SMTP flood + spamdb


SMTP flood + spamdb

patrick keshishian
Hi all,

At around 1:40 PM (PDT) my SMTP server started getting flooded
by an enormous number of connections.  The connections were for
seemingly random "users" @my-domain-name.

I'm running spamdb in greylist mode, but these servers were
getting white-listed very quickly.

$ /usr/sbin/spamdb | /usr/bin/grep -c ^WHITE
717

Typical value for above is not more than 20.  Traffic going
in/out of my mail-server is minimal.

I would remove them from the WHITE list and they would fill up
almost immediately.

My guess is someone is using these faked addresses (user@my-domain)
to send out SPAM and I'm getting the bounces from these.

I'm basically looking for opinions as to how to combat this problem
right now.  I'm not even 100% on the bounced email theory, but
this had happened to me once before back in May 2003, though then the
bounces were mainly from the gc.ca domain.

I use gmane to read the list. If not too much to ask, please CC
me on your reply(ies).

Thanks,
--patrick

p.s., Server is running cvs updated -rOPENBSD_4_1 code.


Re: SMTP flood + spamdb

Darrin Chandler
On Sun, Sep 23, 2007 at 03:33:03PM -0700, patrick keshishian wrote:
> At around 1:40 PM (PDT) my SMTP server started getting flooded
> by enormous amount of connections.  The connections were for
> seemingly random "users" @my-domain-name.
>
> I'm running spamdb in greylist mode, but these servers were
> getting white-listed very quickly.
>
> $ /usr/sbin/spamdb | /usr/bin/grep -c ^WHITE
> 717

I've seen something *very* similar. In my case the "user" portions
seemed random at first glance, but some were repeated a LOT. See if you
have that, too. If so, enter those "random" addresses as SPAMTRAP
entries. That way they're blocked for 24 hours, and will reblock
themselves if they persist.

I had also done a log tailer that added to a blacklist, but that turned
out not to be needed with the above. ymmv.

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[hidden email]   |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation


Re: SMTP flood + spamdb

patrick keshishian
On 9/23/07, Darrin Chandler <[hidden email]> wrote:

> On Sun, Sep 23, 2007 at 03:33:03PM -0700, patrick keshishian wrote:
> > At around 1:40 PM (PDT) my SMTP server started getting flooded
> > by enormous amount of connections.  The connections were for
> > seemingly random "users" @my-domain-name.
> >
> > I'm running spamdb in greylist mode, but these servers were
> > getting white-listed very quickly.
> >
> > $ /usr/sbin/spamdb | /usr/bin/grep -c ^WHITE
> > 717
>
> I've seen something *very* similar. In my case the "user" portions
> seemed random at first glance, but some were repeated a LOT. See if you
> have that, too. If so, enter those "random" addresses as SPAMTRAP
> entries. That way they're blocked for 24 hours, and will reblock
> themselves if they persist.


They seemed pretty random to me, but I did a quick
check after reading your response and I see 468 unique
"fake" email address @my-domain, only one was
duplicated twice.

This was in the span of about 1 hour, from 13:38 to 14:31
Pacific time.  After which I enabled filtering of SMTP port
'til I figure out what I am going to do.

I can't imagine entering all those addresses as spamtraps.


Another user suggested greytrapping in private email,
which made me reread spamd(8) a couple of times, at
least the 'GREYTRAPPING' section, which mentions
the /etc/mail/spamd.alloweddomains file.  It doesn't specifically
say one could use it to enter valid email addresses in that
file, but a naive look at the source spamd/grey.c suggests
it could work.  I plan on giving this a try unless someone
from the list advises against it.


Is there any way one could flush the GREY entries from
spamdb?  I had the problem where I would clear the WHITE
entries that didn't belong, but the WHITE list would grow
rapidly out of control again.

I'm not sure if this is related or not, but I have noticed
that a few times yesterday and once again tonight around 8PM
PDT, spamd-setup failed on ftp with "connection time out".

Thanks for all the replies.



> I had also done a log tailer that added to a blacklist, but that turned
> out not to be needed with the above. ymmv.
>
> --
> Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
> [hidden email]   |  http://phxbug.org/      |  http://metabug.org/
> http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
>


--
"How romantic. Two lovers' first kiss shared on
 the banks of the river Seine" -- LL as CK  (ep.72 s04e06)


Re: SMTP flood + spamdb

Daniel Ouellet
patrick keshishian wrote:
> They seemed pretty random to me, but I did a quick
> check after reading your response and I see 468 unique
> "fake" email address @my-domain, only one was
> duplicated twice.

Put greyscanner from Bob in there and sit back and enjoy the look! (;>

Make sure you pick the version for your OS however: 4.0 and below, as
opposed to 4.1.

It will take care of that in a heartbeat!


Re: SMTP flood + spamdb

Peter Nicolai Mathias Hansteen
In reply to this post by patrick keshishian
"patrick keshishian" <[hidden email]> writes:

> I'm running spamdb in greylist mode, but these servers were
> getting white-listed very quickly.

Then it sounds almost like you were running with a too short passtime,
but then that's easy to adjust.

> At around 1:40 PM (PDT) my SMTP server started getting flooded
> by enormous amount of connections.  The connections were for
> seemingly random "users" @my-domain-name.

We've been seeing a lot of that here, too.  Mostly it's a few (maybe
20) a day to the most widely known domain here, then occasionally
somebody pushes the "generate" button for too long and one domain
almost nobody actually uses gets the bounces for 700+ fake
addresses[1].  Bob Beck's greyscanner is rather effective, as are the
more manual methods; I've blogged about the observations quite a bit,
starting with [2].

Short summary for those who are not too interested in blog posts: I
started seeing more than the usual amount of bounce activity in my
mail server log summaries, close enough to what you describe.  So
after a bit of thinking and log browsing I decided this was generated
mainly by misconfigured mail servers bouncing spam.  Then I decided I
wanted to do an experiment, to see if I could poison the well and at
the same time get a feel for the data I was collecting.

I started publishing the fake addresses on a web page[3] as well as
entering them into the list of trap addresses.  I've been seeing
evidence that the addresses are actually being harvested and used as
to-be-spammed addresses too: addresses which are all uppercase on the
web page turning up in the spamd logs and greylist dumps in all
lowercase, addresses which have been on my flypaper list for months
turn up all the time, and we see a steadily growing number of hosts in
TRAPPED state.

My users here are not getting any more spam than they used to (as
close as does not matter to none), false positives are pretty much an
unknown, and it looks like we're succeeding in making the spammers
work harder.

[1] http://bsdly.blogspot.com/2007/08/lady-in-distress-or-then-again-maybe.html
[2] http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html
[3] http://www.bsdly.net/~peter/traplist.html

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: SMTP flood + spamdb

Stuart Henderson
In reply to this post by patrick keshishian
On 2007/09/23 20:53, patrick keshishian wrote:
>
> They seemed pretty random to me, but I did a quick
> check after reading your response and I see 468 unique
> "fake" email address @my-domain, only one was
> duplicated twice.

What's the problem, they'll just be dropped "user unknown"
by your MTA won't they?


Re: SMTP flood + spamdb

patrick keshishian
On 9/24/07, Stuart Henderson <[hidden email]> wrote:
> On 2007/09/23 20:53, patrick keshishian wrote:
> >
> > They seemed pretty random to me, but I did a quick
> > check after reading your response and I see 468 unique
> > "fake" email address @my-domain, only one was
> > duplicated twice.
>
> What's the problem, they'll just be dropped "user unknown"
> by your MTA won't they?

It wouldn't be a problem if it didn't mimic a DDOS attack.
Getting bombarded by many dozens of SMTP connections in a very
short time-span is a bit alarming (at least it was to me).

Other than that, I agree, sendmail would drop them as "User
unknown" and that's the end of story.


Btw, your "reply-to" field contains my e-mail address.  Is that
intended?

Cheers,
--patrick


Re: SMTP flood + spamdb

patrick keshishian
In reply to this post by Peter Nicolai Mathias Hansteen
On 9/23/07, Peter N. M. Hansteen <[hidden email]> wrote:
> "patrick keshishian" <[hidden email]> writes:
>
> > I'm running spamdb in greylist mode, but these servers were
> > getting white-listed very quickly.
>
> Then it sounds almost like you were running with a too short passtime,
> but then that's easy to adjust.

The default (which I believe is 25 minutes).


> > At around 1:40 PM (PDT) my SMTP server started getting flooded
> > by enormous amount of connections.  The connections were for
> > seemingly random "users" @my-domain-name.
>
> We've been seeing a lot of that here, too.  Mostly it's a few (maybe
> 20) a day to the most widely known domain here, then occasionally
> somebody pushes the "generate" button for too long and one domain
> almost nobody actually uses gets the bouces for 700+ fake
> addresses[1].  Bob Beck's greyscanner is rather effective, as is the
> more manual methods I've blogged about the observations quite a bit,
> starting with [2].

I have just re-opened my SMTP port which I had shut since 1440
Sunday. Not 1 hour has passed yet and my GREY list is almost
at 300.

I've added about 250 (count at the time) bogus emails to the
greytrap list, but since they are unique I don't think it will
help the situation much.

I'm very certain right now that this flood is due to a spammer
using these fake addresses @my-domain-name to spam these mail
servers (all around the world -- Japan, South America, US,
Germany, Ireland, etc...) and I'm getting the brunt of it in
the form of these bounced messages.

At this point I think I have no other choice but to wait out
the "storm".


> Short summary for those who are not too interested in blog posts: I
> started seeing more than the usual amount of bounce activity in my
> mail server log summaries, close enough to what you describe.  So
> after a bit of thinking and log browsing I decided this was generated
> mainly by misconfigured mail servers bouncing spam.  Then I decided I
> wanted to do an experiment, to see if I could poison the well and at
> the same time get a feel for the data I was collecting.


When you speak of "misconfigured mail servers bouncing spam",
what exactly is a "proper configured mail server" supposed to
do with spam directed at non-existing user @their-host-name?

Just curious.


FYI, as of now my:

 - GREY list count is 342 (and growing)
 - unique bogus email count is 341
 - ESTABLISHED spamd connection count is 63 (and growing)


This is not fun :-\



> I started publishing the fake addresses on a web page[3] as well as
> entering them into the list of trap addresses.  I've been seeing
> evidence that the addresses are actually being harvested and used as
> to-be-spammed addresses too: addresses which are all uppercase on the
> web page turning up in the spamd logs and greylist dumps in all
> lowercase, addresses which have been on my flypaper list for months
> turn up all the time, and we see a steadily growing number of hosts in
> TRAPPED state.
>
> My users here are not getting any more spam than they used to (as
> close as does not matter to none), false positives are pretty much an
> unknown, and it looks like we're succeeding in making the spammers
> work harder.
>
> [1] http://bsdly.blogspot.com/2007/08/lady-in-distress-or-then-again-maybe.html
> [2] http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html
> [3] http://www.bsdly.net/~peter/traplist.html


Re: SMTP flood + spamdb

Peter Nicolai Mathias Hansteen
"patrick keshishian" <[hidden email]> writes:

> When you speak of "misconfigured mail servers bouncing spam",
> what exactly is a "proper configured mail server" supposed to
> do with spam directed at non-existing user @their-host-name?

The real question in there is, what does a properly configured mail
server do with spam?  My answer is, if it gets as far as content
filtering, drop it as soon as it's classified as spam, don't bounce
it.  Bouncing spam is never useful, the purported return address is
extremely unlikely to be deliverable.

A bounce is only useful for valid messages (which happen to be sent to
a mistyped address), which in our context means that the message has
passed greylisting and most likely some content filtering or other.
In all likelihood you will still bounce to a few bogus ones, but
taking this approach makes you a lot less noisy.

The noise you are seeing is from sites which either don't bother much
with filtering, or if they do, belong to that little cult of "bouncing
spam is good" believers.

>  - GREY list count is 342 (and growing)
>  - unique bogus email count is 341
>  - ESTABLISHED spamd connection count is 63 (and growing)

Unless your spamd box is extremely skinny, none of these figures are
particularly worrying.  spamd allocates IIRC about 12 kilobytes of
buffers per tarpitted host, for greylist entries just another tuple in
the database.

My list of trap addresses, all harvested from stuff from out there, is
just over 2700.  Right now there are 273 hosts in the greylist at the
gateway closest to where I'm sitting (my home net, actually), with 533
in TRAPPED state.

> This is not fun :-\

Well, it should not be a huge problem.  IMO people who fake addresses
in other people's domains should be prosecuted for some variety of
fraud, but with the current level of digital competence in law
enforcement that is just not going to happen.  In the meantime we have
reasonable countermeasures.  See what greyscanner can do for you.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: SMTP flood + spamdb

Craig Skinner
In reply to this post by patrick keshishian
patrick keshishian wrote:

>
> I'm very certain right now, this flood is due to a spammer
> using these fake addresses @my-domain-name to spam these mail
> server (all around the world -- Japan, South America, US,
> Germany, Ireland, etc...) and I'm getting the brunt of it in
> the form of these bounced messages.
>
> At this point I think I have no other choice but to wait out
> the "storm".
>

Read up on "backscatter spam".

This is a deliberate attack on your domain.

How it works:

A spammer uses infected home user boxes to send random mail to various
domains, with fake random addresses in your domain as the from or
reply-to address.

When the target domain of that initial mail does not do recipient
validation at the smtp connection stage (as it should do), but spools
and then rejects the mail - to you - you are the real target.

Greylisting is of no use whatsoever because the servers sending the
bounces to you are actual smtp boxes (sendmail, extrange, ....), not
malware, so they will quickly bypass spamd. Spamd greytraps will help a
great deal, but you say that the addresses are random.


How to cope with it:

All you can do is make sure that you reject mail for unknown users at
the smtp connection stage. You can rate limit most mail daemons so they
don't overwhelm your box. Don't worry about it, I sometimes have up to
1300 messages a minute hitting my PII 350 box on a 500M ADSL and can not
tell the difference when surfing about.


How to run a mailserver:

Reject mail for unknown users at the initial smtp connection stage.

For valid users; either reject spam at the smtp connection stage, or
spool it, process it later, tag it as spam and deliver it to the user's
spam box - do not bounce it later as you will then be generating
backscatter for some other poor soul.

Note: some versions of exchange can not do recipient validation at the
smtp connection stage, so this will always be a problem, and is yet
another reason never to have exchange as an internet facing mail server.


Re: SMTP flood + spamdb

Peter Nicolai Mathias Hansteen
Craig Skinner <[hidden email]> writes:

> malware, so they will quickly bypass spamd. Spamd greytraps will help
> a great deal, but you say that the addresses are random.

I think what happened here is that somebody let the random address
generator run for longer than intended.  

One or more spammer groups have been doing similar things to some of
the domains I admin for some months now, and the typical rate of new,
essentially random, addresses found per day is about 20, sometimes as
high as 50, and in one case more than 700.  That last one was probably
a case of asleep at the wheel too.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: SMTP flood + spamdb

Stuart Henderson
In reply to this post by patrick keshishian
On 2007/09/25 00:08, patrick keshishian wrote:
>
> I'm very certain right now, this flood is due to a spammer
> using these fake addresses @my-domain-name to spam these mail
> server (all around the world -- Japan, South America, US,
> Germany, Ireland, etc...) and I'm getting the brunt of it in
> the form of these bounced messages.
>
> At this point I think I have no other choice but to wait out
> the "storm".

If it's compatible with how you use the domain, it might help
to publish SPF records.

> When you speak of "misconfigured mail servers bouncing spam",
> what exactly is a "proper configured mail server" supposed to
> do with spam directed at non-existing user @their-host-name?

The correct behaviour is to reject it at the SMTP port, rather
than issue a bounce.

Also: all hosts listed in MX records should be aware of the
list of valid users and do the same. For sendmail, this is easy
to do with the access map. For Postfix, relay_recipient_maps.

> FYI, as of now my:
>
>  - GREY list count is 342 (and growing)
>  - unique bogus email count is 341
>  - ESTABLISHED spamd connection count is 63 (and growing)
>
> This is not fun :-\

These are bounces, so they'll be coming from MTAs with retry
queues, so they generally will make it through to the real MTA
after (a minimum of) 3 retry attempts.

Depending on how many "normal" spams that spamd saves you
from, it may be a hindrance to use greylisting here. It might
be better just to get these mails handled quickly and out of
the sender's queues (depends on your bandwidth situation).

On 2007/09/24 20:01, patrick keshishian wrote:
> Btw, your "reply-to" field contains my e-mail address.  Is that
> intended?

Mail-Followup-To, actually - yes. It wouldn't totally surprise
me if gmail is doing something unexpected with it, though (-:


Re: SMTP flood + spamdb

Peter Nicolai Mathias Hansteen
Stuart Henderson <[hidden email]> writes:

> If it's compatible with how you use the domain, it might help
> to publish SPF records.

I suppose I'll never know how many receivers of spam claiming to be
from [hidden email] (yes, fresh from the source) and friends
actually acted on the SPF info for the domain and skipped sending a
bounce, but the ones that don't use SPF in any meaningful way still
generate significant backscatter.  Once [hidden email] is a
spamtrap it won't matter much of course, except for any valid mail
which might happen to venture out from the same IP address to somebody
at datadok.no.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: SMTP flood + spamdb

Stuart Henderson
In reply to this post by Stuart Henderson
On 2007/09/25 10:29, Stuart Henderson wrote:
> Also: all hosts listed in MX records should be aware of the
> list of valid users and do the same. For sendmail, this is easy
> to do with the access map.

I had a question off-list about how to do this, so I guess
some other people will benefit from an example of how to set
this up.

To:domain.com            error:550 5.1.1 No such user
To:[hidden email] OK
To:[hidden email]      OK
To:[hidden email]      OK

then (cd /etc/mail; sudo makemap hash access < access)


Re: SMTP flood + spamdb

Rod Whitworth-3
In reply to this post by Craig Skinner
On Tue, 25 Sep 2007 09:38:10 +0100, Craig Skinner wrote:


>Greylisting is of no use whatsoever because the servers sending the
>bounces to you are actual smtp boxes (sendmail, extrange, ....), not
>malware, so they will quickly bypass spamd. Spamd greytraps will help a
>great deal, but you say that the addresses are random.
>
>
I've snipped all the content (which I largely  agree with) above and
below this paragraph to recount my experience which started about a
fortnight ago and ran for about a week.

Log analysis showed that there were two classes of incoming unwanted
crap.

One was bounced mail that should have been rejected as "invalid
recipient" mail at the original target. That included an mx at
aph.gov.au, the Australian Federal Parliament House. Yep, the pollies
who want ISPs to block websites on request and who spent $84mil on a
kiddie-filter that some 10-year old bypassed in ten minutes.

The others were from bots as far as I could tell but they were not
being sent by MTAs which had received them.

My defence was to write a couple of scripts. One parsed the output of
spamdb looking for GREY with sender <> and then tested the intended
recipient against the postfix valid mailbox database. If it failed then
the sender IP was added to a pf table that was outright blacklisted for
24 hours. The other script did housekeeping and added sender IPs to the
TRAPPED category in case they retried later.

The blacklist grew rapidly to over 1200 unique addresses but then
petered out after a few days and I turned off the cron jobs running the
scripts at day nine.

So greylisting/spamd did a hell of a good job for me. I would not have
been able to block traffic from all those crappily configured boxes
(MTAs mostly qmail or windows) unless I had a greylist database to scan
every few minutes.

Peter H and Beck@ know what they are doing alright and do good papers
on it.
Thanks.
R/

Me...a skeptic?  I trust you have proof.
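The following is an added worked example, not code from this thread or from OpenBSD, reproducing the two checks described above: Rod Whitworth's cron job (GREY entries with a null sender whose recipient is not a valid local mailbox mark the sending host as a backscatter source to be put in a pf table and TRAPPED) and Darrin Chandler's earlier suggestion to see which bogus recipients repeat before adding them as SPAMTRAP entries. It assumes the field layout spamdb(8) documents for GREY rows (`GREY|source-ip|helo|from|to|first|pass|expire|block|pass-count`), the `spamdb -T -a` / `spamdb -t -a` and `pfctl -t TABLE -T add` command forms, and a stand-in set for the MTA's valid-mailbox database; all sample lines, IP addresses and mailbox names are constructed.

```python
"""Backscatter triage over spamdb(8) output (added example, not the thread's code).

Assumptions, not taken from the thread:
 - spamdb prints one '|'-separated entry per line; GREY rows are laid out as
   GREY|source-ip|helo|from|to|first|pass|expire|block|pass-count
   as documented in spamdb(8), with from/to possibly wrapped in <>.
 - 'spamdb -T -a IP' adds a TRAPPED entry, 'spamdb -t -a ADDR' a SPAMTRAP
   entry, and 'pfctl -t TABLE -T add IP' fills a pf table that pf.conf blocks.
 - VALID_LOCAL stands in for the MTA's valid-mailbox database.
 - Every sample line, address and IP below is constructed.
"""
import subprocess
from collections import Counter

# Constructed sample of what `spamdb` might print during a backscatter flood.
SAMPLE_SPAMDB = """\
GREY|192.0.2.10|mx1.example.net|<>|<qzkx9v@my-domain.example>|1190580000|1190581500|1190594400|1|0
GREY|192.0.2.10|mx1.example.net|<>|<hhtr22@my-domain.example>|1190580060|1190581560|1190594460|1|0
GREY|198.51.100.7|mail.example.org|<>|<QZKX9V@my-domain.example>|1190580120|1190581620|1190594520|1|0
GREY|203.0.113.5|relay.example.com|<>|<patrick@my-domain.example>|1190580200|1190581700|1190594600|1|0
GREY|203.0.113.9|bot.example|<spammer@example.invalid>|<hhtr22@my-domain.example>|1190580300|1190581800|1190594700|1|0
WHITE|192.0.2.44|||1190500000|1190501500|1193092000|1|3
TRAPPED|198.51.100.200|1190666400
SPAMTRAP|<oldtrap@my-domain.example>
"""

# Constructed stand-in for the valid-mailbox database (postfix/sendmail map).
VALID_LOCAL = {"patrick@my-domain.example", "postmaster@my-domain.example"}


def normalize(addr):
    """Strip surrounding <> and lowercase, so 'QZKX9V@x' matches 'qzkx9v@x'."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.lower()


def parse_grey(text):
    """Yield (source_ip, sender, recipient) for every GREY entry."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) >= 5 and fields[0] == "GREY":
            yield fields[1], normalize(fields[3]), normalize(fields[4])


def backscatter_sources(text, valid_local):
    """Hosts delivering null-sender (bounce) mail to addresses we never had."""
    ips = set()
    for ip, sender, rcpt in parse_grey(text):
        if sender == "" and rcpt not in valid_local:
            ips.add(ip)
    return sorted(ips)


def bogus_recipient_counts(text, valid_local):
    """Occurrences per non-existent recipient; repeats are SPAMTRAP candidates."""
    counts = Counter()
    for _ip, _sender, rcpt in parse_grey(text):
        if rcpt not in valid_local:
            counts[rcpt] += 1
    return counts


def plan_commands(text, valid_local, pf_table="backscatter", min_repeats=2):
    """Build the operator commands as argv lists so they can be reviewed first."""
    cmds = []
    for ip in backscatter_sources(text, valid_local):
        cmds.append(["pfctl", "-t", pf_table, "-T", "add", ip])  # block outright
        cmds.append(["spamdb", "-T", "-a", ip])                  # TRAPPED if it retries
    for rcpt, n in sorted(bogus_recipient_counts(text, valid_local).items()):
        if n >= min_repeats:
            cmds.append(["spamdb", "-t", "-a", rcpt])            # greytrap the address
    return cmds


def run_from_cron(valid_local, dry_run=True):
    """Read the live database and apply the plan; dry_run only prints it."""
    text = subprocess.run(["spamdb"], capture_output=True, text=True, check=True).stdout
    for cmd in plan_commands(text, valid_local):
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    for cmd in plan_commands(SAMPLE_SPAMDB, VALID_LOCAL):
        print(" ".join(cmd))
```

On the sample, only the two hosts that bounced mail for non-existent users are selected; the host that bounced to a real mailbox and the host with a non-null sender are left to greylisting. The pf table only has an effect if pf.conf references it in a block rule, and a housekeeping job that flushes old entries (the thread's 24-hour window) is still needed, as in the post above.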


Re: SMTP flood + spamdb

Liviu Daia
On 25 September 2007, RW <[hidden email]> wrote:
[...]
> My defence was to write a couple of scripts. One parsed the output of
> spamdb looking for GREY with sender <> and then tested the intended
> recipient against the postfix valid mailbox database.
[...]

    With Postfix you can use anvil(8) to control concurrency.

    Regards,

    Liviu Daia

--
Dr. Liviu Daia                                  http://www.imar.ro/~daia


Re: SMTP flood + spamdb

Peter Nicolai Mathias Hansteen
In reply to this post by Rod Whitworth-3
"RW" <[hidden email]> writes:

> One was bounced mail that should have been rejected as "invalid
> recipient" mail at the original target. That included an mx at
> aph.gov.au, the Australian Federal Parliamnet House. Yep, the pollies
> who want ISPs to block websites on request and who spent $84mil on a
> kiddie-filter that some 10-year old bypassed in ten minutes,

You did buy a nice frame to put that in, I hope? ;)

I've been noticing that the generated junk addresses which were
originally used as from addresses on spam sent to elsewhere
(generating the bounces we see here) tend to resurface pretty soon in
my greylists as to addresses on attempted incoming spam.  I also see
quite a few attempts at reaching actually deliverable addresses in our
domains with a fake from address.  So I think it may be just a matter
of time before I see spam where both to and from are already in my
spamtraps.

(and thanks, RW)

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: SMTP flood + spamdb

Craig Skinner
In reply to this post by Stuart Henderson
Stuart Henderson wrote:
>
> I had a question off-list about how to do this, so I guess
> some other people will benefit from an example of how to set
> this up.
>


If you are using postfix:

/etc/postfix/main.cf:
..
..
smtpd_recipient_restrictions =
         reject_non_fqdn_hostname
         reject_invalid_hostname
         reject_non_fqdn_sender
         reject_non_fqdn_recipient
         reject_unlisted_recipient <-- this one
         reject_unlisted_sender
         reject_unknown_reverse_client_hostname
         warn_if_reject    reject_unknown_client_hostname
         reject_unknown_helo_hostname
         reject_unknown_sender_domain
         reject_unknown_recipient_domain
         permit_mynetworks
         reject_unauth_destination
         ...
         ...
         ...
unknown_address_reject_code = 554
alias_maps = btree:$config_directory/aliases


/etc/postfix/aliases:
..
..
joe.bloggs jb123456
joe jb123456
bloggs jb123456


$ sudo postfix reload


Re: SMTP flood + spamdb

Craig Skinner
In reply to this post by Rod Whitworth-3
RW wrote:
>
> The others were from bots as far as I could tell but they were not
> being sent by MTAs which had received them.
>

Yes, but the OP's problem is backscatter, and that does not come from
bots; they don't retry.

$ man spamd:

DESCRIPTION
      spamd is a fake sendmail(8)-like daemon which rejects false mail.
      It is designed to be very efficient so that it does not slow down
      the receiving machine.
..
..
      greylisted hosts are redirected to spamd, but spamd has not yet
      decided if they are likely spammers.  They are given a temporary
      failure message by spamd when they try to deliver mail.


Greylisting works brilliantly for bots, but won't help with hosts that
retry, as is the case with backscatter.

If the OP was repeatedly getting mail to a few addresses from different
hosts, he could use grey trapping. But he said that they are all random.


Re: SMTP flood + spamdb

Chris Smith-7
In reply to this post by Craig Skinner
On Tuesday 25 September 2007, Craig Skinner wrote:

> If you are using postfix:
>
> /etc/postfix/main.cf:
> ..
> ..
> smtpd_recipient_restrictions =
>          reject_non_fqdn_hostname
>          reject_invalid_hostname
>          reject_non_fqdn_sender
>          reject_non_fqdn_recipient
>          reject_unlisted_recipient      <-- this one

Isn't this actually a postfix default?
As smtpd_reject_unlisted_recipient defaults to yes.

--
Chris
