[UFO Chicago] Spam DOS -- ideas?

David W. Harks dave at psys.org
Wed Sep 17 08:22:16 CDT 2003


Greetings, UFOers,

I'm faced with a problem:

One of the domains I host is getting flooded with spam. Literally thousands of 
simultaneous connections from thousands of servers worldwide are beating on 
my exim system.

To temporarily solve this, I've modified my MX to point to a server that can 
be dedicated to the purpose of handling this flood. Also, I've configured 
exim with jealous connection limits and to use SMTP VRFY, along with several 
DNSBLs.

But this isn't stopping the thousands of connections which end up acting as an 
effective email DOS. The servers sending the mail are actually (mostly) 
legitimate, and when checked via ORDB and SpamCop, come back clean, but 
they're attempting to send to thousands of nonexistent addresses @mydomain.  
Of course, VRFY doesn't allow this, but the flood continues.

Any thoughts on how to fight back against this sort of thing? Would it be 
better to NOT use VRFY, and just let thousands of bounces go out? I'm pretty 
sure the senders are spoofing their addresses, so I think that would get lots 
of bounces to the wrong folks. (Although perhaps THOSE folks might have 
better luck contacting their various ISPs...) Firewalling off the addresses 
isn't practical, since these are generally 'legitimate' servers (and, the 
list of rules gets long -- over 11,000 unique addresses so far).

Any suggestions, experience, or ideas are welcome.

Thanks!

dave

-- 
David W. Harks <dave at psys.org>  http://dwblog.psys.org
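As an added illustration (not part of Dave's post or the thread), the following script triages exim-style reject-log lines for the pattern described above: many distinct nonexistent recipients from one host, each with a different claimed sender, spread over a large number of source IPs. The log lines, hosts and addresses are constructed, and the line layout is an assumed simplification of exim's reject log.

```python
"""Triage exim reject-log lines for a recipient dictionary flood.

Added example, not from the original post.  SAMPLE_LOG is constructed in
exim's reject-log style ("rejected RCPT <addr>: reason"); every host,
address and name in it is made up.
"""
import re
from collections import defaultdict

# Assumed line shape: "<date> <time> H=<helo> [<ip>] F=<sender> rejected RCPT
# <recipient>: <reason>".  Real exim logs carry more optional fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<helo>\S+) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

SAMPLE_LOG = """\
2003-09-17 08:01:02 H=mx1.example.net [192.0.2.10] F=<amy@example.org> rejected RCPT <qwzx@mydomain.example>: Unrouteable address
2003-09-17 08:01:03 H=mx1.example.net [192.0.2.10] F=<bob@example.org> rejected RCPT <kjhg@mydomain.example>: Unrouteable address
2003-09-17 08:01:03 H=mx1.example.net [192.0.2.10] F=<cat@example.org> rejected RCPT <plmn@mydomain.example>: Unrouteable address
2003-09-17 08:01:04 H=relay.example.com [198.51.100.7] F=<dan@example.org> rejected RCPT <zzzz@mydomain.example>: Unrouteable address
2003-09-17 08:01:05 H=smtp.example.edu [203.0.113.5] F=<eve@example.org> rejected RCPT <postmaster@mydomain.example>: relay not permitted
"""


def parse_rejects(text):
    """Return one dict per parseable 'rejected RCPT' line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(text, min_rcpts=2):
    """Group unknown-recipient rejects by sending IP.

    A host probing min_rcpts or more *distinct* nonexistent local parts, each
    under a different claimed sender, matches the dictionary-flood pattern;
    one bad address from one host is just a typo.  Returns the count of
    distinct source IPs and the flagged hosts with their probe counts.
    """
    per_ip = defaultdict(lambda: {"rcpts": set(), "senders": set()})
    for rec in parse_rejects(text):
        if rec["reason"] != "Unrouteable address":
            continue  # relay refusals etc. are a different problem
        per_ip[rec["ip"]]["rcpts"].add(rec["rcpt"].split("@", 1)[0])
        per_ip[rec["ip"]]["senders"].add(rec["sender"])
    flagged = {ip: {"rcpts": len(e["rcpts"]), "senders": len(e["senders"])}
               for ip, e in per_ip.items() if len(e["rcpts"]) >= min_rcpts}
    return {"unique_hosts": len(per_ip), "flagged": flagged}
```

Run against a real reject log, the `unique_hosts` figure is the one that decides whether per-address firewall rules are tractable, while `flagged` separates hosts relaying a dictionary run from hosts that merely sent one mistyped address.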


