-----Original Message-----
From: Simon Blake [mailto:simon(a)citylink.co.nz]
Sent: Wednesday, 26 January 2005 10:10 p.m.
To: Spencer Stapleton
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] backscatter attack
> When we ran the domain on qmail, we just accepted all users(a)domain, and wrote the unknown users to /dev/null. This at least stopped the outbound NDR creation, and kept the outbound mail queue at a sensible level. I figured sending NDRs was just not a friendly thing to do, and so decided not to do so.
Yep - that was good for other people (very nice of you :); however, it was terribly expensive for your server. One of the worst cases I've seen is the default setup that distributions often use with the Cyrus IMAP server. Usually, the MTA can't tell which users are local (because they are accounts under Cyrus), so it accepts absolutely everything, tries to deliver to Cyrus and then bounces it back.
> I suspect that an SMTP reject is probably the only realistic balance between DoS'ing somebody else with NDRs, and not warning legit senders of their typos. I figure the dictionary attack the above config allows is probably the least of my problems, and could probably be mitigated with some kind of IDS.
As it was mentioned in another post, SPF with SRS is the real solution; however, the first step would be to configure servers properly so they don't generate NDNs which are not needed. Our servers reject ~200.000 e-mails daily just based on incorrect recipients.

Cheers,

Bojan

--
Bojan Zdrnja, CISSP, RHCE
Security Implementation Specialist
Information Technology Systems and Services (ITSS)
Ph 09 373-7599 x82035
The University of Auckland, New Zealand
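A small model of the three recipient-handling policies argued over in this thread (accept everything and bounce, accept everything and discard, reject unknown users at RCPT TO), added here as an example and not code from either poster; the domain, mailbox list and traffic are constructed, and it only counts how many NDRs each policy would push into the outbound queue.

```python
from collections import Counter
from dataclasses import dataclass

LOCAL_DOMAIN = "example.org"          # constructed domain
LOCAL_USERS = {"alice", "bob"}        # constructed mailbox list the MTA may or may not see

@dataclass(frozen=True)
class Envelope:
    mail_from: str   # envelope sender; in a backscatter attack this is the victim's address
    rcpt_to: str     # envelope recipient

def rcpt_reply(rcpt_to: str, policy: str) -> str:
    """SMTP reply given at RCPT TO time. policy is 'reject', 'bounce' or 'discard'."""
    local, _, domain = rcpt_to.lower().partition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if policy == "reject" and local not in LOCAL_USERS:
        # Rejected inside the SMTP session: the sending MTA, not us, owns any bounce.
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"   # 'bounce'/'discard' accept all local names (the Cyrus/qmail cases)

def process(env: Envelope, policy: str, outbound_queue: list) -> str:
    """Handle one envelope; any NDR we generate is appended to outbound_queue."""
    if not rcpt_reply(env.rcpt_to, policy).startswith("250"):
        return "rejected"
    local = env.rcpt_to.lower().partition("@")[0]
    if local in LOCAL_USERS:
        return "delivered"
    if policy == "bounce":
        outbound_queue.append(Envelope("<>", env.mail_from))   # NDR to the (forged) sender
        return "bounced"
    return "discarded"                                          # /dev/null, no NDR

def simulate(envelopes, policy):
    """Return (outcome counts, number of NDRs this server would send out)."""
    queue = []
    counts = Counter(process(e, policy, queue) for e in envelopes)
    return dict(counts), len(queue)

# Constructed traffic: a dictionary run against unknown users with one forged sender,
# plus one legitimate message and one relay attempt.
SAMPLE = [Envelope("victim@example.net", f"user{i}@example.org") for i in range(100)]
SAMPLE += [Envelope("friend@example.com", "alice@example.org"),
           Envelope("spam@example.com", "someone@example.net")]

if __name__ == "__main__":
    for policy in ("bounce", "discard", "reject"):
        print(policy, simulate(SAMPLE, policy))
```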