <[EMAIL PROTECTED]> wrote:

> I haven't counted, but based on the flow, I'd estimate I've seen about
> 1000 distinct IP's... that is what leads me to believe it's some sort of
> distributed attack. There are some repeat recipients, from different IP's
> at different times. Like a whole bunch of little zombies all working off
> of the same list.

That's what a spam botnet looks like. There are usually a few hundred thousand hosts working the same list. If you have not seen this many times before, lucky you.

Joseph Brennan
Columbia University Information Technology
Re: DDOS, Dictionary Attack... not sure what it is...
Mike Cisar <[EMAIL PROTECTED]> wrote:

> They don't seem to be coming from any consistent IP address (or region).
> Problem is of course that the mailserver's connections get tied up
> processing rejecting this crap (and of course it's chewing up my transfer
> allocation bit by tiny bit).
>
> The addresses are similar to these...
>
> IgnaciogalvestonBriggs@
> DallasexhibitionAlvarado@
> ReginaldFleming@

I see them here too (columbia.edu). Sometimes the sender domain does not exist, and otherwise the recipient is no good. There are not many that get as far as a milter, but here are some. Looks like gambling.

Example 1: Rejected for a one-word HELO (i.e. it had no dots). Its subject was "Single-hand blackjack.."

Example 2: Sender host was in Spamhaus. "Come see what it means to be a VIP."

Example 3: Another Spamhaus catch. "Get your bonus and walk the red carpet to winnings and fun."

Note in passing, envelope senders =~ /<[A-Z][a-z]+[A-Z][a-z]\@/ seem to be quite rare, other than spam. I don't know what is in the header From: since I can't find any reported to us.

The unknown senders and recipients should be a fast rejection. You can stop at MAIL or RCPT. You can't get better than that unless you can reject by sender IP, which is not practical with a botnet.

Joseph Brennan
Columbia University Information Technology
RE: DDOS, Dictionary Attack... not sure what it is...
> > I'm not sure whether it's supposed to be a DDOS attack, a dictionary
> > attack, bunch-o-bots or what. Since about the 26th of Dec I've had one
> > particular mailserver that has been dealing with a constant stream of
> > crap...
>
> That is, if a specific IP address tries sending to bad users more than X
> number of times, it then blocks that IP address from connecting at all
> for a set period of time.

That was my first thought, unfortunately I don't seem to get any more than 1 or 2 attempts from any given IP address (probably due to my server dropping the connection based on some existing configuration I have in place). But the same will then happen from another IP, in a different part of the world, addressed to a different but similar non-existing address... and so on, and so on.

I haven't counted, but based on the flow, I'd estimate I've seen about 1000 distinct IP's... that is what leads me to believe it's some sort of distributed attack. There are some repeat recipients, from different IP's at different times. Like a whole bunch of little zombies all working off of the same list.

Cheers,
> Mike <
Re: DDOS, Dictionary Attack... not sure what it is...
On Mon, 31 Dec 2007, Mike Cisar wrote:

> Even tried yanking the IP address off of the server over the
> holidays in the hope that whatever it was would just give up. No
> such luck, within a minute of reactivating the IP to the server
> this morning the traffic was back to full flow.

Tarpit 'em.

http://sourceforge.net/projects/labrea

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Users mistake widespread adoption of Microsoft Office as the development of a standard document format.
---
145 days until the Mars Phoenix lander arrives at Mars
Re: DDOS, Dictionary Attack... not sure what it is...
Mike Cisar wrote:
> Hi All,
>
> A bit off topic since the users are all unknown so the traffic never
> makes it to my spamassassin. But I am hoping that someone here may have
> seen the same thing and have a solution for making the problem
> "go-away" :-)
>
> I'm not sure whether it's supposed to be a DDOS attack, a dictionary
> attack, bunch-o-bots or what. Since about the 26th of Dec I've had one
> particular mailserver that has been dealing with a constant stream of
> crap... all emails to unknown users, all of the email addresses seem
> consistent (either 3 'syllables'... an uppercased 'syllable', a
> lowercased 'syllable' and another uppercased 'syllable'... or 2
> uppercased 'syllables'). They don't seem to be coming from any
> consistent IP address (or region). Problem is of course that the
> mailserver's connections get tied up processing rejecting this crap (and
> of course it's chewing up my transfer allocation bit by tiny bit).
>
> The addresses are similar to these...
>
> IgnaciogalvestonBriggs@
> DallasexhibitionAlvarado@
> ReginaldFleming@
>
> Even tried yanking the IP address off of the server over the holidays in
> the hope that whatever it was would just give up. No such luck, within a
> minute of reactivating the IP to the server this morning the traffic was
> back to full flow.

I don't know that it will really help, but I know that on the qmail servers that I've been building, John Simpson wrote a patch that looks for that. It's called validrcptto. It looks for users existing on the system before accepting any emails (using a cdb file format), and rejects those instantly that don't exist. For situations like yours, it has a 'strikes' rule that you can enable. That is, if a specific IP address tries sending to bad users more than X number of times, it then blocks that IP address from connecting at all for a set period of time.

Whatever your MTA might be, there may be similar functionality that you can build into the SMTPD process, or at least, that you can put in FRONT of the SMTPD process.

Good luck with it!
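The per-IP "strikes" rule described in this reply, Kelson's suggestion earlier in the thread to look for recipient addresses that get hit repeatedly, and Joseph Brennan's observation about CamelCase envelope senders, worked through as an added example that is not from any poster in the thread: a Python script over constructed Postfix-style "User unknown" reject lines. The log format, the client IPs (documentation ranges) and the sender names are assumptions; the recipient shapes are the ones Mike quoted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Postfix-style rejections of unknown recipients at RCPT
# time. Log format, client IPs and sender names are assumptions; the recipient
# local parts reuse the shapes quoted in the thread.
SAMPLE_LOG = """\
Jan  2 10:14:01 mx postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <IgnaciogalvestonBriggs@example.org>: Recipient address rejected: User unknown; from=<JohnSmith@example.net>
Jan  2 10:14:03 mx postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ReginaldFleming@example.org>: Recipient address rejected: User unknown; from=<MariaLopez@example.com>
Jan  2 10:14:09 mx postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <DallasexhibitionAlvarado@example.org>: Recipient address rejected: User unknown; from=<PeterJones@example.net>
Jan  2 10:14:30 mx postfix/smtpd[4015]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <IgnaciogalvestonBriggs@example.org>: Recipient address rejected: User unknown; from=<>
Jan  2 10:14:41 mx postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <ReginaldFleming@example.org>: Recipient address rejected: User unknown; from=<AnnaBell@example.net>
Jan  2 10:20:15 mx postfix/smtpd[4017]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <IgnaciogalvestonBriggs@example.org>: Recipient address rejected: User unknown; from=<CarlaNunez@example.com>
Jan  2 10:25:00 mx postfix/smtpd[4020]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.20]: 550 5.1.1 <bob.smith@example.org>: Recipient address rejected: User unknown; from=<bob.smith@example.com>
Jan  2 10:30:00 mx postfix/smtpd[4022]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <IgnaciogalvestonBriggs@example.org>: Recipient address rejected: User unknown; from=<DianaWest@example.net>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[0-9.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown; from=<(?P<sender>[^>]*)>"
)

# Two CamelCase 'syllables'; the three-syllable Upper-lower-Upper form collapses
# into this because the lowercase middle word cannot be split from the first.
DICT_SHAPE = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+$")


def looks_dictionary_generated(address):
    """True when the local part has the Firstname[word]Lastname shape."""
    local = address.split("@", 1)[0]
    return DICT_SHAPE.match(local) is not None


def parse_rejects(text):
    """Extract timestamp, client IP, recipient and envelope sender per reject."""
    rejects = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog lines carry no year; 2008 is assumed for the sample
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2008)
        rejects.append({"ts": ts, "ip": m["ip"], "rcpt": m["rcpt"], "sender": m["sender"]})
    return rejects


def strike_offenders(rejects, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window strikes: IPs with >= threshold bad RCPTs inside `window`.

    Returns {ip: time of the strike that crossed the threshold}, i.e. the
    moment a validrcptto-style rule would start refusing the connection.
    """
    by_ip = defaultdict(list)
    for r in rejects:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged


def repeat_recipients(rejects, min_sources=2):
    """Unknown recipients probed from at least `min_sources` distinct IPs."""
    sources = defaultdict(set)
    for r in rejects:
        sources[r["rcpt"]].add(r["ip"])
    return {rcpt: len(ips) for rcpt, ips in sources.items() if len(ips) >= min_sources}


def summarize(text, threshold=3, window=timedelta(minutes=5)):
    rejects = parse_rejects(text)
    return {
        "rejects": len(rejects),
        "dictionary_shaped_rcpt": sum(looks_dictionary_generated(r["rcpt"]) for r in rejects),
        "dictionary_shaped_sender": sum(looks_dictionary_generated(r["sender"]) for r in rejects),
        "strike_offenders": strike_offenders(rejects, threshold, window),
        "repeat_recipients": repeat_recipients(rejects),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With a botnet spreading one or two attempts per IP, as Mike reports, the strike rule fires rarely while the repeat-recipient count still exposes the shared list.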