Pablo Alsina wrote:
Hi, we have been having some problems lately with our installation. We are using Sendmail+clamav-milter+clamd as our antivirus solution, on Red Hat Linux with a 2.4.21 kernel (RH9).
This is somewhat outdated. Might I recommend you use the newer Fedora Cores or switch to an always-current distribution such as Debian Testing?
We added a sort of tarpitting solution to our sendmail in order to stop people from scanning our user base. What this means is that responses to SMTP "rcpt to" get delayed when the envelope user is unknown. The more you miss, the more you get delayed (it's exponential). So what happens is that some SMTP clients may have to wait up to 15 minutes for a response from Sendmail if they miss too many recipients.
<snip>

I can't help thinking that this is a bad idea, as the cost you pay in overhead is far greater than the cost to the attacker. You have all these sendmail processes hanging around and all those milter threads. To DOS your box, all I have to do is open a few hundred connections to it and try to send email to a few dozen fake users. If that does not do it, I can simply open a few hundred more. Cheap for me, expensive for you.

I would recommend a different approach, using this patch:

http://www.jmaimon.com/sendmail/patches/badrcpt_shutdown.v1.81301.patch
http://www.jmaimon.com/sendmail/#badrcptshutdown

This patch terminates connections that have a (configurable) high ratio of bad user attempts. This feature is compatible with sendmail's delaying feature, so you can delay the connection for the first X bad users and shut down the connection after Y bad users. Use that with sendmail rate-limiting. In this day and age all MTAs need to implement some kind of rate-limiting; otherwise all it takes is a few aggressive MTAs out there and a joe job to put you out of business.

I have been using this setup for quite some time. Works fine and dandy.

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
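To make the trade-off in this thread concrete, here is an added model (not code from sendmail, clamav-milter or the badrcpt_shutdown patch) of the two per-connection RCPT TO policies discussed above: the exponential tarpit from the original question, and a delay-then-shutdown policy that rejects the first X unknown recipients outright, delays later ones, and closes the connection once Y bad recipients and a bad/total ratio are exceeded. The user list, the probe sequence, the parameter names (`delay_after`, `shutdown_after`, `max_bad_ratio`) and the 1-second fixed delay are all constructed for this example; the 15-minute cap is the figure the original poster gave. The point it shows is the one the reply makes: server time held per connection grows exponentially under the tarpit and stays bounded under the shutdown policy, while the probe gets cut off earlier.

```python
from dataclasses import dataclass, field

# Constructed data: a small user base and a recipient-guessing probe against it.
KNOWN_USERS = {"alice", "bob", "postmaster"}
PROBE = ["alice", "aaron", "abby", "adam", "bob", "alan", "alex", "amy", "andy", "anna"]


@dataclass
class Session:
    """Per-connection state an MTA would keep for RCPT TO policy decisions."""
    total: int = 0              # RCPT TO commands seen on this connection
    bad: int = 0                # of which named unknown users
    held_seconds: float = 0.0   # cumulative time the server held the connection
    dropped: bool = False
    replies: list = field(default_factory=list)


def tarpit_policy(s: Session, known: bool):
    """Exponential tarpit as described in the question: each unknown recipient
    doubles the delay (1s, 2s, 4s, ...), capped at 15 minutes; the connection
    is never closed by the server."""
    if known:
        return "250 accept", 0.0
    return "550 unknown", min(2.0 ** (s.bad - 1), 900.0)


def shutdown_policy(s: Session, known: bool, *, delay_after=2, shutdown_after=5,
                    max_bad_ratio=0.5):
    """Delay-then-shutdown (hypothetical parameters, not the patch's option names):
    reject the first `delay_after` unknown users immediately, delay later ones by
    a fixed second, and drop the connection once `shutdown_after` bad recipients
    have been seen and bad/total exceeds `max_bad_ratio`."""
    if known:
        return "250 accept", 0.0
    if s.bad >= shutdown_after and s.bad / s.total > max_bad_ratio:
        return "421 closing", 0.0
    return "550 unknown", 1.0 if s.bad > delay_after else 0.0


def run_session(recipients, policy) -> Session:
    """Feed one connection's RCPT TO sequence through a policy and tally the cost."""
    s = Session()
    for user in recipients:
        known = user in KNOWN_USERS
        s.total += 1
        if not known:
            s.bad += 1
        reply, delay = policy(s, known)
        s.held_seconds += delay
        s.replies.append((user, reply, delay))
        if reply.startswith("421"):
            s.dropped = True
            break
    return s


def server_seconds(recipients, policy, connections):
    """Total server time consumed if `connections` parallel clients each run the probe."""
    return run_session(recipients, policy).held_seconds * connections


if __name__ == "__main__":
    for name, policy in (("tarpit", tarpit_policy), ("shutdown", shutdown_policy)):
        s = run_session(PROBE, policy)
        print(f"{name}: {s.total} RCPTs seen, {s.bad} bad, held {s.held_seconds:.0f}s, "
              f"dropped={s.dropped}; 100 parallel probes cost "
              f"{server_seconds(PROBE, policy, 100):.0f} server-seconds")
```

With the constructed probe, the tarpit answers all ten recipients and holds the connection for 255 seconds (a longer probe quickly reaches the 900-second cap per reply), so a hundred parallel probes tie up over seven server-hours of connection time. The shutdown policy holds the connection for two seconds and closes it on the fifth unknown recipient, before the probe has finished enumerating.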