Re: How To deal with DDOS spam bounce attack

To: post_office@xxxxxxxxxxxxxxx
Subject: Re: How To deal with DDOS spam bounce attack
From: Elton <ehd@xxxxxxxxxxx>
Date: Tue, 27 Jan 2004 10:24:10 -0600
I am concerned that my original filter was part of the problem we saw this weekend with PO slowing the machine to a crawl and SMTP-Accepts stacking.

I'm not sure about DDOS attacks, but I run only three RBLs and the SpamAssassin filter; filtering is very good (about 4300/day), false positives are non-existent, and overhead is "nil" with several other processes (PO, Apache, OpenBase, MySQL, Qilan) running. The CPU averages 98-99% idle.


Note: On my PO box the IMAP server will use more resources than SMTP-Accept. There is an issue where the IMAP server will suck up 300-400 MB of real RAM when accessed by only one IMAP client; it will hold that RAM until the client quits. I have reported this to Tenon.


Elton


On Jan 27, 2004, at 9:47 AM, DC wrote:

Hi All,

We are experiencing a distributed denial of service (DDOS) attack
implemented via bounce messages. Some odious, greasy, hades-bound,
bottom-feeding outcast has decided to use one of our domain names as the
spoof source for the From: field of their spam messages. The scoundrel
generates thousands of messages, and those which don't make it to their
intended victim (for whatever reason) are bounced to our machine.

I had to disable all the filters this weekend so that PO could keep up with
the volume of bounces that are being sent to our machine. (G4, 450MHz, 512,
10.2.8)

The attack really amped up this Friday from about 60/day to about 4000/day.
I had a filter that Discarded all messages sent to that domain except for
the two valid users. I can't use PO's built-in "only accept mail for valid
users" because it is global across all domains and we need wildcard
functionality on the other domains.

My questions are:

What is the most efficient way to deal with the bounce messages? I am
concerned that my original filter was part of the problem we saw this
weekend with PO slowing the machine to a crawl and SMTP-Accepts stacking.

As I understand it, a filter with a Discard checkbox (like the one I had)
tells the SMTP machine sending the filtered message: "Transactions
prohibited between these computers". Now, is that SMTP transaction more
efficient or less efficient than simply accepting this torrent of bounces
and dealing with them with a filter that shunts them to an auto-delete
account?


Thanks for any insight or pity! dan

---------
Tenon Intersystems' Post.Office Mailing List
To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
with the body only containing:
unsubscribe
Find the searchable mailing list archives at:
http://postoffice.computeroil.com/
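An added illustration, not code from Post.Office or from either poster, of the policy Dan describes: one domain with an explicit list of valid users and every other hosted domain accepted with a wildcard, with the decision made at RCPT TO time so that a bounce to a non-existent user is refused before the DATA phase. The domain names, user list and log-line format are constructed for the example; the second function applies the same policy to a few constructed log lines to show how the rate of refused null-sender bounces per day could be tracked.

```python
"""Per-domain recipient validation decided at RCPT TO, plus a bounce tally.

Constructed example; assumes a hypothetical 'example.org' with two valid users
and a hypothetical 'example.net' accepted with a wildcard.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

NULL_SENDER = "<>"  # bounces (DSNs) arrive with an empty reverse path: MAIL FROM:<>


@dataclass(frozen=True)
class DomainPolicy:
    valid_users: frozenset[str] | None  # None means "accept any local part"


# Assumed policy table (not a Post.Office configuration format).
POLICY = {
    "example.org": DomainPolicy(frozenset({"dan", "elton"})),  # strict list
    "example.net": DomainPolicy(None),                          # wildcard
}


def rcpt_decision(mail_from: str, rcpt_to: str) -> tuple[int, str]:
    """Return the SMTP reply (code, text) to send for one RCPT TO command."""
    local, sep, domain = rcpt_to.lower().partition("@")
    if not sep or not local or not domain:
        return 501, "5.1.3 Bad recipient address syntax"
    policy = POLICY.get(domain)
    if policy is None:
        # Not one of our domains: never relay, regardless of sender.
        return 550, "5.7.1 Relaying denied"
    if policy.valid_users is None or local in policy.valid_users:
        return 250, "2.1.5 Recipient OK"
    # Unknown user in a strictly listed domain: refuse now, so the remote
    # server never gets to transfer the message body (no DATA phase).
    return 550, "5.1.1 User unknown"


# Constructed log format: "<Mon> <day> <time> <process>: from=<...> to=<...>"
LOG_LINE = re.compile(
    r"^(?P<day>\w{3} \d{1,2}) \S+ \S+ from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)


def backscatter_by_day(log_text: str) -> dict[str, int]:
    """Count, per day, null-sender (bounce) recipients the policy would refuse."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sender = m["sender"] or NULL_SENDER
        if sender != NULL_SENDER:
            continue  # only bounces are of interest here
        code, _ = rcpt_decision(sender, m["rcpt"])
        if code == 550:
            counts[m["day"]] += 1
    return dict(counts)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Jan 23 08:12:01 smtp-accept: from=<> to=<dan@example.org>
Jan 23 08:12:05 smtp-accept: from=<> to=<qx81z@example.org>
Jan 23 08:12:09 smtp-accept: from=<bob@example.com> to=<sales@example.net>
Jan 24 02:00:11 smtp-accept: from=<> to=<a7b@example.org>
Jan 24 02:00:12 smtp-accept: from=<> to=<k9@example.org>
Jan 24 02:00:13 smtp-accept: from=<> to=<elton@example.org>
"""

if __name__ == "__main__":
    print(rcpt_decision("<>", "nobody@example.org"))      # (550, '5.1.1 User unknown')
    print(rcpt_decision("<>", "anyone@example.net"))      # (250, '2.1.5 Recipient OK')
    print(backscatter_by_day(SAMPLE_LOG))                 # {'Jan 23': 1, 'Jan 24': 2}
```

A 550 reply at RCPT TO ends the transaction before the remote server sends the message body, so the server only spends a connection and a few command round-trips on each refused bounce, whereas accepting and then discarding means receiving and storing every body first. The per-day tally is the same check run over the log after the fact, which is enough to see a jump of the kind Dan describes.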
