Zenon Panoussis writes:
For weeks on end now I am being subjected to what I could call a reverse
spam DDoS attack for lack of better term. Some asshole is sending out
zillions of messages to non-existent users at legitimate domains, using
clearly non-existent sender addresses @myhosteddomain. It seems he is
specifically targeting backup MXs and spam filtering services because
the messages are first accepted for transport, then bounced. The bounces
create a storm of connections to my MX, which in turn causes courier
(0.55.1) to choke and stop receiving mail at all.

Some DNS or ident query is probably stalling, and it takes a while for the
DNS query to time out. It's not refusing to receive mail any more, it's just
taking a long time for various DNS queries to time out.
Begin by adding "-noidentlookup -nodnslookup" to TCPDOPTS in the esmtpd
config file. Then, publish an SPF record for your domain. Finally, invest
some time in meticulously compiling a list of most frequent backscatter
source IPs, and blacklisting them.
With a published SPF record, there is no valid excuse for backscatter, so I
feel one is perfectly justified in blacklisting all sources of backscatter
bounce bombs. After nearly a year, I have over two thousand individual IP
addresses blacklisted. Not surprisingly, backscatter sources also happen to be
brisk spam sources, as well.
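The reply's third step, compiling a list of the most frequent backscatter source IPs, is the tedious one. The script below is an added example and is not code from the thread or from the Courier project; it tallies null-sender (from=<>) deliveries that were rejected with a 5xx code, grouped by connecting relay, and emits the sources above a threshold as blacklist candidates. The log line layout (one line per rejection carrying relay=, from= and the SMTP status) and the sample lines themselves are constructed for this example and have not been checked against a real Courier install, so adjust the awk patterns to whatever your esmtpd actually logs.

```shell
#!/bin/sh
# Added example (not from the courier-users thread): tally the most frequent
# backscatter sources from Courier esmtpd log lines so they can be reviewed
# for blacklisting, as the reply suggests.
#
# Assumed (constructed, not verified against a real Courier log format):
# each rejected delivery is one line containing "relay=<ip>", "from=<sender>"
# and the SMTP status. Backscatter shows up as null-sender bounces (from=<>)
# aimed at addresses that do not exist (550).

# Constructed sample log lines: three bounces from 203.0.113.5, two from
# 198.51.100.7, one from 192.0.2.9, plus two lines that must NOT count
# (a connection start line and a 550 with a real, non-null sender).
SAMPLE_LOG='Jan  1 10:00:01 mx courieresmtpd: started,ip=[::ffff:203.0.113.5]
Jan  1 10:00:01 mx courieresmtpd: error,relay=::ffff:203.0.113.5,from=<>,to=<ghost1@myhosteddomain>: 550 User <ghost1@myhosteddomain> unknown
Jan  1 10:00:02 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<>,to=<ghost2@myhosteddomain>: 550 User <ghost2@myhosteddomain> unknown
Jan  1 10:00:03 mx courieresmtpd: error,relay=::ffff:203.0.113.5,from=<>,to=<ghost3@myhosteddomain>: 550 User <ghost3@myhosteddomain> unknown
Jan  1 10:00:04 mx courieresmtpd: error,relay=::ffff:192.0.2.9,from=<>,to=<ghost4@myhosteddomain>: 550 User <ghost4@myhosteddomain> unknown
Jan  1 10:00:05 mx courieresmtpd: error,relay=::ffff:203.0.113.5,from=<>,to=<ghost5@myhosteddomain>: 550 User <ghost5@myhosteddomain> unknown
Jan  1 10:00:06 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<>,to=<ghost6@myhosteddomain>: 550 User <ghost6@myhosteddomain> unknown
Jan  1 10:00:07 mx courieresmtpd: error,relay=::ffff:203.0.113.77,from=<someone@example.org>,to=<ghost7@myhosteddomain>: 550 User <ghost7@myhosteddomain> unknown'

# Read log lines on stdin; print "count ip", most frequent first, for
# null-sender deliveries rejected with a 5xx status.
backscatter_sources() {
    awk '
        /from=<>/ && /: 5[0-9][0-9] / {
            if (match($0, /relay=[^,]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)   # drop "relay="
                sub(/^::ffff:/, "", ip)   # strip IPv4-mapped IPv6 prefix
                count[ip]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Read log lines on stdin; print one IP per line for sources at or above
# the given threshold (default 2), ready to paste into a blacklist.
blacklist_candidates() {
    threshold="${1:-2}"
    backscatter_sources | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run: show the tally, then the candidates, from the sample.
printf '%s\n' "$SAMPLE_LOG" | backscatter_sources
printf '%s\n' "$SAMPLE_LOG" | blacklist_candidates 2
```

On a live system you would feed `backscatter_sources` from the mail log (for example `grep courieresmtpd /var/log/mail.log | backscatter_sources | head`) over a window of days rather than from the embedded sample, and review the top entries by hand before adding them to the blacklist; a single bounce from a host is not evidence of anything, which is what the threshold is for.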