[OT] HELP!!! mail attack

John Summerfield debian at herakles.homelinux.org
Wed Mar 26 15:02:23 UTC 2008


Craig White wrote:
> On Wed, 2008-03-26 at 07:23 -0400, Rodolfo Alcazar Portillo wrote:
>> Hello. Since monday, our mailserver (FC5), behind a firewall, is
>> suffering a heavy DoS mail attack. We have a user account,
>> amanda.davila at padep.org.bo and it is receiving millions of emails from
>> very different sites of the planet. Since now, my only action was
>> deleting the account from /etc/password, and the traffic permits
>> working. We suspect a virus attack...
>>
>> What else can we do? We would appreciate any help with this issue. Here,
>> a 20 seconds log by 07:15 GMT-4 (too early, many pcs off).
> ----
> That account has likely been 'Joe Jobbed' and you are seeing the
> backscatter. Google 'Joe Job' or find it on Wikipedia for an
> explanation.
> 
> If you have a mail server, an account, and e-mails arriving, there's
> little you can do in a specific sense but you have to evaluate your
> overall mail scheme.
> 
> I will explain in a general way, how I set up my mail servers and
> perhaps this may help.
> 
> I use postfix but the only difference I have found between postfix and
> sendmail is that postfix is a little easier to setup/maintain.
> 
> My first 'defense' is greylisting, run as a policy in postfix.
> Greylisting maintains a database (MySQL) primarily using a table of

Greylisting is of limited use, spammers know that technique and how to
work around it. Otherwise we're in pretty fair agreement.

> 'tuples' of sender, recipient, mailhost (smtp server trying to deliver
> the mail). Greylisting sends a tempfail on the first attempt by sender,
> to recipient from particular mail server. This eliminates much e-mail
> sent by 'bot' systems that are just spraying e-mail around and are not
> true SMTP servers and thus don't attempt 're-delivery'
> 
> My second defense is to use rbl's (abuseat / spamhaus / dsbl) to
> otherwise block KNOWN blacklisted sources
> 
> My third defense is to require:
>  - reverse DNS of sender
>  - fqdn of sender
>  - valid hostname
>  - valid recipient
> 
> This all happens before I choose to accept mail.
> 
> Once I have accepted e-mail, it is shuffled to 'MailScanner' which is a
> wrapper program that sends e-mail through clamav and then through
> spamassassin, where it is cleaned and scored.
> 
> Finally, I have 'sieve' rules for all users which puts high spam score
> e-mails into a users 'SPAMBOX' folder of which everything that is older
> than 7 days is automatically cleaned out.
> 
> The notion of rejecting most e-mail before you ever accept it is really,
> really important because it minimizes the very expensive computing costs
> of inspection by clamav and spamassassin.
> 
> Craig
> 


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
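The tuple-based greylisting Craig describes (a tempfail on the first delivery attempt for a new sender/recipient/mailhost tuple, pass once the sender retries after a delay), written out as an added example in the shape of a Postfix SMTPD access policy delegation decision. This is illustration code for the thread, not the list poster's, Postfix's or postgrey's own code; the request parser, the (sender, recipient, client /24) key, the 300-second delay, the 35-day retention and all sample addresses are my assumptions.

```python
"""Greylisting policy decision logic for a Postfix-style access policy server.

Added example for the thread: not Postfix or postgrey code.  Assumptions
(not from the thread): the tuple key uses the client's /24 network so that
a retry from another host in the same sending pool still matches, new
tuples must wait GREYLIST_DELAY seconds, and tuples unused for GREYLIST_TTL
seconds are forgotten.
"""
import ipaddress
import time

GREYLIST_DELAY = 300            # seconds a new tuple must wait (assumed value)
GREYLIST_TTL = 35 * 24 * 3600   # forget tuples idle this long (assumed value)


def parse_policy_request(raw):
    """Parse the name=value attribute block Postfix sends to a policy server.

    Postfix terminates each request with an empty line; attributes after
    that belong to the next request, so parsing stops there.
    """
    attrs = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def tuple_key(attrs):
    """Build the greylist key: (sender, recipient, client network).

    Addresses are lower-cased so case variants of one mailbox share a key.
    IPv4 clients are keyed by /24, IPv6 by /64 (a common policy choice,
    assumed here rather than taken from the thread).
    """
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    addr = ipaddress.ip_address(attrs.get("client_address", "0.0.0.0"))
    prefix = 24 if addr.version == 4 else 64
    network = str(ipaddress.ip_network((str(addr), prefix), strict=False))
    return (sender, recipient, network)


class Greylist:
    """In-memory greylist.  A production server would use a shared DB."""

    def __init__(self, delay=GREYLIST_DELAY, ttl=GREYLIST_TTL):
        self.delay = delay
        self.ttl = ttl
        # key -> [first_seen, last_seen]
        self.seen = {}

    def _expire(self, now):
        stale = [k for k, (_, last) in self.seen.items() if now - last > self.ttl]
        for k in stale:
            del self.seen[k]

    def decide(self, attrs, now=None):
        """Return the Postfix action for one delivery attempt.

        'defer_if_permit' tells Postfix to tempfail (4xx) unless a later
        restriction rejects outright; 'dunno' hands the decision to the
        next restriction in the list (RBLs, sender checks, ...).
        """
        now = time.time() if now is None else now
        self._expire(now)
        key = tuple_key(attrs)
        entry = self.seen.get(key)
        if entry is None:
            # First time this tuple is seen: record it and tempfail.
            self.seen[key] = [now, now]
            return "defer_if_permit Greylisted, please retry later"
        entry[1] = now
        if now - entry[0] < self.delay:
            # Retrying too quickly: still inside the greylisting window.
            return "defer_if_permit Greylisted, please retry later"
        return "dunno"


def format_response(action):
    """Frame the action as the policy protocol expects: one attribute, blank line."""
    return "action=%s\n\n" % action


if __name__ == "__main__":
    # Constructed sample request with example.org/example.net addresses.
    raw = ("request=smtpd_access_policy\n"
           "sender=alice@example.org\n"
           "recipient=user@example.net\n"
           "client_address=192.0.2.10\n\n")
    gl = Greylist()
    req = parse_policy_request(raw)
    t0 = 1000.0
    print(format_response(gl.decide(req, now=t0)))          # first attempt: tempfail
    print(format_response(gl.decide(req, now=t0 + 60)))     # retry too soon: tempfail
    print(format_response(gl.decide(req, now=t0 + 400)))    # retry after delay: dunno
```

Hooked into Postfix via `check_policy_service` in `smtpd_recipient_restrictions`, a decision of `dunno` simply moves on to whatever restrictions follow it. That is also where John's caveat shows up in the code: any client that queues and retries after the delay is passed through, whatever its reputation, so greylisting only screens out senders that never retry and the RBL and sender-validation checks Craig lists still have to run behind it.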
