[OT] HELP!!! mail attack
Craig White
craigwhite at azapple.com
Wed Mar 26 12:12:33 UTC 2008
On Wed, 2008-03-26 at 07:23 -0400, Rodolfo Alcazar Portillo wrote:
> Hello. Since monday, our mailserver (FC5), behind a firewall, is
> suffering a heavy DoS mail attack. We have a user account,
> amanda.davila at padep.org.bo and it is receiving millions of emails from
> very different sites of the planet. Since now, my only action was
> deleting the account from /etc/password, and the traffic permits
> working. We suspect a virus attack...
>
> What else can we do? We would appreciate any help with this issue. Here,
> a 20 seconds log by 07:15 GMT-4 (too early, many pcs off).
----
That account has likely been 'Joe Jobbed' and you are seeing the
backscatter. Google 'Joe Job' or find it on Wikipedia for an
explanation.
If you have a mail server, an account, and e-mails arriving, there's
little you can do in a specific sense but you have to evaluate your
overall mail scheme.
I will explain in a general way, how I set up my mail servers and
perhaps this may help.
I use postfix but the only difference I have found between postfix and
sendmail is that postfix is a little easier to setup/maintain.
My first 'defense' is greylisting, run as a policy in postfix.
Greylisting maintains a database (MySQL) primarily using a table of
'tuples' of sender, recipient, mailhost (smtp server trying to deliver
the mail). Greylisting sends a tempfail on the first attempt by sender,
to recipient from particular mail server. This eliminates much e-mail
sent by 'bot' systems that are just spraying e-mail around and are not
true SMTP servers and thus don't attempt 're-delivery'
My second defense is to use rbl's (abuseat / spamhaus / dsbl) to
otherwise block KNOWN blacklisted sources
My third defense is to require:
- reverse DNS of sender
- fqdn of sender
- valid hostname
- valid recipient
This all happens before I choose to accept mail.
Once I have accepted e-mail, it is shuffled to 'MailScanner' which is a
wrapper program that sends e-mail through clamav and then through
spamassassin, where it is cleaned and scored.
Finally, I have 'sieve' rules for all users which puts high spam score
e-mails into a users 'SPAMBOX' folder of which everything that is older
than 7 days is automatically cleaned out.
The notion of rejecting most e-mail before you ever accept it is really,
really important because it minimizes the very expensive computing costs
of inspection by clamav and spamassassin.
Craig
More information about the fedora-list
mailing list