 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
12 messages in net.sourceforge.lists.courier-usersRe: [courier-users] SPAMmers using mu...| From | Sent On | Attachments |
|---|---|---|
| Steve Jacobson | Aug 26, 2005 10:51 pm | |
| Gordon Messmer | Aug 26, 2005 11:50 pm | |
| Sander Holthaus - Orange XL | Aug 27, 2005 3:03 am | |
| Sam Varshavchik | Aug 27, 2005 4:21 am | |
| Robert Penz | Aug 27, 2005 4:27 am | |
| Michelle Konzack | Aug 27, 2005 4:46 am | |
| Sander Holthaus - Orange XL | Aug 27, 2005 4:56 am | |
| Sander Holthaus - Orange XL | Aug 27, 2005 5:01 am | |
| Robert Penz | Aug 27, 2005 5:42 am | |
| Jay Lee | Aug 27, 2005 7:57 pm | |
| Scott | Sep 1, 2005 1:30 pm | |
| Sam Varshavchik | Sep 1, 2005 3:58 pm |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | Re: [courier-users] SPAMmers using multiple IPs | Actions... |
|---|---|---|
| From: | Gordon Messmer (yiny...@eburg.com) | |
| Date: | Aug 26, 2005 11:50:10 pm | |
| List: | net.sourceforge.lists.courier-users | |
Steve Jacobson wrote:
Well, I finally figured out why tarpitting isn't deterring the SPAMmers hitting my server. Every request appears to come from a different IP. Over 3000 just today. This is why we need Greylisting in courier.
Why would greylisting work? All it's going to do is defer messages if the ip/sender/recipient triplet is new, and (IIRC) invoke tarpitting.
Let me ask you this.... Are you using any RBLs? I find that "relays.ordb.org" is highly effective in dropping traffic from infected windows hosts.
I use the following RBLs with only a few (single digit) whitelist requests in the last /year/.
BLACKLISTS="-block=relays.ordb.org,BLOCK,'Message rejected - see
http://www.ordb.org/faq/' \
-block=list.dsbl.org,BLOCK,'Message rejected - see
http://www.dsbl.org/faq' \
-block=dnsbl.njabl.org,BLOCK,'Message rejected - see
http://www.njabl.org/faq.html' \
-block=dnsbl.sorbs.net,BLOCK,'Message rejected - see
http://www.dnsbl.us.sorbs.net/FAQ.html'"
This has gotten bad to the point of making courier unusable - the spammers are hitting up to the MAX connections, and no courier feature slows them down. My users can't send mail, because any new threads I make available are taken up by the spammers.
Any thoughts?
You can suggest that your users configure their mail clients to use port 587 instead of 25.
If you're using Linux, you can also rate limit incoming connections on port 25. I use these rules to always accept connections from private networks, but limit connections from the public internet to 10/second. You can decide on a rate that you think is acceptable. If you use the rule that's commented out, you'll get a message in your system logs whenever a connection is dropped.
iptables -A INPUT -p tcp --destination-port 25 --syn -i eth0 -s 192.168.0.0/16
-j ACCEPT
iptables -A INPUT -p tcp --destination-port 25 --syn -i eth0 -s 172.16.0.0/12 -j
ACCEPT
iptables -A INPUT -p tcp --destination-port 25 --syn -i eth0 -m limit --limit
10/second --limit-burst 10 -j ACCEPT
# iptables -A INPUT -p tcp --destination-port 25 --syn -i eth0 -j LOG
--log-level info --log-prefix "SMTP SYN THROTTLE "
iptables -A INPUT -p tcp --destination-port 25 --syn -i eth0 -j DROP