Many thanks to everyone who got back to me on this topic. The way forward appears to be a two-pronged approach:

1. Ensure that we refuse 'unknown users' at our receiving MTA - probably best achieved via LDAP lookups.
2. Implement SPF/SRS.

With the benefit of hindsight I can thoroughly recommend performing the above *before* being hit :) Neither will be trivial for us to implement (other than exporting our own SPF TXT records in DNS), and will require the installation of OpenLDAP (which will admittedly be useful for 101 other things) as well as upgrading all our MTAs. I @#$@#$S^@# hate spammers!!

Bojan Zdrnja said:
> -----Original Message-----
> From: Spencer Stapleton [mailto:sstapleton(a)compass.net.nz]
> Sent: Wednesday, 26 January 2005 6:18 p.m.
> To: nznog(a)list.waikato.ac.nz
> Subject: [nznog] backscatter attack
>
> > One of our user domains has just been heavily hit by *huge* quantities of Non-Delivery Receipts addressed to random_string(a)domain_name.
>
> So, you were receiving NDNs targeted at random_string(a)domain, domain being the one you host? If that is the case, your server should just reject anything for non-existent users. The problem with most setups today is that they just do a blind relay, which means you accept all those e-mails, then find out that the user doesn't exist and then you discard it (as it's a double bounce NDN). Usually this is solved by implementing virtual domains and/or relay access rules.
>
> > At its peak we were seeing around 50,000 NDRs coming in per hour. The worst has passed.
>
> We had similar things at the UoA. After our system was re-architected only a directly targeted spam attack (with existing users) can affect it.
>
> > We only had a number of things at our disposal to do to limit the damage:
> >
> > Stop generating any 'unknown user' NDR responses ourselves (ignoring RFC876).
>
> Your server should reject it immediately (without accepting/queueing the e-mail). This means that the burden of NDN is on the remote server.
>
> > Split the affected domain away from the rest of our incoming mail stream and then start removing obvious NDRs from the isolated queues. Remove more NDRs from the queue. <repeat last step again> <and again>...
> >
> > Has anyone seen something similar? Did you manage to locate a better solution? I can't say I've enjoyed the last couple of days one bit!
>
> Your solution is to implement virtual domains and reject e-mail immediately.
>
> Cheers,
>
> Bojan
>
> --
> Bojan Zdrnja, CISSP, RHCE
> Security Implementation Specialist
> Information Technology Systems and Services (ITSS)
> Ph 09 373-7599 x82035
> The University of Auckland, New Zealand
--
Systems Engineer
Compass Communications
http://www.compass.net.nz
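The difference between the two MTA behaviours discussed in the thread (accept everything for a hosted domain and bounce later, versus reject unknown recipients at RCPT TO time so the remote server carries the NDN burden) is easy to see in a small simulation. The following Python is an added example written for this thread, not code from any of the posters or from a real MTA; the LDAP directory is replaced by an in-memory dict (a constructed stand-in), the attack wave of null-sender NDRs to random local parts is constructed inline, and the SPF helper evaluates only `ip4:`/`ip6:` mechanisms and `all` for the kind of TXT record a domain owner publishes. The `Mta` class, `simulate()` and `spf_check()` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory: hosted domain -> known local parts.
DIRECTORY = {"example.org": {"alice", "bob", "postmaster"}}


@dataclass
class Mta:
    """Simplified receiving MTA.

    With validate_at_rcpt=False it behaves like the blind-relay setup described
    in the thread: accept anything for a hosted domain, discover the unknown
    address after the DATA phase, then either discard (if the message itself was
    a bounce) or generate an NDR to whatever MAIL FROM the sender supplied.
    With validate_at_rcpt=True the unknown address is refused during RCPT TO,
    so nothing is queued and no NDR is ever generated by us.
    """
    hosted: dict
    validate_at_rcpt: bool = True
    delivered: list = field(default_factory=list)
    ndrs_sent: list = field(default_factory=list)   # bounces we emitted (backscatter)
    discarded: int = 0                              # double bounces dropped silently

    def rcpt_to(self, rcpt: str) -> str:
        """Return the SMTP reply for one RCPT TO command."""
        local, _, domain = rcpt.rpartition("@")
        domain = domain.lower()
        if domain not in self.hosted:
            return "554 5.7.1 Relay access denied"
        if self.validate_at_rcpt and local.lower() not in self.hosted[domain]:
            return "550 5.1.1 User unknown"   # directory lookup happened here
        return "250 2.1.5 OK"

    def receive(self, mail_from: str, rcpt: str) -> str:
        """Run one SMTP transaction; return the RCPT reply the client saw."""
        reply = self.rcpt_to(rcpt)
        if not reply.startswith("250"):
            return reply                        # rejected in-session, nothing queued
        local, _, domain = rcpt.rpartition("@")
        if local.lower() in self.hosted[domain.lower()]:
            self.delivered.append((mail_from, rcpt))
        elif mail_from == "":
            self.discarded += 1                 # an NDR for an unknown user: never bounce a bounce
        else:
            self.ndrs_sent.append(mail_from)    # late NDR to a possibly forged sender
        return reply


def simulate(validate_at_rcpt: bool, ndr_count: int = 1000) -> dict:
    """Replay a constructed wave of null-sender NDRs aimed at random local parts,
    one forged-sender spam to an unknown user, and one legitimate message."""
    mta = Mta(DIRECTORY, validate_at_rcpt)
    rejected = 0
    for i in range(ndr_count):
        if mta.receive("", f"rnd{i}@example.org").startswith("550"):
            rejected += 1
    mta.receive("victim@example.net", "nobody@example.org")   # would become backscatter
    mta.receive("friend@example.net", "alice@example.org")    # legitimate delivery
    return {
        "rejected_at_rcpt": rejected,
        "queued_then_dropped": mta.discarded,
        "backscatter_generated": len(mta.ndrs_sent),
        "delivered": len(mta.delivered),
    }


def spf_check(txt_record: str, client_ip: str) -> str:
    """Minimal SPF evaluation: only ip4/ip6 mechanisms and 'all' are handled.
    Returns one of none, pass, fail, softfail, neutral."""
    if not txt_record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in txt_record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"   # no mechanism matched (default result)


if __name__ == "__main__":
    print("blind relay:     ", simulate(False))
    print("RCPT validation: ", simulate(True))
    print(spf_check("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.7"))
```

Running it shows the blind-relay MTA accepting and then discarding every one of the 1000 incoming NDRs (each of them queued, processed and cleaned out of the queue, which is the work Spencer describes) and emitting one NDR of its own to a sender address it never verified, while the RCPT-time validator refuses all 1000 in-session and generates nothing. The SPF helper is the receiving side of the record Spencer plans to publish; a remote MTA doing the same lookup on a forged envelope from his domain would get `fail` and could refuse the message rather than bounce it back to him.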