"James Riden" writes:
> It's best to do SMTP rejects for unknown users; this will help cut the load on your servers if the forged From addresses don't exist at your domain. This is relatively straightforward for most MTAs - I believe Postfix can do LDAP queries against AD, or can talk to a PostgreSQL database. Since most of the forged addresses will be nonexistent, this should help quite a bit.
> (Bonus - it will also stop you generating this kind of traffic for other sites in the future.)
My mail domain is relatively small - about 40 real users - but I still drop about 1500 mail connections a day for email sent to invalid users. About 200 of these were typically virus-initiated (and therefore had attachments) and almost all the rest were spam. My MTA is MailMarshal and it can easily be configured to do this. You can set up LDAP or Active Directory connectors to hook into your directory servers, which makes managing the lookup lists simple. And before I hear cries of "argh, not MailMarshal again...": it's configured so that it does *not* send outbound notifications for viruses etc.

-- 
Regan
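What James and Regan describe, validating every RCPT TO against the directory so mail for unknown users is refused during the SMTP session and never bounced, as an added Postfix configuration example. It is not from this thread and is not either poster's setup (Regan uses MailMarshal). The domain example.com, the AD host dc1.example.com, the bind DN and the internal mail store exchange.example.com are placeholders.

```ini
# /etc/postfix/main.cf (added example; host and domain names are placeholders)
# Inbound gateway in front of an internal mail store: accept mail for
# example.com only when the recipient exists in Active Directory.
relay_domains = example.com
relay_recipient_maps = ldap:/etc/postfix/ad-recipients.cf
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/ad-recipients.cf (ldap_table(5) parameters)
# Keep this file readable by the postfix user only: it holds the bind password.
server_host = ldap://dc1.example.com:389
version = 3
bind = yes
bind_dn = cn=postfix-lookup,cn=Users,dc=example,dc=com
bind_pw = change-me
search_base = dc=example,dc=com
scope = sub
# Match the primary address (mail) or any secondary smtp: proxy address.
query_filter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))
result_attribute = mail

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
example.com    smtp:[exchange.example.com]
```

Check a lookup from the shell with `postmap -q user@example.com ldap:/etc/postfix/ad-recipients.cf`: an address the map does not return is refused at RCPT TO with a 550 "User unknown in relay recipient table", so nothing is queued and no bounce can be generated. If the LDAP server is unreachable, Postfix answers with a 4xx temporary failure rather than accepting the recipient, so the directory host needs to stay reachable from the gateway or the queue on the sending side backs up.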
Regan Murphy wrote:
> servers which makes managing the lookup lists simple. And before I hear
> cries of "argh, not MailMarshal again...": it's configured so that it does *not* send outbound notifications for viruses etc.
I prefer things like patching Postfix to do AV scanning on the fly, rejecting virus mails at the end of the DATA command where a virus or spam is found. Whilst it doesn't stop the resource drain, it does have the effect of notifying the sending MTA owner (when properly configured) that they have a virus-sending issue, and it eliminates all possibility of your server generating backscatter. It also has the side effect that, in the unlikely event of a false positive, the sender is notified of the rejection.

...and it's fully RFC compliant ;-)

For those who think there is a serious potential for DoS: I can sustain (and have) 25 messages per second on my incoming MTA without breaking a sweat, complete with LDAP lookups on all the addresses to a "remote" directory server for both final destination and 'user exists'. (I'm sure a few of you know of my past history when it comes to getting DDoS'd ;-))... $dayjob is managing MTAs for a large edu.au (85k accounts) - at peak we don't have more than 25 connections incoming at any one time - we average 4 messages per second over any 24 hour period.

Regards,

Mat

(FYI my Postfix servers are configured to reject connections at 40 concurrent incoming connections - for sanity.)
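Mat's approach, refusing infected or spammy mail inside the SMTP transaction so the sending MTA receives the reject and no backscatter is generated, together with a cap on concurrent inbound connections, as an added Postfix example. Mat patched Postfix himself; this is not his code. Stock Postfix reaches the same effect with a before-queue content filter (smtpd_proxy_filter, per SMTPD_PROXY_README), so the filter address 127.0.0.1:10025, the re-injection port 10026, the per-client limits and the process cap of 40 are assumed values for illustration.

```ini
# /etc/postfix/main.cf (added example; addresses and limits are placeholders)
# Hand each message to a before-queue filter before answering end-of-DATA.
# A 5xx from the filter is relayed to the sending MTA and nothing is queued,
# so no bounce can be generated afterwards.
smtpd_proxy_filter = 127.0.0.1:10025
smtpd_proxy_timeout = 100s
# Per-client limits (enforced by anvil) so one host cannot take every slot.
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 60

# /etc/postfix/master.cf
# The maxproc column (7th) caps concurrent inbound smtpd processes at 40;
# further clients are refused until a slot frees up.
smtp      inet  n       -       n       -       40      smtpd
# Listener on which the filter re-injects clean mail: no proxy filter,
# no client limits, local connections only.
127.0.0.1:10026 inet n  -       n       -       -       smtpd
    -o smtpd_proxy_filter=
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
```

The trade-off is the one Mat names: a before-queue filter holds a scanner busy for the whole SMTP session and must answer within the sending client's DATA timeout, so the process cap and per-client limits are what keep a flood from exhausting the box rather than merely slowing it down. A false positive surfaces as a 5xx that the sender's own MTA turns into a non-delivery report, which is the notification Mat refers to, without your server ever originating a message.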
participants (2)
- Matthew Sullivan
- Regan Murphy