A few days ago, some kind of botnet attack started on my mail server which tries to send a lot of spam emails to certain domains on my mail server. The biggest issue here is that almost every attacker IP address is different. I've checked the log from one day and it contains about 73000 different IP addresses. I've disabled catch-all accounts but it has not helped. Any ideas?

Thanks in advance

GrZeCh

2 Answers

You need to have RBL list checking on your firewall or get your ISP involved. You can't stop a DDoS attack at the server. Most firewalls can check an incoming SMTP connection against one or more RBLs. At least then, the connection is dropped immediately and no more resources are wasted. Your ISP might be able to help here also. Our Sonicwall firewalls have this capability, and we have noticed a large decrease in load on our mail server because of it.

Scott Lundberg
  • I was wondering: do you think I could defend myself against this attack using a DNS server with a blacklist plugin? – GrZeCh Sep 05 '09 at 20:03
  • What blacklist plugin would you use? I suppose if it responded to blacklisted IPs with a bogus MX response, that would take the load off of your mail server... Never used one though. We prefer to stop all SMTP traffic at the firewall if the IP is listed in an RBL. – Scott Lundberg Sep 06 '09 at 01:25
  • I'm using Simple DNS server, which in version 5.2 has this plugin: Ignore DNS Request Plug-In - http://www.simpledns.com/kb.aspx?kbid=1280 - and it allows blocking MX IP resolving if the requesting IP is in an RBL list. Right now I'm using version 5.1 and I'm considering upgrading to 5.2. – GrZeCh Sep 07 '09 at 17:24
Add the following capabilities to your mail server:

  • greylisting
  • Sender Policy Framework - www.openspf.org
  • RBLs - at least Spamhaus

Furthermore, there are fine-tuning settings which can be made at the MTA level (header/body checks, etc.).

quaie
  • My problem is actually not SPAM itself but a lot of connections from different IP addresses to the SMTP server where the error is "No such user here". Greylisting is enabled, SPF and RBLs too. But they are basically spam filtering methods. – GrZeCh Sep 05 '09 at 10:38
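Added example, not code from the question or either answer, tying together the two points above: counting the distinct client IPs behind "No such user here" rejects (the asker's symptom) and checking each one against a DNSBL the way a firewall or MTA RBL check does (both answers' advice). The log line format is constructed for the example, zen.spamhaus.org is a real Spamhaus zone assumed here as the list to query, and the resolver is injectable so the logic can be exercised without network access.

```python
import re
import socket
from collections import Counter

# Constructed sample log lines in a generic MTA style (not real data): the
# failure mode from the question, many distinct client IPs each triggering
# "No such user here" rejects against the same local domain.
SAMPLE_LOG = """\
Sep  5 10:00:01 mx smtpd[4711]: client [203.0.113.10] RCPT <a@example.com>: 550 No such user here
Sep  5 10:00:02 mx smtpd[4712]: client [198.51.100.7] RCPT <b@example.com>: 550 No such user here
Sep  5 10:00:03 mx smtpd[4713]: client [203.0.113.10] RCPT <c@example.com>: 550 No such user here
Sep  5 10:00:04 mx smtpd[4714]: client [192.0.2.55] RCPT <d@example.com>: 250 OK
Sep  5 10:00:05 mx smtpd[4715]: client [198.51.100.99] RCPT <e@example.com>: 550 No such user here
"""

REJECT_RE = re.compile(r"client \[(\d+\.\d+\.\d+\.\d+)\].*?550 No such user here")


def reject_counts(log_text):
    """Map each client IPv4 address to its number of 'No such user here' rejects."""
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: the IPv4 octets reversed, then the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the list's answer (e.g. '127.0.0.2') if ip is listed, else None.

    A listed address resolves to a 127.0.0.x code; an unlisted one is NXDOMAIN,
    which gethostbyname raises as socket.gaierror (a subclass of OSError).
    `resolve` is injectable so the logic can be exercised offline.
    """
    try:
        return resolve(dnsbl_name(ip, zone))
    except OSError:
        return None


def listed_offenders(log_text, zone, resolve=socket.gethostbyname):
    """Rejecting clients that the DNSBL also lists, with their reject counts."""
    counts = reject_counts(log_text)
    return {ip: n for ip, n in counts.items() if dnsbl_lookup(ip, zone, resolve)}
```

Run against a day's log, the size of `reject_counts` gives the distinct-IP figure the question quotes, and `listed_offenders` shows what share of those clients an RBL check at the firewall would have dropped before they reached the MTA.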