On Wed, 2008-03-26 at 07:23 -0400, Rodolfo Alcazar Portillo wrote:

> Hello. Since Monday, our mail server (FC5), behind a firewall, is
> suffering a heavy DoS mail attack. We have a user account,
> amanda.davila@xxxxxxxxxxxx, and it is receiving millions of emails from
> very different sites around the planet. Until now, my only action has
> been deleting the account from /etc/passwd, and the traffic permits
> working. We suspect a virus attack...
>
> What else can we do? We would appreciate any help with this issue. Here
> is a 20-second log from 07:15 GMT-4 (too early, many PCs off).

----

That account has likely been 'Joe Jobbed' and you are seeing the backscatter. Google 'Joe Job' or find it on Wikipedia for an explanation.

If you have a mail server, an account, and e-mails arriving, there's little you can do in a specific sense, but you have to evaluate your overall mail scheme. I will explain in a general way how I set up my mail servers, and perhaps this may help. I use postfix, but the only difference I have found between postfix and sendmail is that postfix is a little easier to set up/maintain.

My first 'defense' is greylisting, run as a policy in postfix. Greylisting maintains a database (MySQL), primarily using a table of 'tuples' of sender, recipient, mailhost (the SMTP server trying to deliver the mail). Greylisting sends a tempfail on the first attempt by a sender, to a recipient, from a particular mail server. This eliminates much e-mail sent by 'bot' systems that are just spraying e-mail around and are not true SMTP servers and thus don't attempt 're-delivery'.

My second defense is to use RBLs (abuseat / spamhaus / dsbl) to otherwise block KNOWN blacklisted sources.

My third defense is to require:

- reverse DNS of sender
- FQDN of sender
- valid hostname
- valid recipient

This all happens before I choose to accept mail.

Once I have accepted e-mail, it is shuffled to 'MailScanner', which is a wrapper program that sends e-mail through clamav and then through spamassassin, where it is cleaned and scored.

Finally, I have 'sieve' rules for all users which put high-spam-score e-mails into a user's 'SPAMBOX' folder, from which everything older than 7 days is automatically cleaned out.

The notion of rejecting most e-mail before you ever accept it is really, really important, because it minimizes the very expensive computing costs of inspection by clamav and spamassassin.

Craig
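The greylisting decision Craig describes, written out as an added example (not code from the poster or from any greylisting package): it parses one request in the Postfix policy-delegation format (key=value lines ending in a blank line), keys on the (sender, recipient, client address) tuple, and answers DEFER_IF_PERMIT on the first sight or a too-quick retry, DUNNO once the sender has waited. The in-memory dict stands in for the MySQL tuple table, and the 5-minute minimum and 4-hour expiry windows are assumed values, not Craig's.

```python
"""Greylisting tuple logic in the shape of a Postfix policy server (added example)."""

MIN_RETRY_SECONDS = 5 * 60        # assumption: sender must wait at least 5 minutes
MAX_RETRY_SECONDS = 4 * 60 * 60   # assumption: a tuple not retried within 4 hours is forgotten

DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"
PASS = "DUNNO"   # tuple has passed; let the remaining smtpd restrictions decide


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: 'name=value' lines terminated by a blank line."""
    attrs = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition("=")
        if sep:                                # ignore malformed lines
            attrs[name.strip()] = value.strip()
    return attrs


def greylist_decision(db: dict, attrs: dict, now: float) -> str:
    """Return the policy action for one delivery attempt.

    db maps (sender, recipient, client_address) -> time the tuple was first seen.
    A real deployment would keep this table in MySQL, as the post describes.
    """
    key = (attrs.get("sender", "").lower(),
           attrs.get("recipient", "").lower(),
           attrs.get("client_address", ""))
    first_seen = db.get(key)
    if first_seen is None:
        db[key] = now                          # first attempt: record and tempfail
        return DEFER
    age = now - first_seen
    if age > MAX_RETRY_SECONDS:
        db[key] = now                          # stale tuple: start the clock again
        return DEFER
    if age < MIN_RETRY_SECONDS:
        return DEFER                           # retried too soon; bots rarely come back at all
    return PASS                                # a real MTA that queued and retried


def handle_request(db: dict, raw: str, now: float) -> str:
    """Full policy exchange: request text in, 'action=...' reply (blank-line terminated) out."""
    return "action=" + greylist_decision(db, parse_policy_request(raw), now) + "\n\n"
```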