cut off by spamhaus free use?

UxBoD uxbod at splatnix.net
Mon Dec 3 05:36:36 GMT 2007


Hi Jim,

Care to share what OSS tools you are using?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

----- Original Message -----
From: "Jim Flowers" <jflowers at ezo.net>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Monday, December 3, 2007 8:54:58 AM (GMT) Europe/London
Subject: Re: cut off by spamhaus free use?

FWIW, I have used spamhaus for quite some time now.  One of my systems tops
out at about 50,000 messages per day.  So far they haven't given me any grief
although they are the primary front-end dnsbl.

Here's some grist for the mill:

I am testing a sendmail front end configured with all of the spam/reject
capabilities (including the zen.spamhaus dnsbl), however, it follows several
milters (one of which uses the cbl.abuseat.net dnsbl).  The load on
zen.spamhaus is reduced considerably and the setup produces almost no false
positives.

Because this multi-domain server includes a particular domain that is the
target of a distributed zombie PC spam/ddos attack, I have added some extra
features to deal with the problem.  The spammer is able to launch several
hundreds of PCs at a time, throwing connections at this server at the rate of
hundreds per second.

The server logs are monitored by an IDS that tracks the frequency of blocking
events.  When a sendmail reject occurs or MailScanner determines that a
message from a particular relay is high scoring spam they are counted and when
a threshold is exceeded a firewall rule is added to either tarpit the relay or
block it outright for a period of from one hour to 5 days.  The IDS also
monitors the tarpit server and if the attacker isn't stuck in the mod for at
least a minute for each connection then it's converted into an outright block.
The amount of time from the start of an attack to full blocking varies but is
on the order of 11 to 40 seconds.

Sounds complicated but not so difficult to achieve as it sounds.  There are
really great open-source tools around.  And this domain has been a thorn in my
side for a long time.  Time will tell.  For the moment, I'm happy that the
messages handled by the processes running on this server have gone down from
about 46,000/day to less than 6,000/day (40,000 die at the firewall or get
discouraged and go away) and the server is loafing along with an average load
of 0.15 (2 GHz AMD/FreeBSD 6.3).

Certainly not for everybody but if you have large volume servers there may be
some ideas here that you can use.  Unfortunately, these attacks are increasing
at an alarming rate.

--
Jim Flowers <jflowers at ezo.net>
Internet/USA, LLC MXGuardian
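The log-driven tarpit/block escalation Jim describes, as an added example (not code from Jim's setup, from MailScanner or from sendmail): it parses constructed sendmail reject and MailScanner spam-verdict lines, counts blocking events per relay in a sliding window, tarpits on the first threshold crossing and blocks with escalating duration afterwards. The log line formats, the threshold, the window and the intermediate duration steps are assumptions; the returned tuples are decisions for whatever firewall front end you run, the block does not touch a firewall itself.

```python
import re
from collections import defaultdict, deque
# Constructed sample lines in the spirit of sendmail rejects and MailScanner
# verdicts; formats and addresses are assumptions, not real logs.
SAMPLE_LOG = """\
Dec  3 08:50:01 mx sendmail[1201]: relay=[192.0.2.10], reject=550 5.7.1 Rejected: listed at zen.spamhaus.org
Dec  3 08:50:02 mx MailScanner[900]: Message n38 from 198.51.100.7 is spam, score=22.4 (high scoring)
Dec  3 08:50:02 mx sendmail[1202]: relay=[192.0.2.10], reject=550 5.7.1 Rejected: listed at zen.spamhaus.org
Dec  3 08:50:03 mx sendmail[1203]: relay=[192.0.2.10], reject=550 5.7.1 Rejected: listed at zen.spamhaus.org
Dec  3 08:50:40 mx sendmail[1204]: from=<a@example.org>, relay=mail.example.org [203.0.113.5], stat=Sent
"""
TIME_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")
RELAY_RE = re.compile(r"(?:relay=\[|from )(\d{1,3}(?:\.\d{1,3}){3})")

def parse_block_event(line):
    # -> (seconds_of_day, relay_ip) for a reject or spam verdict, else None
    if " reject=" not in line and " is spam" not in line:
        return None
    t, r = TIME_RE.match(line), RELAY_RE.search(line)
    if not t or not r:
        return None
    h, m, s = (int(x) for x in t.groups())
    return h * 3600 + m * 60 + s, r.group(1)

class BlockTracker:
    # Count blocking events per relay in a sliding window: the first threshold
    # crossing tarpits, later ones block for 1 hour .. 5 days (steps assumed).
    ESCALATION = [3600, 6 * 3600, 24 * 3600, 5 * 24 * 3600]

    def __init__(self, threshold=3, window=30):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)   # relay -> recent event times
        self.strikes = defaultdict(int)    # relay -> times we acted on it

    def observe(self, line):
        ev = parse_block_event(line)
        if ev is None:
            return None
        now, ip = ev
        q = self.events[ip]
        q.append(now)
        while now - q[0] > self.window:    # expire events outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()                          # start a fresh window after acting
        n = self.strikes[ip] = self.strikes[ip] + 1
        if n == 1:
            return ("tarpit", ip, None)
        return ("block", ip, self.ESCALATION[min(n - 2, len(self.ESCALATION) - 1)])
```

Feeding `SAMPLE_LOG` line by line through `BlockTracker().observe` yields a single tarpit decision for 192.0.2.10; the lone MailScanner verdict for 198.51.100.7 stays below the threshold and the ordinary delivery line is ignored.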


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 