Thanks again to all who respond to my questions. I am still seeing a high number of continuous connections of RCPT TO emails. I'm assuming that it's our wonderful bots out there having as much fun as they can cause.

My question is this: Tarpitting is removed from the latest invocation of the toaster (I assume) in lieu of greylisting. But I've seen information that says that if there is a slight 1 second or 2 second delay on the SMTP connection, a BOT might label you as too slow for them and move on. To be honest, with the latest version of the toaster, when you connect to port 25 it's immediate. WAY too fast if you ask me. Is there a way to slow this down to thwart some of the bot connections?

I am also assuming the following is what happens when a connection is made (roughly, that is):

1) sockets open via qmail-smtpd
2) chkuser validates user; if no user, dropped or bounced (I prefer bounced) at MTA level.
3) if accepted, greylisting, then spam checking
4) delivery of message.

On step 2, with CHKUSER working perfectly, I've noticed that many of the connections are almost dictionary attacks. Example: [EMAIL PROTECTED] [EMAIL PROTECTED] etc. CHKUSER IS bouncing them and qmail-spamt is creating a directory for the IP address (taken from the default information in the documentation (someplace)). SPAMT configuration file: ::1501:120000::1000:::: . But sometimes the connections keep flying in. Again, I've read from research done that the BOTS **ARE** looking for fast SMTP connections. Doesn't this quick connection authentication and dropping actually cause more damage than good? Maybe I'm missing something and will gladly post configuration files as requested.

ONE last thing. I know it's a pain, but with a DNS caching server on each external machine (in a cluster) that is an MX for a domain, DNS lookups are rather quick. Isn't there a way to ONLY accept email/connections from VALID DNS lookups? Case in point: I am seeing a LOT of .local domain names that are just NOT valid domain names. In many cases it's the name given from a box that is infected. I am assuming this because many of the .local names are machine names and/or user names.

Example: from <::> remote <rme-srv-10.RME.local:unknown:[IP REMOVED TO PROTECT INNOCENT]> rcpt <>

When you do a lookup on the IP address the names do NOT match. Why can't we bounce or drop these connections that are NOT matching? Yeah I know, many DNS managers do not keep up with the reverse names, etc etc etc. So what? I think I'd rather ONLY get emails from VALID forward and backward lookup machines and MX servers than bogus ones.

Thanks for any information and help.

Nitch.
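As an added illustration of the "valid forward and backward lookup" check the post asks about (example code written for this thread, not part of the qmail toaster or anything Nitch posted): the block below implements a forward-confirmed reverse DNS (FCrDNS) check and maps the result, together with the HELO name, to an SMTP reply. It goes a little beyond the single `.local` case in the post by also classifying a missing PTR and a PTR whose forward records point elsewhere. The resolver tables, the 192.0.2.x / 198.51.100.x documentation addresses, the host names and the reply codes are all constructed assumptions so the example runs offline; in a real deployment the two lookups would go to the per-host caching resolver the post describes.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus HELO sanity check for an SMTP
front end.  Added example for this thread; not qmail-toaster code.  The
resolver tables are constructed stand-ins so the whole thing runs offline."""
import ipaddress
import socket

# Constructed PTR (reverse) records: IP -> host name.  Documentation-range IPs.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",      # well-run MTA: PTR and A agree
    "192.0.2.20": "rme-srv-10.RME.local",  # the kind of .local name in the post
    "192.0.2.30": "mx.example.org",        # PTR exists but its A record points elsewhere
}

# Constructed A (forward) records: host name -> list of IPs.
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5"],
}


def is_local_name(name):
    """True for names under .local, which RFC 6762 reserves for multicast DNS;
    such a name can never be confirmed through public DNS."""
    return name.lower().rstrip(".").endswith(".local")


def fcrdns_status(ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Classify the connecting IP.  Returns (status, ptr_name) where status is:
      confirmed    - PTR name's A records include the connecting IP
      mismatch     - PTR name exists but resolves to other addresses
      no_ptr       - no reverse record at all
      unresolvable - PTR name is under .local (see is_local_name)"""
    ipaddress.ip_address(ip)  # reject malformed input before doing any lookup
    name = ptr.get(ip)
    if name is None:
        return "no_ptr", None
    if is_local_name(name):
        return "unresolvable", name
    if ip in fwd.get(name, []):
        return "confirmed", name
    return "mismatch", name


def smtp_decision(ip, helo, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Map the check to an SMTP reply code and text (codes are this example's
    policy, not a standard mandate).  Only the clearly bogus case gets a
    permanent 550; a missing or mismatched PTR gets a temporary 451 so that a
    legitimate server with sloppy reverse DNS retries instead of bouncing."""
    status, name = fcrdns_status(ip, ptr, fwd)
    if status == "unresolvable" or is_local_name(helo):
        return "550", f"{helo} is not a resolvable public host name"
    if status == "confirmed":
        note = "" if helo.lower() == name.lower() else f" (HELO {helo} differs from PTR, logged)"
        return "250", f"{name} ok{note}"
    if status == "mismatch":
        return "451", f"reverse name {name} does not resolve to {ip}, try again later"
    return "451", f"no reverse DNS for {ip}, try again later"


def live_records(ip):
    """Build one-entry PTR/A tables from the system resolver, for use as the
    ptr= and fwd= arguments above.  Not exercised by the offline example."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return {}, {}
    try:
        addrs = sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        addrs = []
    return {ip: name}, {name: addrs}


if __name__ == "__main__":
    # Constructed sample connections: (remote IP, HELO name)
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.20", "rme-srv-10.RME.local"),
                     ("192.0.2.30", "mx.example.org"),
                     ("192.0.2.40", "whatever.example")]:
        code, text = smtp_decision(ip, helo)
        print(f"{ip:<12} HELO {helo:<22} -> {code} {text}")
```

The deliberate asymmetry is the point: a `.local` name is rejected outright because it cannot be a real public host, while the much larger population of senders with absent or stale reverse DNS gets a temporary failure. That keeps the "only accept valid forward and reverse lookups" policy from turning into silent mail loss for otherwise legitimate peers, and a tempfail also feeds naturally into the greylisting step the post lists.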