This issue happened with us. Your ONLY solution is to try and co-locate a server upstream from your site, run a NIX based server (I am a Windows guy, I'm not evangelising, it's just that Windows apps are (mostly??) all based on the IIS SMTP mail sink, and have to accept the ENTIRE message before being able to filter its content.. Useless..)
You want to attempt to identify the spam by its content as early in the transfer as possible. For us, we did it by creating a list of valid email addresses, and rejecting EVERYTHING else. We also tried, but weren't overly successful with, basic content filtering using Sendmail. The result: instead of receiving a 7kb spam undeliverable, we received a few hundred bytes of the header data until we got to the MAIL TO:[EMAIL PROTECTED], detected it as an invalid incoming message and dropped it immediately. This way, we limited the exposure, we stopped the cost from bearing on us, and we also stopped the link saturation.

We also tried Snort with on-the-fly PIX rules, but this is unworkable as the number of hosts causes the PIX to take longer to apply the ACLs than is workable. The theory was great, mind you. Pity SMTP is designed to try and get around an uncontactable mail server and just passed the message to our backup MX (hosted offsite for redundancy).

Do NOT accept that it will go away in a few days. Our issue lasted over 2 months. Solid. (We logged 2Gb of data in the first few hours of the problem occurring. Filled the disks on our Exchange mail server after another few hours; despite the Network Associates Webshield system being able to handle the deluge, Exchange just didn't cope! I still have a screenshot of the number of messages we received during the busiest hour, which was well over the tens of thousands... (at 7k per message average). Our logfiles had to be cleaned almost daily to reduce the amount of disk space consumed by logs alone.)

This is one of the most unbelievably effective DOS attacks, because almost all SMTP servers are already willing 'zombies' waiting to attack a host, and the SMTP protocol was designed to not give up easily. So, a single message can retry a number of times, multiplied by the number of hosts trying to send email, and it's pretty obvious how damaging this can be.. I truly feel for your situation.
Regards,
Greg

-----Original Message-----
From: Peter Billson [mailto:[EMAIL PROTECTED]]
Sent: Friday, 31 January 2003 5:33 AM
To: Pulu 'Anau
Cc: [EMAIL PROTECTED]
Subject: Re: Denial of Service via UCE

Pulu,

You may want to ask someone with a fatter pipe to act as your MX where they can bit-bucket the UCE then forward on the good stuff to you.

Pete
--
http://www.elbnet.com
ELB Internet Service, Inc.
Web Design, Computer Consulting, Internet Hosting

Pulu 'Anau wrote:
>
> Hi, this is not particularly a Debian-related question but this is the
> most knowledgeable list that I track, and I hope someone here might have a
> "miracle answer" that we can't think of.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
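Greg's approach of rejecting unknown recipients at the envelope stage, so the undeliverable's body is never transferred, as an added example that is not code from anyone in this thread: a toy receiving-MTA state machine in Python that answers 550 at RCPT TO for addresses outside a valid list and refuses DATA when no recipient was accepted. The hostnames, addresses and the 7 KB bounce body are constructed.

```python
# Added example: toy receiving-MTA state machine that rejects unknown
# recipients at RCPT TO; addresses and hostnames are constructed.
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}

def smtp_session(client_lines, valid=VALID_RECIPIENTS):
    """Server side of an SMTP dialogue over CRLF-stripped client lines.
    Returns (replies, bytes_read, delivered); bytes_read is what the server accepted."""
    replies = ["220 mx.example.org ESMTP"]
    bytes_read, rcpts, body = 0, [], []
    in_data = delivered = False
    for line in client_lines:
        bytes_read += len(line) + 2          # +2 for the CRLF terminator
        if in_data:
            if line == ".":                  # end of message body
                in_data, delivered = False, True
                replies.append("250 OK: queued")
            else:                            # undo SMTP dot-stuffing
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.org")
        elif verb == "MAIL":                 # bounces arrive as MAIL FROM:<>
            replies.append("250 OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>").lower()
            if addr in valid:
                rcpts.append(addr)
                replies.append("250 OK")
            else:                            # permanent reject, envelope stage
                replies.append("550 5.1.1 no such user")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:                            # nothing accepted: refuse the body
                replies.append("503 5.5.1 no valid recipients")
                break                        # and stop reading from this client
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
    return replies, bytes_read, delivered

def bounce_session(rcpt, body_lines):
    """Constructed client transcript of a null-sender bounce to one recipient."""
    return ["EHLO relay.example.net", "MAIL FROM:<>", f"RCPT TO:<{rcpt}>",
            "DATA", *body_lines, ".", "QUIT"]
```

Feeding a 7 KB bounce addressed to a bogus user through `smtp_session` costs the server well under 200 bytes of envelope, while the same bounce to a listed user is read in full.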