Gentoo Forums
Advice on how to handle NDR and DSN Attack
SmegTheLight
Tux's lil' helper
Joined: 05 Jul 2002
Posts: 97
Location: 3rd Planet

Posted: Tue Oct 07, 2008 10:57 pm    Post subject: Advice on how to handle NDR and DSN Attack

Using Postfix 2.5.2 / Amavis-New / SpamAssassin / Clamd

About 10 hours ago, one of our email accounts became the unwitting "From" line for some spammer of the day.
Since then, the NDR/DSN bounce messages have been flooding in at about 200-300 / minute.

We've had this in the past, but nothing of this scale.

Using postfix, I have blocked the email address in question, but that is preventing ALL mail from making it in.

I have checked out the Postfix Backscatter howto at http://www.postfix.org/BACKSCATTER_README.html, but the header/body checks there only work if someone is actually trying to pretend to be you. Everything would work great if all the mail servers blocked SENDING NDR/DSNs back from blatantly bogus servers, but they don't - none of the "received froms" even have a portion of my domain in them. :?

It looks like I am going to have to try and figure out a funky regex to reject everything EXCEPT the valid "received from"... Argh!!

I realize I am stuck with the traffic and extra load on the servers until the storm hopefully passes,
but does anyone have any other ideas to filter out the crap bounce messages so at least some normal mail can make it in ?
SeaTiger
l33t
Joined: 22 Nov 2007
Posts: 603
Location: Toronto, Ontario, Canada

Posted: Wed Oct 08, 2008 1:42 am

Do you have rbl client in your main.cf?
SmegTheLight
Tux's lil' helper
Joined: 05 Jul 2002
Posts: 97
Location: 3rd Planet

Posted: Wed Oct 08, 2008 3:21 am

I have reject_rbl_client zen.spamhaus.org in my smtpd_recipient_restrictions.

This isn't just idle spam trying to get to me as a delivery failure notice, but actual delivery failure notices from what looks like many thousands of legitimate, though poorly configured mail hosts.

I have just added the blocklist from http://www.backscatterer.org and it is helping a bit.
SeaTiger
l33t
Joined: 22 Nov 2007
Posts: 603
Location: Toronto, Ontario, Canada

Posted: Wed Oct 08, 2008 4:44 am

Thank you! Actually you helped me in return. I wasn't using backscatterer before.

Well, my company server used to get like 30k to 40k junk email connections based on logwatch, which were all blocked by rbl. And with rbl, as long as they are blocked, the server doesn't have much load since the connection is actually dropped, therefore the actual junk mail doesn't come in at all. That saved lots of bandwidth too. The only side effect is that my logwatch email is looooooooooong 8O
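The two posts above combine zen.spamhaus.org with the backscatterer.org list. The backscatterer list names hosts that emit bounces, including otherwise legitimate mail servers, so applying it to every connection would block the normal mail the original poster wants to keep; the usual Postfix answer is to scope it, via a restriction class, to mail that can only be a bounce (null sender or postmaster@). The snippet below is an added illustration, not either poster's configuration; it assumes the DNSBL zone name ips.backscatterer.org and the table path /etc/postfix/sender_backscatter.

```conf
# /etc/postfix/main.cf (added example, not from the thread)
# A restriction class lets the backscatterer lookup run only for
# senders matched in the access table below, not for all mail.
smtpd_restriction_classes = backscatter_check
backscatter_check = reject_rbl_client ips.backscatterer.org

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    # null sender / postmaster@ -> backscatter_check; everyone else falls through
    check_sender_access hash:/etc/postfix/sender_backscatter,
    # the poster's existing Spamhaus check applies to every client
    reject_rbl_client zen.spamhaus.org,
    permit

# /etc/postfix/sender_backscatter  (assumed path; run: postmap /etc/postfix/sender_backscatter)
# "<>" is Postfix's default lookup key for the null sender
# (smtpd_null_access_lookup_key); "postmaster@" matches any postmaster localpart.
<>             backscatter_check
postmaster@    backscatter_check
```

Bounces from listed hosts are then refused at SMTP time, before Amavis/SpamAssassin/Clamd see them, while mail with a real sender address from the same hosts is still accepted.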