Distributed mailbombing on one address
\ Frank Bonnet (28 Mar 2008)
. \ Terry Carmen (28 Mar 2008)
. . \ Terry Carmen (28 Mar 2008)
. \ Jorey Bump (28 Mar 2008)
. . \ Frank Bonnet (28 Mar 2008)
. . . \ mouss (28 Mar 2008)
. . . . \ Kelvin Smith (28 Mar 2008)
. \ (Wietse Venema) (28 Mar 2008)

Subject: Re: Distributed mailbombing on one address
Group: Postfix-users
From: Kelvin Smith
Date: 28 Mar 2008


 
I have just had similar experience. This caused denial of service. I
ended up blocking the user so they would get 5.1.1 for any mail to the
user. Rejected 564000 messages in one week with no sign of slowing
down. Mailbomb came from all over the net and no way I could get it to
stop. Even though I was stopping after RCPT TO: header through checks, I
still couldn't get rid of the traffic. This was accounting upwards of
around 2GB of traffic a day and lots of unhappy users as the server was busy
attending to rejecting mail, not performing its normal function.

In the end, we offloaded our MX record to a mail washing host and now
they take care of the problem for us. Our services have now returned to
normal!

Kelvin

On Fri, 2008-03-28 at 20:20 +0100, mouss wrote:
> Frank Bonnet wrote:
> > Jorey Bump wrote:
> >> Frank Bonnet wrote, at 03/28/2008 10:17 AM:
> >>
> >>> The mailbox of a user here is literally mailbombed ( ~ 4 mails /
> >>> seconds )
> >>> I have checked into email syslog and it appears the attack seems
> >>> distributed
> >>> and comes from dozens of random servers ...
> >>>
> >>> I have setup a new account for the user but the attack still continues.
> >>>
> >>> For now I have aliased the attacked address to /dev/null but I wonder
> >>> what would be the most efficient (which generates the smallest load of
> >>> the server)
> >>> method to refuse/discard emails for this address ?
> >>
> >> This could be backscatter:
> >>
> >> http://www.postfix.org/BACKSCATTER_README.html
> >>
> >
> > Thank you for this link
> >
> > I think the problem would be elsewhere I've found a *lot* of references
> > to the qmail-send program in syslog from a growing number of servers.
> >
> > I have now modified the alias and redirect all emails to this address
> > on another isolated machine to analyse the log without disturbing our
> > mailhub.
> >
> > let's see where it comes from
>
> There's nothing to see. block the address at smtp time, as Wietse
> suggested. the logs will contain enough information, so there is no need
> to accept the messages.
> >
>
--
Kelvin Smith <kelvins>
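
The point made in the quoted replies, that the reject log lines already carry enough information without accepting the mail, as an added example (not part of the original thread): it tallies Postfix smtpd reject lines per recipient, counts distinct client IPs, and measures the share sent with the null sender `from=<>` that bounce messages (backscatter) use. The log lines are constructed samples and `summarize_rejects` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtpd reject format
# (hosts, addresses and timings are made up for illustration).
SAMPLE_LOG = """\
Mar 28 10:17:01 mx postfix/smtpd[4111]: connect from unknown[192.0.2.10]
Mar 28 10:17:01 mx postfix/smtpd[4111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <victim@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<victim@example.com> proto=ESMTP helo=<a.example.net>
Mar 28 10:17:01 mx postfix/smtpd[4112]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <victim@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<victim@example.com> proto=SMTP helo=<mail.example.org>
Mar 28 10:17:02 mx postfix/smtpd[4113]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 550 5.1.1 <victim@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<victim@example.com> proto=ESMTP helo=<x>
Mar 28 10:17:02 mx postfix/smtpd[4111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <victim@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<victim@example.com> proto=ESMTP helo=<a.example.net>
Mar 28 10:17:03 mx postfix/smtpd[4114]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <other@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<other@example.com> proto=ESMTP helo=<y>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def summarize_rejects(log_text):
    """Per rejected recipient: reject count, distinct clients, null-sender share."""
    stats = defaultdict(lambda: {"rejects": 0, "clients": set(), "null": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect and other non-reject lines
        s = stats[m["rcpt"].lower()]
        s["rejects"] += 1
        s["clients"].add(m["ip"])
        if m["sender"] == "":  # from=<> is the envelope sender of a bounce
            s["null"] += 1
    return {
        rcpt: {
            "rejects": s["rejects"],
            "distinct_clients": len(s["clients"]),
            "null_sender_share": s["null"] / s["rejects"],
        }
        for rcpt, s in stats.items()
    }

if __name__ == "__main__":
    for rcpt, row in summarize_rejects(SAMPLE_LOG).items():
        print(rcpt, row)
```

A high null-sender share spread over many distinct clients points toward bounces for forged mail, as in the backscatter suggestion above; a low share points toward mail addressed directly to the target.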


