On Sat, Oct 27, 2012 at 12:17:43AM -0500, I wrote:
> On Fri, Oct 26, 2012 at 10:46:40PM -0500, Stan Hoeppner wrote:
> > On 10/26/2012 6:16 PM, John Baker wrote:
> > > Is there anything I can do to alleviate the load on my ldap
> > > server? It's coming from so many IPs it's not going to do
> > > any good to just start firewalling.
> > 
> > Configure Postscreen
> > http://www.postfix.org/postscreen.8.html
> > 
> > It drops bots before user lookup.  Very effective.  Requires 
> > Postfix 2.8 or later.
> 
> Yes, *if* these really are bots. I bet they're not. It looks like
> a backscatter / sender verification attack, as if these addresses 
> were used as sender addresses in a spam run.

Most backscatter sources are "legitimate" MTAs. Many have FCrDNS. 
They'll pass any postscreening and get to smtpd soon enough. Even so, 
postscreen would lessen the pressure of actual bots on the server, so 
it would indeed help somewhat.

> I would recommend that John consider a check_sender_access lookup 
> of the null sender, and therein apply ips.backscatterers.org or 
> other backscatter DNSBL[s], but that entails a slight risk of loss 
> of real mail (sometimes a backscatter source might have a real 
> bounce to deliver), and it won't help with the load on the LDAP 
> server.
> 
> If all the rejected recipient addresses follow some kind of 
> pattern, maybe a PCRE lookup can help. We don't know enough about 
> it to suggest anything more.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
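
The null-sender lookup recommended in the quoted text above, sketched as a Postfix configuration. This is an added example, not part of the original message; the table path /etc/postfix/null_sender_access is an assumption, and the DNSBL zone is written exactly as it appears in the message.

```cfg
# /etc/postfix/main.cf  (added example; the table path is an assumption)
# Consult the sender table only after the usual relay protection.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/null_sender_access

# Key under which the null sender is looked up in access tables.
# "<>" is the Postfix default, shown here for clarity.
smtpd_null_access_lookup_key = <>

# /etc/postfix/null_sender_access  (run "postmap" on it after editing)
# Only mail from the null sender (bounces, DSNs) reaches the DNSBL check,
# so ordinary mail from a listed host is not affected.
# A listed host delivering a real bounce is rejected too, which is the
# risk of lost mail the message mentions.
# Zone name as written in the message above; confirm it with the list
# operator before deploying.
<>    reject_rbl_client ips.backscatterers.org
```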
