On Wed, Jan 26, 2005 at 06:18:09PM +1300, Spencer Stapleton said:
Stop generating any 'unknown user' NDR responses ourselves (ignoring RFC876).
Since 6am this morning, for a domain nearby, we've seen:

    1613 received
    1077 delivered
       8 forwarded
       1 deferred (1 deferrals)
       2 bounced
   25611 rejected (95%)
       0 reject warnings
       0 held
       0 discarded (0%)
Has anyone seen something similar? Did you manage to locate a better solution? I can't say I've enjoyed the last couple of days one bit!
When we ran the domain on qmail, we just accepted all users(a)domain, and wrote the unknown users to /dev/null. This at least stopped the outbound NDR creation, and kept the outbound mail queue at a sensible level. I figured sending NDRs was just not a friendly thing to do, and so decided not to do so.

We were still receiving something like 15GB of mail/month to unknown users, which sucked, so we moved from qmail to postfix a few weeks ago, and set up postfix to reject unknownusers(a)domain, and to run amavisd/clamav, both at SMTP receive time. Of those rejections above, about 500 are viruses, and the majority of the rest (25000 messages) seem to be incoming NDRs. (qmail defenders, yes, I know you can configure qmail to do all the above, but it involved patches and recompilation from scratch, and, well, I just couldn't be arsed.)

I suspect that an SMTP reject is probably the only realistic balance between DoSing somebody else with NDRs, and not warning legit senders of their typos. I figure the dictionary attack the above config allows is probably the least of my problems, and could probably be mitigated with some kind of IDS.

Cheers
Si
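The "some kind of IDS" that Si mentions for the dictionary attack an SMTP-time reject exposes, as an added example that is not part of the original thread: a Python script that reads Postfix smtpd "User unknown" rejections, counts distinct unknown recipients per client IP (so one sender retrying a single typo is not flagged), and renders a Postfix client_access map for the offenders. The log line layout follows Postfix's standard smtpd reject format; the threshold of five distinct addresses, the host names, IPs and the sample log lines are assumptions constructed for the example.

```python
"""Flag SMTP clients that probe for valid mailboxes (dictionary attacks) by
counting distinct 'User unknown' rejections per client IP in Postfix smtpd
logs, then emit a Postfix client_access map to block them.

Added example, not code from the original thread. The sample log lines are
constructed, not real traffic; the threshold of 5 is an assumption.
"""
import re
from collections import defaultdict

# Matches a Postfix smtpd reject for an unknown local recipient. Newer Postfix
# versions insert an enhanced status code ("5.1.1") after the 550; the optional
# group tolerates both forms.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: 550 (?:\d\.\d\.\d )?"
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def _reject_line(ts, host, ip, rcpt, sender="bulk@example.org"):
    """Build one constructed smtpd reject line (sample data only)."""
    return (f"{ts} mx1 postfix/smtpd[4711]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 550 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<{sender}> "
            f"to=<{rcpt}> proto=SMTP helo=<{host}>")


# Constructed sample log: one client walking an alphabetical list of names
# (six distinct unknown recipients, one of them repeated), one client with a
# single typo, and an accepted message that the parser must ignore.
SAMPLE_LOG = [
    _reject_line("Jan 26 06:12:01", "unknown", "203.0.113.5", f"{n}@example.net")
    for n in ("aaron", "abbey", "abdul", "abel", "abigail", "abraham", "aaron")
] + [
    _reject_line("Jan 26 06:13:40", "mail.example.com", "198.51.100.7",
                 "jon.smiht@example.net", sender="jon@example.com"),
    "Jan 26 06:14:02 mx1 postfix/smtpd[4712]: 3F2A1C4: "
    "client=mail.example.com[198.51.100.7]",
]


def parse_rejects(lines):
    """Yield (client_ip, recipient) for every 'User unknown' rejection."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()


def find_dictionary_attackers(lines, threshold=5):
    """Return {ip: sorted distinct unknown recipients} for clients that hit
    `threshold` or more distinct unknown addresses.

    Distinct recipients are counted rather than raw rejections, so a
    legitimate sender retrying one mistyped address does not trip the check.
    """
    seen = defaultdict(set)
    for ip, rcpt in parse_rejects(lines):
        seen[ip].add(rcpt)
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= threshold}


def render_client_access(attackers):
    """Render Postfix client_access map lines ('IP<TAB>REJECT ...') for the
    flagged clients. Run the output through postmap and reference the map
    with check_client_access in smtpd_recipient_restrictions."""
    return [f"{ip}\tREJECT dictionary attack ({len(r)} unknown recipients)"
            for ip, r in sorted(attackers.items())]


if __name__ == "__main__":
    hits = find_dictionary_attackers(SAMPLE_LOG)
    for line in render_client_access(hits):
        print(line)
```

Run against the sample, only 203.0.113.5 is flagged; the client with the single typo is left alone. In production this would run from cron over the mail log, with the rendered map placed ahead of reject_unlisted_recipient so a probing client is cut off at connection time rather than being allowed to keep enumerating.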