Hi folks,
We are currently experiencing a heavy load on all our SMTP inbound servers since Saturday.
It is due to bounces coming from everywhere. Spammers using fake email addresses from domains for which we are the MX.
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
Do any of you experience the same problem?
Many of those bounces aren't real bounces, but spam messages with virus attachments.
We use Policyd (http://policyd.sourceforge.net/) with Postfix in front of the main mailserver (Plesk), and it offloads it significantly. Also the amount of spam has reduced dramatically.
We also use Policyd for rate throttling of broadband users, in order to limit their ability to send out spam through our server.
regards, stan
--- Rene Luria operator@infomaniak.ch wrote:
Hi folks,
We are currently experiencing a heavy load on all our SMTP inbound servers since Saturday.
It is due to bounces coming from everywhere. Spammers using fake email addresses from domains for which we are the MX.
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
Do any of you experience the same problem?
-- Rene Luria _______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
On Mon, Nov 27, 2006 at 05:58:03PM +0100, Rene Luria wrote:
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
Do any of you experience the same problem?
Yes, one of our client's domains got similarly pounded last week and back in October.
The problem was made worse by the fact that we had left the response code for a reject due to unknown recipient as 4xx, so naturally one of these emails resulted in many connection attempts if they came from a real mail server (as opposed to a zombie). At one point we were up to 500 connections per minute. The solution (in our case) was to set the response code to 5xx and accept the risk that mail will be rejected if the backend LDAP containing the mailbox names goes offline.
Things are much calmer now but the vast majority of the SMTP connection attempts are still for bogus usernames in this one domain.
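An added example, not part of the original post or thread: a small Python log summary that makes the effect described above visible, where a 4xx reply to an unknown recipient causes a real mail server to retry the same message. The log lines are constructed in Postfix smtpd style (an assumption; the poster does not name their MTA), and `summarize`, `_line` and the result field names are hypothetical.

```python
import re
from collections import Counter, defaultdict

def _line(ts, host, ip, code, rcpt, sender):
    # Builds one constructed reject line in Postfix smtpd log style.
    return (f"Nov 27 {ts} mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"{code} <{rcpt}>: Recipient address rejected: User unknown in local recipient "
            f"table; from=<{sender}> to=<{rcpt}> proto=ESMTP helo=<{host}>")

# Constructed sample: hosts, addresses and times are invented for illustration.
SAMPLE_LOG = "\n".join([
    _line("17:58:03", "relay.example.net", "192.0.2.10", "450 4.1.1", "bogus1@customer.example", ""),
    _line("18:13:04", "relay.example.net", "192.0.2.10", "450 4.1.1", "bogus1@customer.example", ""),
    _line("18:43:05", "relay.example.net", "192.0.2.10", "450 4.1.1", "bogus1@customer.example", ""),
    _line("18:44:10", "unknown", "198.51.100.7", "550 5.1.1", "bogus2@customer.example", "x@spam.example"),
    _line("18:44:11", "mail.example.org", "203.0.113.5", "550 5.1.1", "bogus3@other.example", ""),
    "Nov 27 18:45:00 mx1 postfix/smtpd[411]: disconnect from mail.example.org[203.0.113.5]",
])

REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) .*?"
    r"User unknown.*? from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def summarize(log_text):
    per_domain = defaultdict(Counter)  # recipient domain -> count per reply class
    tempfailed = Counter()             # (client ip, sender, recipient) -> 4xx count
    null_sender = 0                    # from=<> means the message is a bounce (DSN)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        reply_class = m["code"][0] + "xx"
        rcpt = m["rcpt"].lower()
        per_domain[rcpt.rpartition("@")[2]][reply_class] += 1
        if m["sender"] == "":
            null_sender += 1
        if reply_class == "4xx":
            tempfailed[(m["ip"], m["sender"], rcpt)] += 1
    # The same tuple temp-failed more than once is a sender retrying a message
    # that a 5xx reply would have ended on the first attempt.
    retried = {k: n for k, n in tempfailed.items() if n > 1}
    return {"per_domain": {d: dict(c) for d, c in per_domain.items()},
            "null_sender": null_sender, "retried": retried}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A large `retried` map for a single recipient domain is the sign that the unknown-recipient reply code is still temporary.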
Hi
The problem was made worse by the fact that we had left the response code for a reject due to unknown recipient as 4xx, so naturally one of these emails resulted in many connection attempts if they came from a real mail server (as opposed to a zombie). At one point we were up to 500 connections per minute. The solution (in our case) was to set the response code to 5xx and accept the risk that mail will be rejected if the backend LDAP containing the mailbox names goes offline.
What's really funny is when you set the MX of the domain to 127.0.0.1, so the mails bounce back to the postmaster of the offending server(s).
Daniel
On Mon, 2006-11-27 at 17:58 +0100, Rene Luria wrote:
It is due to bounces coming from everywhere. Spammers using fake email addresses from domains for which we are the MX.
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
I can confirm such behaviour, thus here it's not that heavy like the end of last year. Any catch-all is horrible in such cases.
In my opinion, this is tactically used to 'find' valid email addresses for later use. But no proof of that.
On Mon, 2006-11-27 at 18:45 +0100, Daniel Lorch wrote:
What's really funny is when you set the MX of the domain to 127.0.0.1, so the mails bounce back to the postmaster of the offending server(s).
Sure, you don't want to receive _any_ email? You will get rid of a lot of customers like that, Daniel.
You rather limit the connection per host simultaneously and - if possible - add more mx servers. Graylisting possibly helps as well.
Cheerz - Dan
On Monday 27 November 2006 20:43, Daniel Kamm wrote:
Graylisting possibly helps as well.
Graylisting screws up the system "E-Mail" and doesn't help if the other end is a regular mailserver (cracked useraccount...).
I think the only long-term reliable means to the solution of this problem remains the spameRassassin[tm] *rrrrrrrrr*. At least spammers should be enchained and be forced to eat up a printed copy of every single one of their emails. Repeaters have their fontsize doubled.
Michi
PS: Why do we still have publicly known spammers walking around freely regardless of the fact that they render email for all of us unusable and cause such tremendous expenses? Our politicians rather implement another revision of the URG... yes that eases my life a lot. (Any irony found in this text may be kept by the reader.)
Yes, same here. We had to blacklist several domains to keep our inbound clean.
Matthias Hertzog _________________________________________
mhs @ internet AG Zürcherstrasse 204, CH - 9014 St. Gallen Phone +41 71 274 93 93, Fax +41 71 274 93 94 http://www.mhs.ch _________________________________________
----- Original Message ----- From: "Rene Luria" operator@infomaniak.ch To: swinog@swinog.ch; swinog-antispam@lists.swinog.ch Sent: Monday, November 27, 2006 5:58 PM Subject: [swinog] smtp attacks
Hi folks,
We are currently experiencing a heavy load on all our SMTP inbound servers since Saturday.
It is due to bounces coming from everywhere. Spammers using fake email addresses from domains for which we are the MX.
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
Do any of you experience the same problem?
-- Rene Luria
Uhm, my private detected spam count is still average: 150 spam/24h which means 87% of total mails received. Also nothing special here.
This is not spam. To unsubscribe to this mail please reply with the words "shut up" in the subject, directly to me :-)
Daniele
Matthias Hertzog wrote:
Yes, same here. We had to blacklist several domains to keep our inbound clean.
Matthias Hertzog _________________________________________
mhs @ internet AG Zürcherstrasse 204, CH - 9014 St. Gallen Phone +41 71 274 93 93, Fax +41 71 274 93 94 http://www.mhs.ch _________________________________________
----- Original Message ----- From: "Rene Luria" operator@infomaniak.ch To: swinog@swinog.ch; swinog-antispam@lists.swinog.ch Sent: Monday, November 27, 2006 5:58 PM Subject: [swinog] smtp attacks
Hi folks,
We are currently experiencing a heavy load on all our SMTP inbound servers since Saturday.
It is due to bounces coming from everywhere. Spammers using fake email addresses from domains for which we are the MX.
The amount of such emails (which we almost all reject, user unknown, etc. because of the fake email addresses) is enormous compared to normal traffic (like 10 times what we have in general).
Do any of you experience the same problem?
-- Rene Luria