On Tuesday, 23 October 2007 00:36:52, Sam Varshavchik wrote:
Zenon Panoussis writes:
For weeks on end now I am being subjected to what I could call a reverse
spam DDoS attack, for lack of a better term. Some asshole is sending out
zillions of messages to non-existent users at legitimate domains, using
clearly non-existent sender addresses @myhosteddomain. It seems he is
specifically targeting backup MXs and spam filtering services because
the messages are first accepted for transport, then bounced. The bounces
create a storm of connections to my MX, which in turn causes courier
(0.55.1) to choke and stop receiving mail at all.
Some DNS or ident query is probably stalling, and it takes a while for the
DNS query to time out. It's not refusing to receive mail any more, it's
just taking a long time for various DNS queries to time out.
Begin by adding "-noidentlookup -nodnslookup" to TCPDOPTS in the esmtpd
config file. Then, publish an SPF record for your domain. Finally, invest
some time in meticulously compiling a list of most frequent backscatter
source IPs, and blacklisting them.
I had the problem described by Sam. Just run telnet on your smtp port and
see how long it takes until a connection comes up.
BTW: better courier stops receiving mail at all than courier stops your server
at all ;-) And I think you won't lose any mail. The MTAs which wanted to
send you some data will come back.
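As an added example (my own, not code from anyone in this thread), here are the two checks discussed above in shell: timing the SMTP greeting the way the "telnet to port 25" test does, and tallying the most frequent backscatter sources from courier's esmtpd log so they can be blacklisted. The log line layout (error,relay=...,from=<>,to=...) and the smtpaccess "ip<TAB>deny" format are assumptions drawn from memory, not from the thread, and the sample log lines are constructed; check both against your own installation before relying on the output.

```shell
#!/bin/bash
# Added example, not part of the original thread. Two helpers for a
# backscatter storm against a courier MX: a banner-delay check and a
# per-source tally of null-sender bounces to unknown users.

# Time how long the SMTP greeting takes to arrive. A healthy MTA answers in
# well under a second; a delay of many seconds points at stalled DNS or ident
# lookups on the server side. Uses bash's /dev/tcp, so this needs bash.
smtp_banner_delay() {
    host=$1 port=${2:-25} timeout=${3:-30}
    start=$(date +%s)
    if IFS= read -r -t "$timeout" banner <>"/dev/tcp/$host/$port"; then
        printf '%s: %d s to banner: %s\n' "$host" "$(( $(date +%s) - start ))" "$banner"
    else
        printf '%s: no banner within %s s (stalled lookups?)\n' "$host" "$timeout" >&2
        return 1
    fi
}

# Constructed sample of courier esmtpd log lines, syslog prefix stripped.
# The "error,relay=<ip>,from=<>,to=<rcpt>: <reply>" layout is an assumption.
SAMPLE_LOG=$(cat <<'EOF'
courieresmtpd: started,ip=[::ffff:192.0.2.10]
courieresmtpd: error,relay=::ffff:192.0.2.10,from=<>,to=<qx7a@myhosteddomain>: 550 User unknown.
courieresmtpd: started,ip=[::ffff:192.0.2.10]
courieresmtpd: error,relay=::ffff:192.0.2.10,from=<>,to=<p0u2@myhosteddomain>: 550 User unknown.
courieresmtpd: started,ip=[::ffff:198.51.100.7]
courieresmtpd: error,relay=::ffff:198.51.100.7,from=<>,to=<k91z@myhosteddomain>: 550 User unknown.
courieresmtpd: started,ip=[::ffff:203.0.113.5]
courieresmtpd: error,relay=::ffff:203.0.113.5,from=<alice@example.org>,to=<bob@myhosteddomain>: 517 Sender domain must exist.
courieresmtpd: error,relay=::ffff:192.0.2.10,from=<>,to=<zz1@myhosteddomain>: 550 User unknown.
EOF
)

# Read log lines from stdin; count rejected deliveries with a null sender
# (MAIL FROM:<>, i.e. bounces) per source IP; print "count ip" for every
# source with at least $1 hits, most frequent first.
backscatter_sources() {
    min=${1:-2}
    awk -v min="$min" '
        /error,relay=/ && /,from=<>,/ {
            split($0, f, ",")
            for (i in f) if (f[i] ~ /^relay=/) {
                ip = substr(f[i], 7)          # drop "relay="
                sub(/^::ffff:/, "", ip)       # drop IPv4-mapped prefix
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Turn the tally into courier smtpaccess entries ("ip<TAB>deny"; format
# assumed, run makesmtpaccess afterwards). Review the list by hand first:
# your own backup MX or a legitimate bounce source can show up here too.
smtpaccess_deny() {
    while read -r count ip; do
        printf '%s\tdeny\n' "$ip"
    done
}

# Demo on the constructed sample. Against a real server:
#   backscatter_sources 50 < /var/log/mail.log | smtpaccess_deny
printf '%s\n' "$SAMPLE_LOG" | backscatter_sources 2
```

The threshold matters: with the sample above only 192.0.2.10 (three bounces) clears a minimum of 2, while 198.51.100.7 appears once and the non-bounce rejection from 203.0.113.5 is ignored entirely, because the filter keys on the empty envelope sender rather than on the reply code.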