[Mimedefang] Dealing with massive spam burst
Kevin A. McGrail
kmcgrail at pccc.com
Wed Sep 8 13:47:05 EDT 2004
John,
The system to tie LDAP to your Sendmail is not as hard as you think. See
http://www.peregrinehw.com/downloads/ldap/. It's elegant and ties into
sendmail prior to MD getting involved. I think everyone here will agree that
blocking bad users at the gateway has HUGE advantages.
Also, have you tried just a define(`confCONNECTION_RATE_THROTTLE',`1')dnl to
throttle connections to one per second?
Finally, if you use define(`confBAD_RCPT_THROTTLE',`2')dnl that will help
identify sites that are harvesting, performing dictionary attacks, etc. We
also use it to tie into a system that monitors the logs for sites doing this
and blocks them with iptables:
http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/
I *highly* recommend this system and have taken steps in the program, as you
will see, to begin centralizing the gathering of IP addresses involved in
these types of issues.
Regards,
KAM
> I've had mimedefang+clamav+spamassassin running quite happily here for
> about 18 months or so now, but over the last couple of days have run into a
> problem. One of our customers has been very severely joe-jobbed, and the mass
> of NDRs coming back to them is making their primary MTA/mimedefang box
> crumble under the load (which can peak at a few hundred messages a minute
> when the spammers kick off).
> On the grounds that upgrading the hardware isn't something that can be done
> quickly or easily, can anyone suggest any techniques for reducing the load at
> such times? I've thought of configuring spamassassin to whitelist emails
> coming from <> - but that only takes out a certain portion of the problem,
> and the load from running clamd across each incoming mail is still there. The
> only other thing I can think of is rejecting email to non-existent users
> before defang does most of its tests, but that would involve rigging up a
> system to verify each user against the Exchange system that the mail routes
> through to.
> Any suggestions/clues to what I'm missing very welcome.
>
> cheers
> john
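
The log-monitoring approach mentioned in the reply above (watch for hosts that trip confBAD_RCPT_THROTTLE, then block them with iptables), sketched as an added example; it is not part of the original post and is not the linked poprelay-RCPT_Throttle code. Assumptions: the syslog text "Possible SMTP RCPT flood, throttling." as the trigger line, the constructed sample log, the threshold of 3, the never-block networks, and all function names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on sendmail 8.12 syslog output (assumption).
SAMPLE_LOG = """\
Sep  8 13:40:01 mx1 sendmail[2101]: i88He1aa002101: [192.0.2.45]: Possible SMTP RCPT flood, throttling.
Sep  8 13:40:07 mx1 sendmail[2101]: i88He1aa002101: <aaron@example.com>... User unknown
Sep  8 13:40:09 mx1 sendmail[2107]: i88He9ab002107: scan.example.net [192.0.2.45]: Possible SMTP RCPT flood, throttling.
Sep  8 13:41:15 mx1 sendmail[2130]: i88HfFac002130: mail.example.org [198.51.100.7]: Possible SMTP RCPT flood, throttling.
Sep  8 13:42:30 mx1 sendmail[2144]: i88HgUad002144: [192.0.2.45]: Possible SMTP RCPT flood, throttling.
Sep  8 13:43:02 mx1 sendmail[2150]: i88Hh2ae002150: [10.1.2.3]: Possible SMTP RCPT flood, throttling.
Sep  8 13:43:05 mx1 sendmail[2151]: i88Hh5af002151: [10.1.2.3]: Possible SMTP RCPT flood, throttling.
Sep  8 13:43:09 mx1 sendmail[2152]: i88Hh9ag002152: [10.1.2.3]: Possible SMTP RCPT flood, throttling.
"""

# The client address is the bracketed token right before the throttle message.
FLOOD_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]: Possible SMTP RCPT flood, throttling\.")

def flood_counts(log_text):
    """Count throttle events per client IP, skipping anything that is not a valid IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FLOOD_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # never pass raw log text onward
        except ValueError:
            continue
        counts[ip] += 1
    return counts

def block_candidates(counts, threshold=3, never_block=("10.0.0.0/8", "127.0.0.0/8")):
    """IPs at or over the threshold, excluding networks that must never be blocked."""
    nets = [ipaddress.ip_network(n) for n in never_block]
    return sorted(str(ip) for ip, n in counts.items()
                  if n >= threshold and not any(ip in net for net in nets))

def iptables_rules(ips):
    """Render one port-25 DROP rule per validated address (printed, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(block_candidates(flood_counts(SAMPLE_LOG))):
        print(rule)
```

The never-block list matters here: an internal relay or a customer's own mail server that trips the throttle should be investigated, not firewalled off automatically.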