Mail Attack
Jessica Zhu
jessica at mathforum.org
Tue Aug 23 19:54:48 UTC 2005
On Wed, 24 Aug 2005, Aroop Maliakkal wrote:
> Steve Phillips wrote:
>
> > Jessica Zhu wrote:
> >
> >> That's exactly what happened to us. Somebody outside of our
> >> organization forged the From: addresses and we became the victim of
> >> that. At this point, it seemed that our syslog is so busy writing
> >> the maillog that it becomes a heavy process. This morning around 8AM,
> >> this drove our system load over 20 and the system became slower and
> >> slower. Now it seems the worst time is over. However, I worry that with
> >> such bounced-back volumes increasing, our system cannot afford it
> >> eventually.
> >>
> >>
> >> All the messages come to random usernames. A lot don't exist.
> >>
> >>
> >>> sendmail to discard those and that will help the flood a bit. If
> >>> they're random, you can't block by source and you can't block by
> >>> destination. Not good...
> >>>
> >>> No penalty is severe enough for a spammer.
> > in syslog.conf add a - to the start of the filename like so
> >
> > mail.*<tab><tab><tab>-/var/log/maillog
> >
> > The - tells syslog not to do an fsync each message and _really_
> > reduces syslog load when it is busy, this will probably bring your
> > mail server under a little more control.
> >
> > The next thing to do is examine the bounce messages and find out where
> > this originated and ring them. If this is still ongoing and they have
> > not terminated the spammer then add a postmaster redirect for that
> > domain temporarily to the postmaster at unresponsive.isp.com and you will
> > find the problem gets fixed usually within hours.
> >
> > This happened to me with an AOL user spamming using <random
> > characters>@internet.co.nz and I was getting a few thousand messages
> > an hour coming into my postmaster account, after being told by a
> > monkey to "forward the spam to postmaster at aol.com sir !" and refusing
> > to discuss the issue I forwarded the 50,000 odd bounces I had
> > collected and added a redirect and within about a day it had stopped.
> >
> > The big trick is to find the originator. If you need help with this
> > then let us know and we can probably track them down for you.
> >
> Another option (just a thought) is to null route the MX record of
> the domain to which the bounces are coming... if it is possible, give it a low TTL
> value... It will take some time for the result to take effect because the MX
> will be cached by most ISPs.
>
>
I'm afraid that I cannot do that since a lot of the domains are legitimate.
Jessica
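The thread makes two practical points: mark the maillog entry in syslog.conf with a leading "-" so syslog stops fsyncing on every line, and work through the bounce flood to find which relay is actually originating it. The script below is an added example, not code from anyone in this thread. It checks a syslog.conf fragment for the async "-" prefix and ranks the relays behind "User unknown" rejections in sendmail-style maillog lines. All log lines, hostnames, addresses and IPs are constructed placeholders (example.org, 192.0.2.x, 198.51.100.x), and the log format is sendmail's check_rcpt reject line as commonly seen, not taken from the original message.

```shell
#!/bin/sh
# Added example for the "Mail Attack" thread. Not the list's or Red Hat's code.

# Return 0 when every mail.* line in the supplied syslog.conf text writes its
# file with a leading "-" (no fsync per message), 1 otherwise.
mail_logging_is_async() {
    conf="$1"
    printf '%s\n' "$conf" \
    | awk '$1 == "mail.*" { if (substr($2, 1, 1) != "-") bad = 1 }
           END { exit bad ? 1 : 0 }'
}

# Constructed syslog.conf fragments: the first still fsyncs on every line,
# the second is the tuned form recommended in the thread.
SYNC_CONF='mail.*			/var/log/maillog'
ASYNC_CONF='mail.*			-/var/log/maillog'

# Constructed sendmail maillog sample: bounces to random, nonexistent local
# users rejected at RCPT time, plus one legitimate delivery and one
# unrelated line. Hosts and addresses are placeholders.
SAMPLE_MAILLOG='Aug 23 08:01:12 mx1 sendmail[1201]: j7NC1Cxx001201: ruleset=check_rcpt, arg1=<xk3q9@example.org>, relay=mta-a.isp-one.example [192.0.2.10], reject=550 5.1.1 <xk3q9@example.org>... User unknown
Aug 23 08:01:13 mx1 sendmail[1202]: j7NC1Dxx001202: ruleset=check_rcpt, arg1=<p0ttw@example.org>, relay=mta-a.isp-one.example [192.0.2.10], reject=550 5.1.1 <p0ttw@example.org>... User unknown
Aug 23 08:01:14 mx1 sendmail[1203]: j7NC1Exx001203: ruleset=check_rcpt, arg1=<zq77a@example.org>, relay=mta-b.isp-two.example [192.0.2.55], reject=550 5.1.1 <zq77a@example.org>... User unknown
Aug 23 08:01:15 mx1 sendmail[1204]: j7NC1Fxx001204: to=<jessica@example.org>, delay=00:00:01, mailer=local, relay=mail.partner.example [198.51.100.7], stat=Sent
Aug 23 08:01:16 mx1 sendmail[1205]: j7NC1Gxx001205: ruleset=check_rcpt, arg1=<m4m4m@example.org>, relay=mta-a.isp-one.example [192.0.2.10], reject=550 5.1.1 <m4m4m@example.org>... User unknown
Aug 23 08:01:17 mx1 sendmail[1206]: j7NC1Hxx001206: from=<>, size=2310, class=0, nrcpts=1, proto=ESMTP, relay=mta-b.isp-two.example [192.0.2.55]
Aug 23 08:01:18 mx1 sendmail[1207]: j7NC1Ixx001207: ruleset=check_rcpt, arg1=<b8b8b@example.org>, relay=mta-b.isp-two.example [192.0.2.55], reject=550 5.1.1 <b8b8b@example.org>... User unknown
Aug 23 08:01:19 mx1 sendmail[1208]: j7NC1Jxx001208: ruleset=check_rcpt, arg1=<c19xx@example.org>, relay=mta-a.isp-one.example [192.0.2.10], reject=550 5.1.1 <c19xx@example.org>... User unknown'

# Read maillog text on stdin and print "count relay" lines, busiest relay
# first, counting only "User unknown" rejections. The relay= field names the
# host that handed us the message, which is where the abuse report goes.
rank_bounce_relays() {
    grep 'User unknown' \
    | sed -n 's/.*relay=\([^ ,]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Convenience wrapper: the single relay responsible for most rejections.
top_bounce_relay() {
    printf '%s\n' "$SAMPLE_MAILLOG" | rank_bounce_relays | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: report the syslog setting and the relay ranking.
if mail_logging_is_async "$ASYNC_CONF"; then
    echo "tuned syslog.conf: maillog is written without fsync"
fi
if ! mail_logging_is_async "$SYNC_CONF"; then
    echo "untuned syslog.conf: maillog still fsyncs every message"
fi
printf '%s\n' "$SAMPLE_MAILLOG" | rank_bounce_relays
```

On a real server, replace the constructed sample with `grep 'User unknown' /var/log/maillog | rank_bounce_relays`; the top entries are the hosts whose postmaster (or upstream ISP) should receive the collected bounces, as the thread suggests. Legitimate deliveries and the sendmail "from=<>" envelope lines are ignored because they never carry the "User unknown" reject text.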