On 26 September 2007, RW <[EMAIL PROTECTED]> wrote:
> On Tue, 25 Sep 2007 14:14:46 +0300, Liviu Daia wrote:
>
> >On 25 September 2007, RW <[EMAIL PROTECTED]> wrote:
> >[...]
> >> My defence was to write a couple of scripts. One parsed the output
> >> of spamdb looking for GREY with sender <> and then tested the
> >> intended recipient against the postfix valid mailbox database.
> >[...]
> >
> > With Postfix you can use anvil(8) to control concurrency.
> >
>
> Yep, you could. BUT
> 1- why let it get to postfix? This is crap that spamd can deal with,
> with a bit of scripting help for extra functionality.
>
> 2- What concurrency?
> We had a mailstorm of backscatter from hundreds of IPs each trying to
> send one or two messages. We had over a thousand IPs marked TRAPPED in
> spamdb at one time.

What I've been seeing here the last few weeks is somewhat different: robots trying to determine how many connections I'll accept concurrently. Left alone they can get to 100+ connection attempts per second from the same IP, they go on until I'm running out of resources and start delaying the accept(2). When that happens, only one or two of these connections are subsequently used to try to send the crap, the rest are closed immediately. Limiting concurrency at SMTP level seems to actually reduce the number of bots that try that (presumably the information that my site is way too uninteresting is propagated across the bot net).

This has nothing to do with backscatter, but FWIW, backscatter alone has never been a real problem with Postfix until recently. Resource exhaustion because of insane concurrency as I described can be, and anvil(8) is a first attempt at a solution (it's not THE solution because it also hurts legitimate sites like Yahoo).

> Postfix would just be rejecting them and filling its logs.

Oh come on, these days you're probably rejecting > 95% of messages anyway. :)

> As far as I'm concerned filling the logs of mailservers that are
> backscatter generators is A Good Thing.

Unfortunately the people in charge of these servers either don't have a clue, or don't care.

Regards,

Liviu Daia

--
Dr. Liviu Daia http://www.imar.ro/~daia
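The spamdb check RW describes in the quoted text, sketched here as an added example; it is not RW's script and not part of the original thread. It assumes spamdb(8) GREY lines laid out as `GREY|ip|helo|from|to|first|pass|expire|block|pass` and a plain-text list of valid recipients, one per line (a hypothetical export of the Postfix mailbox map); the function names and sample data are constructed.

```shell
#!/bin/sh
# Constructed spamdb(8) output; IPs and domains are documentation values.
sample_spamdb() {
cat <<'EOF'
GREY|192.0.2.10|mx.example.net|<>|<nosuchuser@example.org>|1190800000|1190801500|1190814400|2|0
GREY|198.51.100.4|relay.example.com|<>|<Alice@example.org>|1190800100|1190801600|1190814500|1|0
GREY|203.0.113.7|host.example.net|<>|<old.alias@example.org>|1190800200|1190801700|1190814600|1|0
GREY|198.51.100.9|mail.example.com|<bob@example.com>|<nosuchuser@example.org>|1190800300|1190801800|1190814700|1|0
WHITE|192.0.2.55|||1190700000|1190701500|1193800000|0|3
TRAPPED|192.0.2.99|1190886400
EOF
}

# Constructed valid-recipient list (assumed format: one address per line).
sample_valid() {
    printf '%s\n' 'alice@example.org' 'postmaster@example.org'
}

# find_bogus_bounces VALID_FILE < spamdb-output   (hypothetical helper)
# Prints "ip recipient" for every GREY tuple with the null sender <>
# whose recipient is not in VALID_FILE, i.e. backscatter to a bogus mailbox.
find_bogus_bounces() {
    # Refuse to run without the list: otherwise every bounce looks bogus.
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -F'|' -v vfile="$1" '
        BEGIN {
            while ((getline line < vfile) > 0)
                if (line != "") valid[tolower(line)] = 1
        }
        # Skip WHITE/TRAPPED/SPAMTRAP records and short GREY lines.
        $1 != "GREY" || NF < 9 { next }
        {
            # Fields counted from the end, so a record without the
            # helo field also parses.
            from = $(NF - 6); rcpt = tolower($(NF - 5))
            if (from != "<>") next          # only null-sender bounces
            gsub(/^<|>$/, "", rcpt)         # strip angle brackets
            if (!(rcpt in valid)) print $2, rcpt
        }
    '
}

# Demo on the constructed data; on a live host: spamdb | find_bogus_bounces FILE
tmp=$(mktemp) || exit 1
sample_valid > "$tmp"
sample_spamdb | find_bogus_bounces "$tmp"
rm -f "$tmp"
```

What to do with the reported addresses (for instance, how long to keep them blocked) is left to the operator; the sketch only identifies them.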