Distributed Dictionary email slam
We are secondary mx for a specific domain that has been hammered since Friday night. We've accumulated literally thousands of email messages in our queue while the primary mx at the customer site is out of service yet again. In looking at the queue it appears that it's one heck of a dictionary based slam. Interesting thing about this is that it is distributed.. entire dictionary destination addresses such as bene*@domain.com come from one host (apparently with a trojan on it or otherwise) while benf*@domain.com come from yet a different host.. and so on down the alphabet all the while constantly changing source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is getting past the blacklist checks). Normally I see my spam block daemon at around 10 - 15 concurrent requests.. right now it's tearing along at around 160 - 180 concurrent bad connections. And of course a few suggestions to mitigate this would be appreciated.. I currently employ multiple blacklists such as spamcop.net, abuseat.org, spews level 1 and 2, and spamhaus, plus my own blocklists for china and korea to check on incoming email source addresses.
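An added example (editorial, not from any message in this thread): a Python script that spots the pattern Matt describes in a queue or log by grouping the distinct recipient local-parts per source host and flagging hosts whose recipients all share one alphabetic prefix. The log format and the relay addresses are constructed, not real sendmail output.

```python
import os
import re
from collections import defaultdict

# Constructed sample log, simplified to one recipient per line (not real
# sendmail output; the relay addresses are documentation ranges).
SAMPLE_LOG = """\
Sep  5 03:01:10 mx2 smtpd: relay=[198.51.100.7] to=<bene@domain.com> queued
Sep  5 03:01:11 mx2 smtpd: relay=[198.51.100.7] to=<benedict@domain.com> queued
Sep  5 03:01:11 mx2 smtpd: relay=[198.51.100.7] to=<benelli@domain.com> queued
Sep  5 03:01:12 mx2 smtpd: relay=[198.51.100.7] to=<benes@domain.com> queued
Sep  5 03:01:12 mx2 smtpd: relay=[203.0.113.44] to=<benford@domain.com> queued
Sep  5 03:01:13 mx2 smtpd: relay=[203.0.113.44] to=<benfield@domain.com> queued
Sep  5 03:01:13 mx2 smtpd: relay=[203.0.113.44] to=<benfro@domain.com> queued
Sep  5 03:01:14 mx2 smtpd: relay=[203.0.113.44] to=<benfry@domain.com> queued
Sep  5 03:01:20 mx2 smtpd: relay=[192.0.2.9] to=<sales@domain.com> queued
Sep  5 03:01:21 mx2 smtpd: relay=[192.0.2.9] to=<info@domain.com> queued
"""

LINE_RE = re.compile(
    r"relay=\[(?P<ip>[0-9.]+)\].*?to=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>")

def recipients_by_relay(log_text, domain):
    """Map each relay IP to the distinct local-parts it sent to @domain."""
    rcpts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("domain").lower() == domain.lower():
            rcpts[m.group("ip")].add(m.group("local").lower())
    return rcpts

def find_dictionary_sources(log_text, domain, min_rcpts=3, min_prefix=3):
    """Flag relays hitting many distinct local-parts that all share a prefix,
    the signature of a dictionary run sliced alphabetically across hosts.
    Returns {ip: (distinct recipient count, shared prefix)}."""
    flagged = {}
    for ip, locals_ in recipients_by_relay(log_text, domain).items():
        prefix = os.path.commonprefix(sorted(locals_))
        if len(locals_) >= min_rcpts and len(prefix) >= min_prefix:
            flagged[ip] = (len(locals_), prefix)
    return flagged

if __name__ == "__main__":
    # Each flagged relay covers its own slice of the alphabet (bene*, benf*).
    for ip, (n, prefix) in sorted(find_dictionary_sources(SAMPLE_LOG, "domain.com").items()):
        print("%-15s %3d distinct rcpts, slice %s*" % (ip, n, prefix))
```

The host sending only to sales@ and info@ is left alone: few recipients and no shared prefix.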
On Sun, 5 Sep 2004, Matt Hess wrote:
source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is
You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too. If you don't care about yourself -- realize that if, say, all of these mails have a return address forged from the same domain, you will be DOSing THAT site with the bounce messages. This is enough for some people to block mail from you.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Impossible as the customer does not wish to give us a list. However, I have thought of that and created some perl foo to go through.. identify the queued junk and remove it completely from our queue .. thus no bounce and no delivery.
Christopher X. Candreva wrote:
On Sun, 5 Sep 2004, Matt Hess wrote:
source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is
You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too.
If you don't care about yourself -- realize that if, say, all of these mails have a return address forged from the same domain, you will be DOSing THAT site with the bounce messages. This is enough for some people to block mail from you.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Impossible as the customer does not wish to give us a list.
You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too.
anyway, as they say, that does not scale
randy
---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
I completely agree, indeed it does not.. which is why we have now dropped doing secondary mx for this domain. Anyway.. thanks to all who responded on and off list.. gave me a few good ideas to tinker with.. Probably the most notable thing from this is the technical level with which spammers are now employing such a distributed network of spamming zombie type systems in a very directed manner.. and I always pictured them as drooling slobs that stare at blinking lights.. ;)
Randy Bush wrote:
Impossible as the customer does not wish to give us a list.
You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too.
anyway, as they say, that does not scale
randy
---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
On Sun, Sep 05, 2004 at 07:58:06PM -0400, Christopher X. Candreva wrote:
On Sun, 5 Sep 2004, Matt Hess wrote:
source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is
You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too.
If you don't care about yourself -- realize that if, say, all of these mails have a return address forged from the same domain, you will be DOSing THAT site with the bounce messages. This is enough for some people to block mail from you.
does anyone have some pointers to a good (possibly radius+sendmail) based approach for checking this? i'd like to have my backup mx host reject mail for non-existent users/aliases as long as the primary is up, but if it's down, it should accept them and queue, plus possibly cache misses for a period of time (24h?)
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/ My statements are only mine.
On Mon, 6 Sep 2004, Jared Mauch wrote:
does anyone have some pointers to a good (possibly radius+sendmail) based approach for checking this?
I load rules into the access.db database. lines like this:

    To:westnet.com              ERROR:5.1.1:"550 User unknown"
    To:chrs@westnet.com         OK
    To:postmaster@westnet.com   OK

Perl script builds this off /etc/passwd, /etc/aliases, our user database, and whatever else is applicable, rsync distributes to the other machines, make builds the database. I wanted it to be completely local so that the secondaries could continue to function even if the radius server was down.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
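Added example, not Chris's Perl or anything posted to the list: a Python equivalent of the script he describes, which derives the access.db source lines (default reject for the domain, then OK per known local-part) from passwd- and aliases-style input. The sample inputs are constructed, and the uid/shell filtering in passwd_users is an assumption about a typical host.

```python
# Constructed sample inputs standing in for /etc/passwd and /etc/aliases
# (not the list's real data).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
chrs:x:1001:1001:Chris:/home/chrs:/bin/sh
jane:x:1002:1002:Jane:/home/jane:/bin/sh
guest:x:1003:1003:Guest:/home/guest:/usr/sbin/nologin
"""
ALIASES = """\
# comment lines are ignored
postmaster: root
abuse: postmaster
support: chrs,
    jane
"""

def passwd_users(text, min_uid=1000):
    """Login names of mail-receiving accounts. Filtering on uid and a real
    shell is an assumption about a typical host, not something the thread states."""
    users = set()
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7: continue
        if int(f[2]) >= min_uid and not f[6].endswith(("nologin", "false")):
            users.add(f[0].lower())
    return users

def alias_names(text):
    """Left-hand sides of /etc/aliases entries; comments and continuation
    lines (leading whitespace) belong to the previous entry and are skipped."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace(): continue
        lhs, sep, _ = line.partition(":")
        if sep:
            names.add(lhs.strip().lower())
    return names

def access_map(domain, *sources):
    """Access-map lines in the form quoted above: reject the whole domain by
    default, then OK each known local-part (sendmail looks up the full address
    before the bare domain, so line order does not matter)."""
    lines = ['To:%s\tERROR:5.1.1:"550 User unknown"' % domain]
    for local in sorted(set().union(*sources)):
        lines.append("To:%s@%s\tOK" % (local, domain))
    return lines

if __name__ == "__main__":
    # Write this out as the access source file; makemap (or Chris's make target) builds access.db.
    print("\n".join(access_map("westnet.com", passwd_users(PASSWD), alias_names(ALIASES))))
```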
On Mon, 6 Sep 2004, Jared Mauch wrote:
does anyone have some pointers to a good (possibly radius+sendmail) based approach for checking this?
Not RADIUS, but Sendmail can do arbitrary LDAP lookups for user-checks. See the README for the details. (and LDAP can itself be distributed, so potentially can scale somewhat).
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
Fortune: Fill what's empty, empty what's full, scratch where it itches. -- Alice Roosevelt Longworth
On Sun, Sep 05, 2004 at 03:39:50PM -0600, Matt Hess wrote:
And of course a few suggestions to mitigate this would be appreciated.. I currently employ multiple blacklists such as spamcop.net, abuseat.org, spews level 1 and 2, and spamhaus, plus my own blocklists for china and korea to check on incoming email source addresses.
Happened to me a few times, which is funny for a 1-man company with very few legit user-ids - >100K requests per day for nonexistent users. I used ipfw to limit each sender to 1 simultaneous connection, turned on sendmail's delay on bad users after 1 and edited the sendmail source to wait 10 sec before responding rather than 1. That seems to have discouraged them some. As has been mentioned, the key is either not to have/be a secondary mx or to make it smart enough to know who's valid, to avoid DoSing the forged senders.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.