Re: [OT] HELP!!! mail attack

On Wed, 2008-03-26 at 07:23 -0400, Rodolfo Alcazar Portillo wrote:
> Hello. Since Monday, our mailserver (FC5), behind a firewall, has been
> suffering a heavy DoS mail attack. We have a user account,
> amanda.davila@xxxxxxxxxxxx, and it is receiving millions of emails from
> very different sites on the planet. Until now, my only action has been
> deleting the account from /etc/password, and the traffic permits
> working. We suspect a virus attack...
> 
> What else can we do? We would appreciate any help with this issue. Here,
> a 20 seconds log by 07:15 GMT-4 (too early, many pcs off).
----
That account has likely been 'Joe Jobbed' and you are seeing the
backscatter. Google 'Joe Job' or find it on Wikipedia for an
explanation.

If you have a mail server, an account, and e-mails arriving, there's
little you can do in a specific sense, but you have to evaluate your
overall mail scheme.

I will explain in a general way, how I set up my mail servers and
perhaps this may help.

I use postfix, but the only difference I have found between postfix and
sendmail is that postfix is a little easier to set up/maintain.

My first 'defense' is greylisting, run as a policy in postfix.
Greylisting maintains a database (MySQL), primarily using a table of
'tuples' of sender, recipient, mailhost (the SMTP server trying to deliver
the mail). Greylisting sends a tempfail on the first attempt by a sender,
to a recipient, from a particular mail server. This eliminates much e-mail
sent by 'bot' systems that are just spraying e-mail around and are not
true SMTP servers and thus don't attempt 're-delivery'.

My second defense is to use RBLs (abuseat / spamhaus / dsbl) to
otherwise block KNOWN blacklisted sources.

My third defense is to require:
 - reverse DNS of sender
 - fqdn of sender
 - valid hostname
 - valid recipient

This all happens before I choose to accept mail.

Once I have accepted e-mail, it is shuffled to 'MailScanner' which is a
wrapper program that sends e-mail through clamav and then through
spamassassin, where it is cleaned and scored.

Finally, I have 'sieve' rules for all users which put high-spam-score
e-mails into a user's 'SPAMBOX' folder, from which everything that is older
than 7 days is automatically cleaned out.

The notion of rejecting most e-mail before you ever accept it is really,
really important because it minimizes the very expensive computing costs
of inspection by clamav and spamassassin.

Craig

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
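The greylisting step Craig describes (tempfail the first attempt from a sender/recipient/mailhost triplet, accept once a real MTA retries after a delay) as an added example, not code from the original post or from any postfix policy daemon. The MySQL table is replaced by an in-memory dict, and the delay and expiry values are constructed assumptions; the request format follows the Postfix SMTPD policy protocol (key=value lines, blank-line terminated).

```python
"""Greylisting as a Postfix policy decision on a (sender, recipient, client) triplet.

Added example, not the poster's setup. The MySQL table is an in-memory dict
here, and MIN_DELAY / RETRY_WINDOW are constructed assumptions.
"""
import time

MIN_DELAY = 300          # seconds a triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600  # triplets that never retry are forgotten after this long


class Greylist:
    """Tracks first-seen times for sender/recipient/client triplets."""

    def __init__(self):
        self.first_seen = {}   # triplet -> timestamp of first (tempfailed) attempt
        self.passed = set()    # triplets that completed a valid retry

    def decide(self, sender, recipient, client_address, now=None):
        """Return a Postfix policy action for one delivery attempt."""
        now = time.time() if now is None else now
        key = (sender.lower(), recipient.lower(), client_address)
        if key in self.passed:
            return "DUNNO"                 # known retrier: let later checks decide
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now     # new (or stale) triplet: tempfail it
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        if now - first < MIN_DELAY:        # retried too fast: bots often do this
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        self.passed.add(key)               # a real MTA waited and retried
        del self.first_seen[key]
        return "DUNNO"


def handle_policy_request(greylist, request, now=None):
    """Parse one Postfix policy request (key=value lines) and answer it."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines() if "=" in line)
    action = greylist.decide(attrs.get("sender", ""), attrs.get("recipient", ""),
                             attrs.get("client_address", ""), now)
    return f"action={action}\n\n"


if __name__ == "__main__":
    # Constructed request: a first delivery attempt, then a retry 10 minutes later.
    req = ("request=smtpd_access_policy\nsender=someone@example.net\n"
           "recipient=user@example.org\nclient_address=192.0.2.10\n\n")
    g = Greylist()
    print(handle_policy_request(g, req, now=0).strip())      # deferred
    print(handle_policy_request(g, req, now=600).strip())    # accepted (DUNNO)
```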