being mailbombed..or something

  • JD Bronson
    Message 1 of 20, Jan 1, 2008
      I am looking for any advice on how to mitigate an attack.

      I appear to be under attack from IPs all over the world attempting
      to send email to one of my domains with all invalid usernames:

      For example:
      1 Laa@... (<>)
      1 Leitnerkkiwh@... (<>)
      1 lemerand@... (<>)
      1 Linas@... (<>)
      1 Littleflower@... (<>)
      1 Lounekmmhvp@... (<>)
      1 isabelle.lundquist@... (<>)
      1 merloptlq@... (<>)
      1 Mikhail-Rowen@... (<>)
      1 Miu_Connolly@... (<>)
      1 Natorywa@... (<>)
      (tons and tons of these)

      I run 'pf' and configured it to track IPs and connection attempts,
      and it's working very well (it starts to blackhole abusive IPs), but
      postfix can still run out of max processes and refuse legit requests.

      Other than using pf and the connection controls within postfix, is
      there anything else I could/should be doing or just ride this out?

      it has been all day so far...

      -JD
    • Wietse Venema
      Message 2 of 20, Jan 1, 2008
        JD Bronson:
        > I am looking for any advice on how to mitigate an attack.
        >
        > I appear to be under attack from IPs all over the world attempting
        > to send email to one of my domains with all invalid usernames:
        >
        > For example:
        > 1 Laa@... (<>)
        > 1 Leitnerkkiwh@... (<>)
        > 1 lemerand@... (<>)
        > 1 Linas@... (<>)
        > 1 Littleflower@... (<>)
        > 1 Lounekmmhvp@... (<>)
        > 1 isabelle.lundquist@... (<>)
        > 1 merloptlq@... (<>)
        > 1 Mikhail-Rowen@... (<>)
        > 1 Miu_Connolly@... (<>)
        > 1 Natorywa@... (<>)
        > (tons and tons of these)

        Backscatter. Joe-job.

        http://www.postfix.org/BACKSCATTER_README.html.

        Wietse
      • Matthias Schmidt
        Message 3 of 20, Jan 1, 2008
          On Tue, 1 Jan 2008 17:31:29 -0500, Wietse Venema wrote:

          >JD Bronson:
          >> I am looking for any advice on how to mitigate an attack.
          >>
          >> I appear to be under attack from IPs all over the world attempting
          >> to send email to one of my domains with all invalid usernames:
          >>
          >> For example:
          >> 1 Laa@... (<>)
          >> 1 Leitnerkkiwh@... (<>)
          >> 1 lemerand@... (<>)
          >> 1 Linas@... (<>)
          >> 1 Littleflower@... (<>)
          >> 1 Lounekmmhvp@... (<>)
          >> 1 isabelle.lundquist@... (<>)
          >> 1 merloptlq@... (<>)
          >> 1 Mikhail-Rowen@... (<>)
          >> 1 Miu_Connolly@... (<>)
          >> 1 Natorywa@... (<>)
          >> (tons and tons of these)
          >
          >Backscatter. Joe-job.

          I don't think so.
          IMHO it is a bot-net spam attack.
          There is currently a discussion about this on the
          spamassassin list.
          The thread is called "Re: DDOS, Dictionary Attack... not sure what it is..."

          One solution is IMHO to require that an IP resolves; this already drops
          more than 90% of such mails, and the rest gets blocked by DNSBLs like Spamhaus.

          Check the thread out, there are a couple of suggestions to solve the problem.

          Thanks and all the best

          Matthias
        • Terry Carmen
          Message 4 of 20, Jan 1, 2008

            >>> 1 merloptlq@... (<>)
            >>> 1 Mikhail-Rowen@... (<>)
            >>> 1 Miu_Connolly@... (<>)
            >>> 1 Natorywa@... (<>)
            >>> (tons and tons of these)
            >>
            >> Backscatter. Joe-job.
            >
            > I don't think so.
            > imho it is a bot-net spam-attack.
            Bots are pretty easy to kill. You can refuse to talk to them by matching their reverse DNS against a regular expression.

            This has also been a huge help.

            There's just no reason to accept mail from a Dynamic IP or an IP with no reverse DNS, so blocking them cuts WAY down on bots. I can't take credit for the list. Most of it was written by someone else (sorry, don't remember who). I added the last handful of entries.

            Save the text below as spam_ip_regex, and add:

            check_client_access regexp:/etc/postfix/spam_ip_regex

            and

            reject_unknown_reverse_client_hostname

            to your smtpd_client_restrictions section.

            Postfix can handle a ton of traffic when all it has to do is reject. 8-)

            Terry



            ####################################################33
            /^dsl.*\..*\..*/i                           553 AUTO_DSL Email Rejected.
            /[ax]dsl.*\..*\..*/i                        553 AUTO_XDSL Email Rejected.
            /client.*\..*\..*/i                         553 AUTO_CLIENT Email Rejected.
            /cable.*\..*\..*/i                          553 AUTO_CABLE Email Rejected.
            /dial.*\..*\..*/i                           553 AUTO_DIAL Email Rejected.
            /.*dial[\-]*in.*/i                          553 AUTO_DIAL2 Email Rejected.
            /ppp.*\..*\..*/i                            553 AUTO_PPP Email Rejected.
            /dslam.*\..*\..*/i                          553 AUTO_DSLAM Email Rejected.
            /node.*\..*\..*/i                           553 AUTO_NODE Email Rejected.
            /.*dial-up.*/i                             553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
            /.*\.dhcp.*/i                             553 AUTO_DHCP_ID_PATTERN Email Rejected.
            /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i         553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
            /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i     553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
            /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i                 553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
            /.*internetdsl.tpnet.pl/i                     553 AUTO_PL_DSL_PATTERN Email Rejected.
            /.*\.cable.net.co\..*/i                      553 AUTO_CABLE_DOT_NET Email Rejected.
            /.*dynamic.*/i                             553 AUTO_DYNAMIC_PATTERN Email Rejected.
            /.*ppp.*/i                             553 AUTO_PPP_PATTERN Email Rejected.
            /.*user.*/i                             553 AUTO_USER_PATTERN Email Rejected.
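As an added example that is not part of Terry's post or of Postfix itself, the following Python script dry-runs the table above with regexp_table(5) lookup semantics against constructed client names (every host and address in it is invented), so the map can be checked before it goes into smtpd_client_restrictions. It also surfaces two caveats: `/.*user.*/` rejects an ordinary MX whose name merely contains "user", and because a regexp_table flag toggles the default, the trailing `/i` makes these rules case-sensitive, so a mixed-case PTR slips past them.

```python
import re

# Terry's access map exactly as posted above (Postfix regexp: table format).
SPAM_IP_REGEX = r"""
####################################################33
/^dsl.*\..*\..*/i                           553 AUTO_DSL Email Rejected.
/[ax]dsl.*\..*\..*/i                        553 AUTO_XDSL Email Rejected.
/client.*\..*\..*/i                         553 AUTO_CLIENT Email Rejected.
/cable.*\..*\..*/i                          553 AUTO_CABLE Email Rejected.
/dial.*\..*\..*/i                           553 AUTO_DIAL Email Rejected.
/.*dial[\-]*in.*/i                          553 AUTO_DIAL2 Email Rejected.
/ppp.*\..*\..*/i                            553 AUTO_PPP Email Rejected.
/dslam.*\..*\..*/i                          553 AUTO_DSLAM Email Rejected.
/node.*\..*\..*/i                           553 AUTO_NODE Email Rejected.
/.*dial-up.*/i                              553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
/.*\.dhcp.*/i                               553 AUTO_DHCP_ID_PATTERN Email Rejected.
/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i        553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
/.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i    553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i        553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
/.*internetdsl.tpnet.pl/i                   553 AUTO_PL_DSL_PATTERN Email Rejected.
/.*\.cable.net.co\..*/i                     553 AUTO_CABLE_DOT_NET Email Rejected.
/.*dynamic.*/i                              553 AUTO_DYNAMIC_PATTERN Email Rejected.
/.*ppp.*/i                                  553 AUTO_PPP_PATTERN Email Rejected.
/.*user.*/i                                 553 AUTO_USER_PATTERN Email Rejected.
"""

# One rule per line: optional '!' negation, /pattern/, flag letters, whitespace, action.
RULE_RE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(.*\S)\s*$")


def parse_regexp_table(text):
    """Parse regexp_table(5) text into [(compiled_regex, negate, action)].

    Blank lines and '#' comments are skipped. Per the manual, matching is
    case-insensitive by default and a flag *toggles* its default, so the
    trailing 'i' on every rule in this table turns case-insensitivity OFF.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected '/pattern/flags action'")
        negate, pattern, flags, action = m.groups()
        ignore_case = True
        for flag in flags:
            if flag == "i":
                ignore_case = not ignore_case
            elif flag not in "mx":  # m/x exist in Postfix; irrelevant for these rules
                raise ValueError(f"line {lineno}: unknown flag {flag!r}")
        compiled = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
        rules.append((compiled, negate == "!", action))
    return rules


def lookup(rules, key):
    """Postfix semantics: the first rule that matches decides; None = no match."""
    for regex, negate, action in rules:
        if bool(regex.search(key)) != negate:
            return action
    return None


def check_client(rules, hostname, address):
    """Approximate the two smtpd_client_restrictions recommended above.

    reject_unknown_reverse_client_hostname fires when the client address has no
    PTR record (Postfix then reports the name as 'unknown'). For a regexp:
    table, check_client_access matches the whole client hostname and then the
    whole client IP address string against the rules.
    """
    if hostname == "unknown":
        return "reject_unknown_reverse_client_hostname"
    for key in (hostname, address):
        action = lookup(rules, key)
        if action is not None:
            return action
    return "OK"


# Constructed sample clients; every name and address here is invented.
SAMPLE_CLIENTS = [
    ("mx1.example.com", "192.0.2.10"),                         # ordinary MX
    ("dsl-81-7-22-9.isp-example.net", "198.51.100.9"),         # consumer DSL line
    ("host-10-0-0-5.dynamic.isp-example.net", "203.0.113.5"),  # dynamic pool
    ("mail.superusers-example.org", "192.0.2.20"),             # real MX hit by /.*user.*/
    ("Cable-Modem.isp-example.net", "198.51.100.40"),          # mixed-case PTR, slips past
    ("unknown", "203.0.113.77"),                               # no PTR record
]


def dry_run(table=SPAM_IP_REGEX, clients=SAMPLE_CLIENTS):
    """Return {hostname: verdict} for every sample client."""
    rules = parse_regexp_table(table)
    return {host: check_client(rules, host, addr) for host, addr in clients}


if __name__ == "__main__":
    for host, verdict in dry_run().items():
        print(f"{host:42} {verdict}")
```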

          • Craig White
            Message 5 of 20, Jan 1, 2008
              On Wed, 2008-01-02 at 10:29 +0900, Matthias Schmidt wrote:
              > On Tue, 1 Jan 2008 17:31:29 -0500, Wietse Venema wrote:
              >
              > >JD Bronson:
              > >> I am looking for any advice on how to mitigate an attack.
              > >>
              > >> I appear to be under attack from IPs all over the world attempting
              > >> to send email to one of my domains with all invalid usernames:
              > >>
              > >> For example:
              > >> 1 Laa@... (<>)
              > >> 1 Leitnerkkiwh@... (<>)
              > >> 1 lemerand@... (<>)
              > >> 1 Linas@... (<>)
              > >> 1 Littleflower@... (<>)
              > >> 1 Lounekmmhvp@... (<>)
              > >> 1 isabelle.lundquist@... (<>)
              > >> 1 merloptlq@... (<>)
              > >> 1 Mikhail-Rowen@... (<>)
              > >> 1 Miu_Connolly@... (<>)
              > >> 1 Natorywa@... (<>)
              > >> (tons and tons of these)
              > >
              > >Backscatter. Joe-job.
              >
              > I don't think so.
              > imho it is a bot-net spam-attack.
              > There's is just in the moment a discussion about this on the
              > spamassassin list.
              > The thread is called Re: DDOS, Dictionary Attack... not sure what it is...
              >
              > one solution is imho to require that an ip resolves, this already dropps
              > more than 90% of such mails, the rest gets blocked by DNSBLs, like spamhaus.
              >
              > check the thread out, there are a couple of suggestions to solve the problem.
              ----
              Appears to be the very same thing, and yes, when your domain has been
              joe-jobbed, the backscatter can seem exactly like a denial of service
              attack.

              Requiring reverse DNS is something I agree with, but that doesn't stop
              backscatter in this situation at all - at least, not enough.

              Craig
            • Matthias Schmidt
              Message 6 of 20, Jan 1, 2008
                On Wed, 2 Jan 2008 10:29:16 +0900, Matthias Schmidt wrote:

                >On Tue, 1 Jan 2008 17:31:29 -0500, Wietse Venema wrote:
                >
                >>JD Bronson:
                >>> I am looking for any advice on how to mitigate an attack.
                >>>
                >>> I appear to be under attack from IPs all over the world attempting
                >>> to send email to one of my domains with all invalid usernames:
                >>>
                >>> For example:
                >>> 1 Laa@... (<>)
                >>> 1 Leitnerkkiwh@... (<>)
                >>> 1 lemerand@... (<>)
                >>> 1 Linas@... (<>)
                >>> 1 Littleflower@... (<>)
                >>> 1 Lounekmmhvp@... (<>)
                >>> 1 isabelle.lundquist@... (<>)
                >>> 1 merloptlq@... (<>)
                >>> 1 Mikhail-Rowen@... (<>)
                >>> 1 Miu_Connolly@... (<>)
                >>> 1 Natorywa@... (<>)
                >>> (tons and tons of these)
                >>
                >>Backscatter. Joe-job.
                >
                >I don't think so.

                sorry, quite possible that it's backscatter as well ...
                I typed too quickly :-o

                As to what it is exactly, more information from the log would be needed.


                Thanks and all the best

                Matthias
              • Matthias Schmidt
                Message 7 of 20, Jan 1, 2008
                  On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:

                  >
                  >>>> 1 merloptlq@... (<>)
                  >>>> 1 Mikhail-Rowen@... (<>)
                  >>>> 1 Miu_Connolly@... (<>)
                  >>>> 1 Natorywa@... (<>)
                  >>>> (tons and tons of these)
                  >>>>
                  >>> Backscatter. Joe-job.
                  >>>
                  >>
                  >> I don't think so.
                  >> imho it is a bot-net spam-attack.
                  >>
                  >Bots are pretty easy to kill. You can refuse to talk to them by matching
                  >their reverse DNS against a regular expression.
                  >
                  >This has also been a huge help.
                  >
                  >There's just no reason to accept mail from a Dynamic IP or an IP with no
                  >reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
                  >for the list. Most of it was written by someone else (sorry, don't
                  >remember who). I added the last handful of entries.
                  >
                  >Save the text below as spam_ip_regex, and add:
                  >
                  >check_client_access regexp:/etc/postfix/spam_ip_regex
                  >
                  >and
                  >
                  >reject_unknown_reverse_client_hostname
                  >
                  >to your smtpd_client_restrictions section.
                  >
                  >Postfix can handle a ton of traffic when all it has to do is reject. 8-)
                  >
                  >Terry
                  >
                  >
                  >
                  >####################################################33
                  >/^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
                  >/[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
                  >/client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
                  >/cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
                  >/dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
                  >/.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
                  >/ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
                  >/dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
                  >/node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
                  >/.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN
                  >Email Rejected.
                  >/.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email
                  >Rejected.
                  >/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                  >AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
                  >/.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                  >AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
                  >/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
                  >AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
                  >/.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN
                  >Email Rejected.
                  >/.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
                  >Email Rejected.
                  >/.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
                  >Email Rejected.
                  >/.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
                  >/.*user.*/i 553 AUTO_USER_PATTERN Email
                  >Rejected.
                  >


                  With these rules you might also reject legal eMails from servers running
                  via dyndns, or?

                  Thanks and all the best

                  Matthias
                • terry.gilsenan@interoil.com
                  Message 8 of 20, Jan 1, 2008
                    Matthias Schmidt wrote:
                    > On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
                    >
                    >
                    >>>>> 1 merloptlq@... (<>)
                    >>>>> 1 Mikhail-Rowen@... (<>)
                    >>>>> 1 Miu_Connolly@... (<>)
                    >>>>> 1 Natorywa@... (<>)
                    >>>>> (tons and tons of these)
                    >>>>>
                    >>>>>
                    >>>> Backscatter. Joe-job.
                    >>>>
                    >>>>
                    >>> I don't think so.
                    >>> imho it is a bot-net spam-attack.
                    >>>
                    >>>
                    >> Bots are pretty easy to kill. You can refuse to talk to them by matching
                    >> their reverse DNS against a regular expression.
                    >>
                    >> This has also been a huge help.
                    >>
                    >> There's just no reason to accept mail from a Dynamic IP or an IP with no
                    >> reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
                    >> for the list. Most of it was written by someone else (sorry, don't
                    >> remember who). I added the last handful of entries.
                    >>
                    >> Save the text below as spam_ip_regex, and add:
                    >>
                    >> check_client_access regexp:/etc/postfix/spam_ip_regex
                    >>
                    >> and
                    >>
                    >> reject_unknown_reverse_client_hostname
                    >>
                    >> to your smtpd_client_restrictions section.
                    >>
                    >> Postfix can handle a ton of traffic when all it has to do is reject. 8-)
                    >>
                    >> Terry
                    >>
                    >>
                    >>
                    >> ####################################################33
                    >> /^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
                    >> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
                    >> /client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
                    >> /cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
                    >> /dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
                    >> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
                    >> /ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
                    >> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
                    >> /node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
                    >> /.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN
                    >> Email Rejected.
                    >> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email
                    >> Rejected.
                    >> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                    >> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
                    >> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                    >> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
                    >> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
                    >> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
                    >> /.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN
                    >> Email Rejected.
                    >> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
                    >> Email Rejected.
                    >> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
                    >> Email Rejected.
                    >> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
                    >> /.*user.*/i 553 AUTO_USER_PATTERN Email
                    >> Rejected.
                    >>
                    >>
                    >
                    >
                    > with these rules you might also reject legal eMails from servers running
                    > via dyndns, or?
                    >
                    <snip>

                    Surely that would depend entirely on the recipient's interpretation of
                    "legal eMails", e.g.: my server, my rules.

                    I am of the opinion that people on dynamic connections should either be
                    relaying emails via their ISP's SmartHost, or connecting to the
                    submission port and authenticating (method not discussed here). It's one
                    or the other.

                    Regards,
                    T
                  • vg_us@hotmail.com
                    Message 9 of 20, Jan 1, 2008
                      ----- Original Message -----
                      From: <terry.gilsenan@...>
                      Cc: <postfix-users@...>
                      Sent: Tuesday, January 01, 2008 9:08 PM
                      Subject: Re: being mailbombed..or something


                      > Matthias Schmidt wrote:
                      >> On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
                      >>
                      >>
                      >>>>>> 1 merloptlq@... (<>)
                      >>>>>> 1 Mikhail-Rowen@... (<>)
                      >>>>>> 1 Miu_Connolly@... (<>)
                      >>>>>> 1 Natorywa@... (<>)
                      >>>>>> (tons and tons of these)
                      >>>>>>
                      >>>>> Backscatter. Joe-job.
                      >>>>>
                      >>>> I don't think so.
                      >>>> imho it is a bot-net spam-attack.
                      >>>>
                      >>> Bots are pretty easy to kill. You can refuse to talk to them by matching
                      >>> their reverse DNS against a regular expression.
                      >>>
                      >>> This has also been a huge help.
                      >>>
                      >>> There's just no reason to accept mail from a Dynamic IP or an IP with no
                      >>> reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
                      >>> for the list. Most of it was written by someone else (sorry, don't
                      >>> remember who). I added the last handful of entries.
                      >>>
                      >>> Save the text below as spam_ip_regex, and add:
                      >>>
                      >>> check_client_access regexp:/etc/postfix/spam_ip_regex
                      >>>
                      >>> and
                      >>>
                      >>> reject_unknown_reverse_client_hostname
                      >>>
                      >>> to your smtpd_client_restrictions section.
                      >>>
                      >>> Postfix can handle a ton of traffic when all it has to do is reject. 8-)
                      >>>
                      >>> Terry
                      >>>
                      >>>
                      >>>
                      >>> ####################################################33
                      >>> /^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
                      >>> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email
                      >>> Rejected.
                      >>> /client.*\..*\..*/i 553 AUTO_CLIENT Email
                      >>> Rejected.
                      >>> /cable.*\..*\..*/i 553 AUTO_CABLE Email
                      >>> Rejected.
                      >>> /dial.*\..*\..*/i 553 AUTO_DIAL Email
                      >>> Rejected.
                      >>> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email
                      >>> Rejected.
                      >>> /ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
                      >>> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email
                      >>> Rejected.
                      >>> /node.*\..*\..*/i 553 AUTO_NODE Email
                      >>> Rejected.
                      >>> /.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN
                      >>> Email Rejected.
                      >>> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email
                      >>> Rejected.
                      >>> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                      >>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
                      >>> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                      >>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
                      >>> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
                      >>> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
                      >>> /.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN
                      >>> Email Rejected.
                      >>> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
                      >>> Email Rejected.
                      >>> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
                      >>> Email Rejected.
                      >>> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email
                      >>> Rejected.
                      >>> /.*user.*/i 553 AUTO_USER_PATTERN Email
                      >>> Rejected.
                      >>>
                      >>>
                      >>
                      >>
                      >> with these rules you might also reject legal eMails from servers running
                      >> via dyndns, or?
                      >>
                      > <snip>
                      >
                      > Surely that would depend entirely on the recipients interpretation of
                      > "legal eMails", eg: my server, my rules.
                      >
                      > I am of the opinion that people on dynamic connections should ether be
                      > relaying emails via their ISP's SmartHost, or connecting to the submission
                      > port and authenticating (method not discussed here). Its one or the other.
                      >
                      > Regards,
                      > T
                      >

                      your server, your rules? say "hi" to aol and hotmail, my friend.

                      vadim
                    • terry.gilsenan@interoil.com
                      Message 10 of 20, Jan 1, 2008
                        vg_us@... wrote:
                        >
                        > ----- Original Message ----- From: <terry.gilsenan@...>
                        > Cc: <postfix-users@...>
                        > Sent: Tuesday, January 01, 2008 9:08 PM
                        > Subject: Re: being mailbombed..or something
                        >
                        >
                        >> Matthias Schmidt wrote:
                        >>> On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
                        >>>
                        >>>
                        >>>>>>> 1 merloptlq@... (<>)
                        >>>>>>> 1 Mikhail-Rowen@... (<>)
                        >>>>>>> 1 Miu_Connolly@... (<>)
                        >>>>>>> 1 Natorywa@... (<>)
                        >>>>>>> (tons and tons of these)
                        >>>>>>>
                        >>>>>> Backscatter. Joe-job.
                        >>>>>>
                        >>>>> I don't think so.
                        >>>>> imho it is a bot-net spam-attack.
                        >>>>>
                        >>>> Bots are pretty easy to kill. You can refuse to talk to them by
                        >>>> matching their reverse DNS against a regular expression.
                        >>>>
                        >>>> This has also been a huge help.
                        >>>>
                        >>>> There's just no reason to accept mail from a Dynamic IP or an IP
                        >>>> with no reverse DNS, so blocking them cuts WAY down on bots. I
                        >>>> can't take credit for the list. Most of it was written by someone
                        >>>> else (sorry, don't remember who). I added the last handful of entries.
                        >>>>
                        >>>> Save the text below as spam_ip_regex, and add:
                        >>>>
                        >>>> check_client_access regexp:/etc/postfix/spam_ip_regex
                        >>>>
                        >>>> and
                        >>>>
                        >>>> reject_unknown_reverse_client_hostname
                        >>>>
                        >>>> to your smtpd_client_restrictions section.
                        >>>>
                        >>>> Postfix can handle a ton of traffic when all it has to do is
                        >>>> reject. 8-)
                        >>>>
                        >>>> Terry
                        >>>>
                        >>>>
                        >>>>
                        >>>> ####################################################33
                        >>>> /^dsl.*\..*\..*/i 553 AUTO_DSL Email
                        >>>> Rejected.
                        >>>> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email
                        >>>> Rejected.
                        >>>> /client.*\..*\..*/i 553 AUTO_CLIENT Email
                        >>>> Rejected.
                        >>>> /cable.*\..*\..*/i 553 AUTO_CABLE Email
                        >>>> Rejected.
                        >>>> /dial.*\..*\..*/i 553 AUTO_DIAL Email
                        >>>> Rejected.
                        >>>> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email
                        >>>> Rejected.
                        >>>> /ppp.*\..*\..*/i 553 AUTO_PPP Email
                        >>>> Rejected.
                        >>>> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email
                        >>>> Rejected.
                        >>>> /node.*\..*\..*/i 553 AUTO_NODE Email
                        >>>> Rejected.
                        >>>> /.*dial-up.*/i 553
                        >>>> AUTO_DIAL_UP_ID_PATTERN Email Rejected.
                        >>>> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN
                        >>>> Email Rejected.
                        >>>> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
                        >>>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
                        >>>> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i
                        >>>> 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
                        >>>> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
                        >>>> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
                        >>>> /.*internetdsl.tpnet.pl/i 553
                        >>>> AUTO_PL_DSL_PATTERN Email Rejected.
                        >>>> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
                        >>>> Email Rejected.
                        >>>> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
                        >>>> Email Rejected.
                        >>>> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email
                        >>>> Rejected.
                        >>>> /.*user.*/i 553 AUTO_USER_PATTERN Email
                        >>>> Rejected.
                        >>>>
                        >>>>
                        >>>
                        >>>
                        >>> with these rules you might also reject legal eMails from servers
                        >>> running
                        >>> via dyndns, or?
                        >>>
                        >> <snip>
                        >>
                        >> Surely that would depend entirely on the recipients interpretation of
                        >> "legal eMails", eg: my server, my rules.
                        >>
                        >> I am of the opinion that people on dynamic connections should either
                        >> be relaying emails via their ISP's SmartHost, or connecting to the
                        >> submission port and authenticating (method not discussed here). It's
                        >> one or the other.
                        >>
                        >> Regards,
                        >> T
                        >>
                        >
                        > your server, your rules? say "hi" to aol and hotmail, my friend.
                        *<blink>*

                        If I want to send email to aol or hotmail, then I need to play by their
                        rules, if they want to send email to me, then they will play by my
                        rules. My MX currently accepts about 500k legit emails / day, and
                        rejects several million connection/delivery attempts / day using various
                        rules, and DNSBL's etc.

                        My users appreciate having _useful_ email, and many of the users have
                        never yet rec'd a single spam. I am somewhat draconian, and the users
                        know that I am approachable if they suspect a false positive, and on
                        several occasions I have added temporary manual white-listing, whilst at
                        the same time assisting to educate the sender (or their ISP) in getting
                        their MTA "fixed".

                        So I say again, my server, my rules.

                        Regards,
                        T
                      • Wietse Venema
                        Message 11 of 20, Jan 1, 2008
                          Matthias Schmidt:
                          [ Charset ISO-8859-1 unsupported, converting... ]
                          > Am/On Tue, 1 Jan 2008 17:31:29 -0500 schrieb/wrote Wietse Venema:
                          >
                          > >JD Bronson:
                          > >> I am looking for any advice on how to mitigate an attack.
                          > >>
                          > >> I appear to be under attack from IPs all over the world attempting
                          > >> to send email to one of my domains with all invalid usernames:
                          > >>
                          > >> For example:
                          > >> 1 Laa@... (<>)
                          > >> 1 Leitnerkkiwh@... (<>)
                          > >> 1 lemerand@... (<>)
                          > >> 1 Linas@... (<>)
                          > >> 1 Littleflower@... (<>)
                          > >> 1 Lounekmmhvp@... (<>)
                          > >> 1 isabelle.lundquist@... (<>)
                          > >> 1 merloptlq@... (<>)
                          > >> 1 Mikhail-Rowen@... (<>)
                          > >> 1 Miu_Connolly@... (<>)
                          > >> 1 Natorywa@... (<>)
                          > >> (tons and tons of these)
                          > >
                          > >Backscatter. Joe-job.
                          >
                          > I don't think so.
                          > imho it is a bot-net spam-attack.

                          Lots of mail from <> is backscatter.

                          Wietse
                        • Terry Carmen
                          Message 12 of 20, Jan 1, 2008
                            Matthias Schmidt wrote:
                            >> Bots are pretty easy to kill. You can refuse to talk to them by matching
                            >> their reverse DNS against a regular expression.
                            >>
                            >> This has also been a huge help.
                            >>
                            > with these rules you might also reject legal eMails from servers running
                            > via dyndns, or?
                            >
                            Dyndns never enters into it. It's looking up the *reverse* DNS, which
                            would return the ISP's DN, not the home user.

                            In any case, I'm more than willing to take a chance on temporarily
                            rejecting a few legitimate emails from dynamic IPs in exchange for
                            eliminating millions of zombie spams.

                            If you look at the regexp, you'll note that it contains a reject
                            message, which in the case of the companies I manage mail servers for,
                            includes a contact phone number for the IT department, so they can be
                            white-listed. They generally average maybe a couple of calls a week for
                            whitelisting, in contrast to millions of rejects.

                            Businesses are more than happy to make that trade-off, especially since
                            it lowers their risk of infection, spam and scams.

                            Dynamic users should be routing their mail through their ISPs mail
                            servers. If they don't want to, that's fine, but I don't have to talk to
                            them.

                            Terry
                          • Kevin Stevens
                            Message 13 of 20, Jan 1, 2008
                              On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:

                              > Matthias Schmidt wrote:
                              >> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                              >>
                              >> with these rules you might also reject legal eMails from servers
                              >> running
                              >> via dyndns, or?
                              >>
                              > <snip>
                              >
                              > Surely that would depend entirely on the recipient's interpretation
                              > of "legal eMails", e.g.: my server, my rules.
                              >
                              > I am of the opinion that people on dynamic connections should either
                              > be relaying emails via their ISP's SmartHost, or connecting to the
                              > submission port and authenticating (method not discussed here). It's
                              > one or the other.
                              >
                              > Regards,
                              > T

                              Well - no.

                              You can certainly decide to accept or reject whatever mail you want by
                              whatever rules you define, but legality, in this context, means RFC
                              compliant. As someone who runs a compliant mailserver, on a business
                              DSL IP (static), I get a lot of blocks from over-enthusiastic
                              blacklists.

                              KeS
                            • terry.gilsenan@interoil.com
                              Message 14 of 20, Jan 1, 2008
                                Kevin Stevens wrote:
                                >
                                > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                                >
                                >> Matthias Schmidt wrote:
                                >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                                >>>
                                >>> with these rules you might also reject legal eMails from servers
                                >>> running
                                >>> via dyndns, or?
                                >>>
                                >> <snip>
                                >>
                                >> Surely that would depend entirely on the recipient's interpretation of
                                >> "legal eMails", e.g.: my server, my rules.
                                >>
                                >> I am of the opinion that people on dynamic connections should either
                                >> be relaying emails via their ISP's SmartHost, or connecting to the
                                >> submission port and authenticating (method not discussed here). It's
                                >> one or the other.
                                >>
                                >> Regards,
                                >> T
                                >
                                > Well - no.
                                >
                                > You can certainly decide to accept or reject whatever mail you want by
                                > whatever rules you define, but legality, in this context, means RFC
                                > compliant. As someone who runs a compliant mailserver, on a business
                                > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                                >
                                > KeS
                                >
                                It is "Legal" according to the RFCs for an MX server to reject any
                                email for any reason at all, so long as the appropriate reply is made by
                                the server to the client. For example the Server could be configured to
                                reject all email from IP addresses that have an odd number in it, or
                                reject on all email addresses from a .com domain, or even all emails
                                that have any X- headers inserted, or perhaps all email from email
                                addresses with female gender inflected names in either domain or email
                                address. It is legal so long as the server replies to the attempted
                                transmission from the client with an appropriate response.

                                Using a blacklist is entirely legal as per RFC's, so long as the email
                                is rejected _DURING_ the SMTP transaction, any time before issuing a 200
                                OK for the email data.

                                Even rejecting entire netblocks based on Country is legal according to
                                RFC's provided the appropriate response is given to the client by the
                                server _during_ the SMTP transaction.

                                The only overarching requirement is that abuse@ and postmaster@ are able
                                to rec'v email from everywhere.

                                Your server on the other hand, may be RFC compliant, however that is
                                irrelevant if the MTA to which you are trying to deliver email is
                                rejecting dynamic IPs. People can be as enthusiastic as they wish with
                                their blocklist usage, after all, it is their bandwidth that they are
                                saving. Many people in this world have to pay for each and every
                                megabyte that they use, and if they want to restrict emails to a 0/8
                                blocklist and a small whitelist, with a 50kb message size limit, then
                                that is entirely their call.

                                If you get your email blocked by servers configured to block email from
                                DSL links, then that is the recipient's choice, you can ask them to
                                whitelist, or you can contact your ISP and use their SmartHost perhaps
                                (if they have one for their clients' use, that is).

                                Regards,
                                T
                              • terry.gilsenan@interoil.com
                                Message 15 of 20, Jan 1, 2008
                                  Terry Carmen wrote:
                                  > Matthias Schmidt wrote:
                                  >>> Bots are pretty easy to kill. You can refuse to talk to them by
                                  >>> matching their reverse DNS against a regular expression.
                                  >>>
                                  >>> This has also been a huge help.
                                  >>>
                                  >> with these rules you might also reject legal eMails from servers running
                                  >> via dyndns, or?
                                  >>
                                  > Dyndns never enters into it. It's looking up the *reverse* DNS, which
                                  > would return the ISP's DN, not the home user.
                                  >
                                  > In any case, I'm more than willing to take a chance on temporarily
                                  > rejecting a few legitimate emails from dynamic IPs in exchange for
                                  > eliminating millions of zombie spams.
                                  >
                                  > If you look at the regexp, you'll note that it contains a reject
                                  > message, which in the case of the companies I manage mail servers for,
                                  > includes a contact phone number for the IT department, so they can be
                                  > white-listed. They generally average maybe a couple of calls a week
                                  > for whitelisting, in contrast to millions of rejects.
                                  >
                                  > Businesses are more than happy to make that trade-off, especially
                                  > since it lowers their risk of infection, spam and scams.
                                  >
                                  > Dynamic users should be routing their mail through their ISPs mail
                                  > servers. If they don't want to, that's fine, but I don't have to talk
                                  > to them.
                                  >
                                  > Terry
                                  >
                                  Bingo!
                                • JD Bronson
                                  Message 16 of 20, Jan 2, 2008
                                    At 02:44 PM 01/02/2008 +1000, terry.gilsenan@... wrote:
                                    >>Dynamic users should be routing their mail through their ISPs mail
                                    >>servers. If they don't want to, that's fine, but I don't have to talk to them.

                                    Thanks for all of the discussion guys.

                                    I already block dynamic IPs with pcre but have a client_checks just
                                    before that for whitelisting.

                                    I do get a false positive from time to time, but my error message
                                    states to use your ISP:

                                    "550 Connecting IP appears dynamic - Use ISP to relay email"

                                    Smart people should figure that out. If not, oh well :-)

                                    So far, using pf has helped me the most. It watches the number of
                                    concurrent sessions and the number of sessions within a given amount
                                    of time and then blacklists/blackholes the IP until midnight. I am
                                    then emailed a list of the offending IPs and then the IPs are flushed
                                    out of the table.

                                    At least this way, if it is a legit IP, it will have a chance again.
                                    If not, it will be blacklisted again as well.

                                    I do have overrides within pf for certain sites that we receive a
                                    large quantity of email from in a short time.

                                    -JD
                                  • Leonardo Rodrigues Magalhães
                                    Message 17 of 20, Jan 2, 2008
                                      Kevin Stevens escreveu:
                                      >
                                      > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                                      >
                                      >> Matthias Schmidt wrote:
                                      >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                                      >>>
                                      >>> with these rules you might also reject legal eMails from servers
                                      >>> running
                                      >>> via dyndns, or?
                                      >>>
                                      >>
                                      >> Surely that would depend entirely on the recipient's interpretation of
                                      >> "legal eMails", e.g.: my server, my rules.
                                      >>
                                      >> I am of the opinion that people on dynamic connections should either
                                      >> be relaying emails via their ISP's SmartHost, or connecting to the
                                      >> submission port and authenticating (method not discussed here). It's
                                      >> one or the other.
                                      >>
                                      >
                                      > Well - no.
                                      >
                                      > You can certainly decide to accept or reject whatever mail you want by
                                      > whatever rules you define, but legality, in this context, means RFC
                                      > compliant. As someone who runs a compliant mailserver, on a business
                                      > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                                      >

                                      I think this discussion on mail servers running on DSL/Cable static
                                      IP connections is far beyond the scope of RFC discussions.

                                      Those people who choose to run their mail server on DSL/cable
                                      connections and NOT relay through their ISPs are already having a bad time
                                      when sending mail to big ISPs and big companies.

                                      Even if it's 'OK' in RFC scope, this is not OK in the real world
                                      anymore. The real world seems to be completely happy with some
                                      false-positive rejections when these dynamic-IP rules block MILLIONS
                                      of bad messages.

                                      I had some mail servers running on static IP DSL lines here in Brazil
                                      and tried, for some time, to avoid upstreaming the messages to the ISPs.
                                      But .... for more than a year now, I have realized that that was a lost war.
                                      And I started upstreaming messages to ISPs. Received messages come
                                      directly to my static IP DSL lines, but outgoing messages go to the
                                      ISP mail servers.


                                      --


                                      Sincerely,
                                      Leonardo Rodrigues
                                      Solutti Tecnologia
                                      http://www.solutti.com.br

                                      My SPAM trap, do NOT send email to it
                                      gertrudes@...
                                      My SPAMTRAP, do not email it
                                    • mouss
                                      Message 18 of 20, Jan 2, 2008
                                        Terry Carmen wrote:
                                        >
                                        > Bots are pretty easy to kill. You can refuse to talk to them by matching
                                        > their reverse DNS against a regular expression.
                                        >

                                        Unfortunately, it's not that easy. Rejecting them still consumes
                                        resources. When your smtpd is rejecting zombies, it's busy doing that.
                                        And if there are too many zombies sending you traffic, then that will
                                        kill your connectivity, even if you firewall traffic at the IP level.

                                        all you can do is reduce their effects.

                                        > This has also been a huge help.
                                        >
                                        > There's just no reason to accept mail from a Dynamic IP

                                        The problem is how to detect that it is a dynamic IP. Regular
                                        expressions have both False Negatives (there is no registry of every
                                        possible format) and False Positives, like this:

                                        ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]

                                        This is from a colo host, which is not dynamic at all.

                                        An alternative is to reject mail from clients with generic rDNS (because
                                        "they did not do efforts to have a meaningful rDNS"). This reduces the
                                        false positives (by changing the goal, not by blocking different people!).


                                        > or an IP with no reverse DNS,

                                        Be warned that in the case of DNS failures (which may be on your side),
                                        you'll delay legitimate mail.


                                        > [snip]
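The two points argued across this thread, JD's whitelist consulted before the pcre rejections and mouss's colo host tripping a dynamic-IP pattern, can be checked offline before a rule set goes live. The evaluator below is an added example, not code from the thread or from Postfix; it emulates Postfix's lookup order as a simplification (indexed table: hostname, parent domains, IP, network prefixes; pcre table: unanchored search over the hostname and the IP string), and every hostname, address and domain in it is constructed.

```python
"""Offline dry run of Postfix-style client access rules.

Added example, not code from the thread or from Postfix itself. It emulates
the lookup order JD describes (a hash-style client_checks whitelist consulted
before a pcre: table of reverse-DNS patterns) so a rule set can be checked
against sample client names before it goes live. Every hostname, address and
domain below is constructed; the colo name is shaped like mouss's example.
"""
import re

# Constructed pcre: table in Postfix's "/pattern/flags action" format, using a
# subset of the patterns quoted earlier in the thread.
PCRE_TABLE = r"""
# dynamic / dial-up naming conventions
/.*\.dhcp.*/i  553 AUTO_DHCP_ID_PATTERN Email Rejected.
/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i  553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i  553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
/.*dynamic.*/i  553 AUTO_DYNAMIC_PATTERN Email Rejected.
/.*ppp.*/i  553 AUTO_PPP_PATTERN Email Rejected.
"""

# Constructed client_checks whitelist (an indexed table in Postfix terms).
# Keys may be a hostname, a parent domain, an IP address or a network prefix.
CLIENT_CHECKS = {
    "example-colo.test": "OK",  # colo provider whose rDNS trips a pattern
    "203.0.113": "OK",          # a partner's /24, keyed by its prefix
}

_RULE_RE = re.compile(r"^/((?:[^/\\]|\\.)*)/([imx]*)\s+(\S.*)$")
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_pcre_table(text):
    """Return [(compiled_regex, action), ...] in file order; first match wins."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError("unparseable rule: %r" % line)
        pattern, flags, action = m.groups()
        re_flags = 0
        for flag in flags:
            re_flags |= _FLAGS[flag]
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def pcre_lookup(rules, key):
    """Unanchored search over the whole key, as the pcre: driver does."""
    for regex, action in rules:
        if regex.search(key):
            return action
    return None


def indexed_lookup(table, client_name, client_ip):
    """Emulate check_client_access on an indexed table: full hostname, then
    each parent domain, then the full IP, then shorter network prefixes."""
    labels = client_name.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def evaluate(client_name, client_ip, table=CLIENT_CHECKS, pcre_text=PCRE_TABLE):
    """Return the access action for one client, or 'DUNNO' when nothing
    matched. The whitelist is consulted first, so an OK there stops the
    pcre rejections from ever being reached, which is JD's ordering."""
    hit = indexed_lookup(table, client_name, client_ip)
    if hit is not None:
        return hit
    rules = parse_pcre_table(pcre_text)
    # The pcre table is matched against the hostname and the IP string
    # (regexp tables get no parent-domain or prefix stripping).
    for key in (client_name, client_ip):
        hit = pcre_lookup(rules, key)
        if hit is not None:
            return hit
    return "DUNNO"


if __name__ == "__main__":
    samples = [
        ("host-12-34-56-78.dynamic.example-isp.test", "198.51.100.7"),
        ("4.3-2-1.ripe.example-colo.test", "192.0.2.9"),  # mouss's false positive
        ("mx.example-partner.test", "203.0.113.10"),
        ("unknown", "198.51.100.8"),  # client with no usable reverse DNS
    ]
    for name, ip in samples:
        print("%-45s %-14s -> %s" % (name, ip, evaluate(name, ip)))
        if name.endswith("example-colo.test"):
            print("%-45s %-14s -> %s (without whitelist)"
                  % (name, ip, evaluate(name, ip, table={})))
```

Running it shows the colo name rejected by the DOT_DASH pattern until its domain is whitelisted, and the "unknown" client passing every pattern, which is why a separate reverse-DNS policy (with its DNS-failure delays) is a different decision from these rules.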
                                      • Robert Schetterer
                                        Message 19 of 20, Jan 2, 2008
                                          mouss schrieb:
                                          > Terry Carmen wrote:
                                          >>
                                          >> Bots are pretty easy to kill. You can refuse to talk to them by
                                          >> matching their reverse DNS against a regular expression.
                                          >>
                                          >
                                          > unfortunately, it's not that easy. rejecting them still consumes
                                          > resources. when your smtpd is rejecting zombies, it's busy doing that.
                                          > And if there are too many zombies sending you traffic, then that will
                                          > kill your connectivity, even if you firewall traffic at the IP level.
                                          >
                                          > all you can do is reduce their effects.
                                          >
                                          >> This has also been a huge help.
                                          >>
                                          >> There's just no reason to accept mail from a Dynamic IP
                                          >
                                          > The problem is how to detect that it is a dynamic IP. Regular
                                          > expressions have both False Negatives (there is no registry of every
                                          > possible format) and False Positives, like this:
                                          >
                                          > ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]
                                          >
                                          > This is from a colo host, which is not dynamic at all.
                                          >
                                          > an alternative is to reject mail from clients with generic rDNS (because
                                          > "they did not do efforts to have a meaningful rDNS"). This reduces the
                                          > false positives (by changing the goal, not by blocking different people!).
                                          >
                                          >
                                          >> or an IP with no reverse DNS,
                                          >
                                          > Be warned that in the case of DNS failures (which may be on your side),
                                          > you'll delay legitimate mail.
                                          >
                                          >
                                          >> [snip]

                                          Why not use fail2ban? It works like a charm here.

                                          --
                                          Best Regards

                                          Kind regards, Robert Schetterer

                                          Germany/Munich/Bavaria
                                        • Terry Carmen
                                          Message 20 of 20, Jan 2, 2008
                                            mouss wrote:
                                            >> or an IP with no reverse DNS,
                                            >
                                            > Be warned that in the case of DNS failures (which may be on your
                                            > side), you'll delay legitimate mail.
                                            I can live with that. As long as the protocol remains RFC compliant and
                                            the sender gets a meaningful reject or delay message, it's a manageable
                                            (and not very significant) problem.

                                            Terry