On Fri, Oct 26, 2012 at 10:46:40PM -0500, Stan Hoeppner wrote:
> On 10/26/2012 6:16 PM, John Baker wrote:
> > I just wondered if anyone can give me any suggestions on how to
> > improve this situation. I have been getting slammed by a bot net
> > mostly for accounts that don't actually exist since late morning.
> > Almost all the messages are being rejected by postfix or
> > greylisting but at the same time it's resulted in hundreds of
> > Temporary lookup failures. I use ldap lookups in
> > virtual_alias_maps to do some mail routing. As best I can tell my
> > ldap servers can't move fast enough for the volume so I end up
> > with a bunch of error messages like this coming to postmaster:
> >
> > Out: 250 2.1.0 Ok
> > In: RCPT TO:<+._-gmatto...@marlboro.edu>
> > Out: 451 4.3.0 <+._-gmatto...@marlboro.edu>: Temporary lookup failure
> > In: RSET
> > Out: 250 2.0.0 Ok
> > In: MAIL FROM:<> SIZE=7377

Hmmm. Looks like backscatter.

> > Out: 250 2.1.0 Ok
> > In: RCPT TO:<+._-gmatto...@marlboro.edu>
> > Out: 450 4.7.1 <+._-gmatto...@marlboro.edu>: Recipient address rejected:
> > Policy Rejection- Abuse. Go away.
> > In: RSET
> > Out: 250 2.0.0 Ok
> > In: MAIL FROM:<> SIZE=7380
> > Out: 250 2.1.0 Ok
> > In: RCPT TO:<+._-gmatto...@marlboro.edu>
> > Out: 450 4.7.1 <+._-gmatto...@marlboro.edu>: Recipient address rejected:
> > Policy Rejection- Abuse. Go away.
> > In: QUIT
> > Out: 221 2.0.0 Bye
> >
> > I'm also getting a bunch that just time out and have to resend.
> >
> > Is there anything I can do to alleviate the load on my ldap
> > server? It's coming from so many IPs it's not going to do any
> > good to just start firewalling.
>
> Configure Postscreen
> http://www.postfix.org/postscreen.8.html
>
> It drops bots before user lookup. Very effective. Requires
> Postfix 2.8 or later.

Yes, *if* these really are bots. I bet they're not. It looks like a
backscatter / sender verification attack, as if these addresses were
used as sender addresses in a spam run.

I would recommend that John consider a check_sender_access lookup of
the null sender, and therein apply ips.backscatterers.org or other
backscatter DNSBL[s], but that entails a slight risk of loss of real
mail (sometimes a backscatter source might have a real bounce to
deliver), and it won't help with the load on the LDAP server.

If all the rejected recipient addresses follow some kind of pattern,
maybe a PCRE lookup can help.

We don't know enough about it to suggest anything more.
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
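The two suggestions in the reply above (a check_sender_access lookup of the null sender that applies a backscatter DNSBL, and a PCRE lookup on the recipient pattern), written out as Postfix configuration. This is an added example, not configuration from anyone in the thread; the file paths are arbitrary, and the PCRE pattern is a hypothetical guess built from the single truncated sample address in the transcript, so it must be replaced with whatever pattern the real rejected recipients actually share.

```text
# main.cf fragment (added example, not from the thread).
# Both cheap checks sit ahead of reject_unauth_destination so that a
# client listed on the backscatter DNSBL, or a recipient matching the
# junk pattern, is rejected before the later recipient checks run.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/null_sender_access,
    check_recipient_access pcre:/etc/postfix/junk_recipients.pcre,
    reject_unauth_destination

# /etc/postfix/null_sender_access  (run "postmap /etc/postfix/null_sender_access" after editing)
# "<>" is the key Postfix uses when looking up the null sender in an
# access table (smtpd_null_access_lookup_key). The result is a
# restriction name, so the DNSBL is consulted only for MAIL FROM:<>,
# i.e. bounce-style mail, not for ordinary senders.
<>    reject_rbl_client ips.backscatterers.org

# /etc/postfix/junk_recipients.pcre  (pcre tables need no postmap)
# Hypothetical pattern: leading "+._-" as in +._-gmatto...@marlboro.edu.
# Replace with the pattern the real rejected addresses share.
/^\+\._-/    REJECT Recipient address rejected: Policy Rejection- Abuse. Go away.
```

The DNSBL rule only fires for clients the list currently carries, and, as the reply notes, a listed host occasionally has a genuine bounce to deliver, so the loss is real but small. The PCRE rule answers with a permanent 550 REJECT; the transcript shows a 450 (temporary) rejection from the existing policy, so the reply code changes if this rule is used as written.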