Craig White wrote:
On Wed, 2008-03-26 at 07:23 -0400, Rodolfo Alcazar Portillo wrote:
Hello. Since monday, our mailserver (FC5), behind a firewall, is
suffering a heavy DoS mail attack. We have a user account,
amanda.davila@xxxxxxxxxxxx and it is receiving millions of emails from
very different sites of the planet. Since now, my only action was
deleting the account from /etc/password, and the traffic permits
working. We suspect a virus attack...
What else can we do? We would appreciate any help with this issue. Here,
a 20 seconds log by 07:15 GMT-4 (too early, many pcs off).
----
That account has likely been 'Joe Jobbed' and you are seeing the
backscatter. Google 'Joe Job' or find it on Wikipedia for an
explanation.
If you have a mail server, an account, and e-mails arriving, there's
little you can do in a specific sense but you have to evaluate your
overall mail scheme.
I will explain in a general way, how I set up my mail servers and
perhaps this may help.
I use postfix but the only difference I have found between postfix and
sendmail is that postfix is a little easier to setup/maintain.
My first 'defense' is greylisting, run as a policy in postfix.
Greylisting maintains a database (MySQL) primarily using a table of
greylisting is of limited use, spammers know that technique and how to
work around it. Otherwise we're in pretty fair agreement.
'tuples' of sender, recipient, mailhost (smtp server trying to deliver
the mail). Greylisting sends a tempfail on the first attempt by sender,
to recipient from particular mail server. This eliminates much e-mail
sent by 'bot' systems that are just spraying e-mail around and are not
true SMTP servers and thus don't attempt 're-delivery'
My second defense is to use rbl's (abuseat / spamhaus / dsbl) to
otherwise block KNOWN blacklisted sources
My third defense is to require:
- reverse DNS of sender
- fqdn of sender
- valid hostname
- valid recipient
This all happens before I choose to accept mail.
Once I have accepted e-mail, it is shuffled to 'MailScanner' which is a
wrapper program that sends e-mail through clamav and then through
spamassassin, where it is cleaned and scored.
Finally, I have 'sieve' rules for all users which puts high spam score
e-mails into a users 'SPAMBOX' folder of which everything that is older
than 7 days is automatically cleaned out.
The notion of rejecting most e-mail before you ever accept it is really,
really important because it minimizes the very expensive computing costs
of inspection by clamav and spamassassin.
Craig
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)