Large Mail Provider Throttling
As probably many of you have already experienced, we have been hit with mailbombs with forged Hotmail (or other large provider) addresses recently. This has resulted in the large provider throttling our mail flow, which forces messages to be placed into our local queue for retry at a later time. This ultimately has resulted in our customers reporting delays in emailing such large providers (i.e. Hotmail).

To protect ourselves from delayed mail, we have implemented several system wide rules to block Autoreplies and Undeliverable messages from being sent to the large providers. Unfortunately, this has resulted in many complaints from customers (since it's all or nothing). We have so far left these rules enabled 24x7 since the system already becomes degraded by the time we realize an event is occurring.

I was interested to see what other techniques or steps people have taken to protect themselves from these types of threats, and whether they have managed to handle a large # of accounts without preventing AutoReplies and Undeliverable messages to large providers. For instance, has anyone been able to approach such large providers and request special handling of mail coming from their system (higher throttling threshold, for example)?

Thanks in advance,

Edward Gray
Director, Operations & Networks
Tucows.com Co.
egray@tucows.com
Edward Gray wrote:
To protect ourselves from delayed mail, we have implemented several system wide rules to block Autoreplies and Undeliverable messages from being sent to the large providers. Unfortunately, this has resulted in many complaints from customers (since it's all or nothing). We have so far, left these rules enabled 24x7 since, the system already becomes degraded by the time we realize an event is occurring.
You might want to

* Use a mailserver that can reject rather than bounce email (that is, a mailserver where the smtpd process has a view of the userdb)
* Use a "current spam source" blocklist like cbl.abuseat.org, as well as a good open proxy blocklist like opm.blitzed.org
* Set up SpamAssassin to trash rather than later bounce email that does get through your filters and has a high enough spam score.
* Do some HELO filtering (HELO hotmail.com from an IP with rDNS that doesn't say hotmail? HELO your.own.ip or HELO your.own.domain from an untrusted IP that you don't relay for / that someone hasn't authenticated from? REJECT) :)
* I'd add that a simple header check to reject (or preferably, discard) any mail with the string ".mr.outblaze.com" in any Received: header will get rid of a lot of spam for you.

There are a few other things, but these will be off topic here. Please feel free to mail me offlist.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
There is a package that is being developed right now that basically will squelch emails received from some domain.com address if the sending IP address isn't in the list of permitted addresses. Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe Dropping from domain.com by doing a look up on a TXT record similar to

dccnet.com. IN TXT "v=spf1 mx ptr ip4:24.207.1.0/24 -all"

This would block mail with a FROM: address of *@dccnet.com that didn't relay through any of the MX hosts, originate from any broadband client address (from the ptr record), or come from the 24.207.1.0 Class C address space.

As this project is fairly new, there aren't many large domains making use of it, and the tools available aren't mature enough for some email implementations (mobile users making use of Hot Spots with SMTP Hijacking and no submit port opened) for which the sending user's IP address isn't known. However, I do believe this project will pick up favor to help eliminate one source of address forgery, which I believe would have helped in your situation. AOL had made use of this for 24 hours earlier this month and it resulted in the blocking of a large volume of spam addressed from aol.com (not originating from aol.com address space). Hopefully sites like yahoo, hotmail and others

Of course the cows have left the barn, but it's definitely worth looking at.

Cheers,
Aaron

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Suresh Ramasubramanian
Sent: January 22, 2004 6:15 PM
To: Edward Gray
Cc: nanog@merit.edu
Subject: Re: Large Mail Provider Throttling

Edward Gray wrote:
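To show how a receiving server would actually evaluate the record Aaron quotes, here is an added example written for this archive page (not code from the SPF project or from anyone in the thread). It walks the mx, ptr, ip4 and -all terms of "v=spf1 mx ptr ip4:24.207.1.0/24 -all" left to right and checks a connecting IP against them; the MX name, A records and PTR entry it consults are constructed stand-ins for DNS, so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS (no network I/O). The dccnet.com TXT record is the
# one quoted in the thread; MX/A/PTR entries are hypothetical, made up for this example.
FAKE_DNS = {
    ("dccnet.com", "TXT"): ["v=spf1 mx ptr ip4:24.207.1.0/24 -all"],
    ("dccnet.com", "MX"): ["mail.dccnet.com"],
    ("mail.dccnet.com", "A"): ["192.0.2.25"],
    ("198.51.100.7", "PTR"): ["relay.dccnet.com"],
    ("relay.dccnet.com", "A"): ["198.51.100.7"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def mx_match(ip, domain):
    # "mx": the connecting IP is one of the domain's MX hosts
    return any(ip == ipaddress.ip_address(a) for mx in lookup(domain, "MX") for a in lookup(mx, "A"))

def ptr_match(ip, domain):
    # "ptr": reverse-map the IP, keep names that forward-resolve back to it,
    # and require one of them to be the domain itself or a host under it
    for name in lookup(str(ip), "PTR"):
        if str(ip) in lookup(name, "A") and (name == domain or name.endswith("." + domain)):
            return True
    return False

def check_spf(ip, domain):
    """Return pass / fail / softfail / neutral, or none if no record is published."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = mx_match(ip, arg or domain)
        elif mech == "ptr":
            matched = ptr_match(ip, arg or domain)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # a, include, exists etc. are not handled in this example
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no "all" term
```

A mail from 24.207.1.200 or from one of the MX hosts passes, while the same *@dccnet.com envelope from an unrelated address hits "-all" and fails, which is the rejection Aaron describes.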
Aaron Thomas [1/23/2004 8:28 AM] :
Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe Dropping from domain.com by doing a look up on a TXT record similar to [...] As this project is fairly new, there aren't many large domains making use of it, and the tools available aren't mature enough for some email
What I described in my earlier email (helo filtering) is aimed at the same result. Only, it has to be done on a case by case basis. And it does allow road warriors.

The second way (slightly more radical, prone to a little more collateral damage, but does stop a LOT of spam) - stop accepting mail from commonly forged freemail domains if the mail originates from an IP with either

* no rDNS
* generic (dialup / cable / dsl) pattern rDNS

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
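As an added example of the session-time checks Suresh describes in both of his messages (the HELO filtering rules and the no-rDNS / generic-rDNS rule for freemail sender domains), the policy function below is written for this archive page and is not code from anyone in the thread. The site domain, the trusted IP, the freemail list, the rDNS table and the "generic" hostname pattern are all assumptions made up for the example; the rDNS table stands in for live PTR lookups so it runs offline.

```python
import re

# Constructed rDNS data standing in for live PTR lookups (no network I/O); all
# IPs and hostnames here are hypothetical values made up for this example.
FAKE_PTR = {
    "192.0.2.77": "mail.hotmail.com",
    "198.51.100.23": "cpe-198-51-100-23.dsl.example-isp.net",
    "203.0.113.5": "",  # no reverse DNS at all
}
OUR_DOMAIN = "example.net"  # the receiving site's own domain (assumed)
OUR_IPS = {"192.0.2.25"}    # our own / relayed-for addresses (assumed)
FREEMAIL = {"hotmail.com", "yahoo.com", "aol.com"}  # commonly forged domains (assumed list)
# crude "generic rDNS" pattern for dialup / cable / dsl style names (assumed)
GENERIC_RDNS = re.compile(r"(dialup|dsl|cable|ppp|dyn|pool|cpe-|\d+-\d+-\d+-\d+)", re.I)

def under(name, domain):
    return name == domain or name.endswith("." + domain)

def helo_policy(ip, helo, mail_from_domain, authenticated=False):
    """Decide ('REJECT', reason) or ('ACCEPT', None) for one inbound SMTP session."""
    rdns = FAKE_PTR.get(ip, "")
    helo = helo.lower().rstrip(".").strip("[]")
    if ip in OUR_IPS or authenticated:
        return ("ACCEPT", None)  # our own hosts and authenticated users are exempt
    # HELO claims a big provider but the connecting IP's rDNS does not agree
    for dom in FREEMAIL:
        if under(helo, dom) and not under(rdns, dom):
            return ("REJECT", f"HELO {helo} from {ip} with rDNS {rdns or 'none'}")
    # HELO claims our own name or IP from an untrusted host
    if under(helo, OUR_DOMAIN) or helo in OUR_IPS:
        return ("REJECT", f"HELO {helo} forges our own identity from {ip}")
    # freemail MAIL FROM domain from a host with no rDNS or generic rDNS
    if mail_from_domain.lower() in FREEMAIL:
        if not rdns:
            return ("REJECT", f"{mail_from_domain} sender from {ip} with no rDNS")
        if GENERIC_RDNS.search(rdns):
            return ("REJECT", f"{mail_from_domain} sender from generic rDNS {rdns}")
    return ("ACCEPT", None)
```

Note that a legitimate mail.hotmail.com host still gets through, while a hotmail.com envelope from a DSL-style hostname or a host with no reverse DNS is refused at the session, so no bounce is ever generated.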