Hi,
thx for your reply!
> > last weekend I experienced a DoS *cheer*. In fact this wasn't as
> > funny[...]
>
> I hate that, sucks doesn't it? On my main exim system (Dual Xeon
> 2.4's, 1 gig of ram, etc etc) I can handle the 200K delivered
> (+1 million bonked by RBL/Syntax/etc) pretty well, but we do see
> DoS/DDoS attacks, and have had to tune exim to help it survive.
Seriously, yes. :)
> To fend them off, I've implemented the following:
> smtp_accept_max = 512
sounds good
> smtp_accept_max_per_host = 20
sounds good
> queue_only_load = 15
> smtp_load_reserve = 15
I will wait until I get some stuff off that host and then try that with
caution.
> smtp_reserve_hosts = +relay_from_hosts
> deliver_queue_load_max = 10
>
> While it may not be optimal, it does the trick. With a smaller box
> (and expected connection rate) you can, of course, set the accept_max
> and accept_max_per_host to lower #'s. With a per-host of 20, I still
> get several times a day when a specific host tries to connect more
> than 20 times. When I check the logs it's usually sending spam or
> viruses.
>
> The reserve stuff is there so that if the box just gets too busy, it
> 4xx's outside SMTP but accepts email from my customers. This way my
> customer support folks don't have to take "why isn't my outlook outbox
> emptying" calls.
If they don't call for outlook, they call for something else...
I also changed rfc1413_query_timeout to 0s to disable this feature.
> I'm also fairly aggressive with rejecting HELOs with non domain literal
> IPs, and my local hostname, which kills a lot of automated attacks.
That sounds interesting. Maybe I'll just mark those emails with SA and
make some stats, since I don't know yet how many "good" mails use
literal IPs in HELOs.
> I also check a text file for explicitly denied hosts with a connect
> ACL, and add/subtract from that file if a specific IP is hitting me
> too hard.
I started blocking "strange" hosts (for example my special friend from
84.30.55.80/qe84.internetdsl.tpnet.pl *hrhrhr*)
> Also, not knocking on SA-Exim (I've never used it) but maybe exiscan,
> which connects to spamd directly, might be more efficient than spawning
> spamc with every message?
Well, forking spamc for a short time is ok IMHO. I use SA-exim, since it
provides me with several useful features that exiscan-acls lacks, and
exiscan only for malware and some other nice tweaks.
thx
-fe
>
> Like I said, I'm sure there are better ways to do it than I have,
> since I'm still learning too, but I figure it might help to share.
>
> Thanks
> -Scott
>
> --
> Scott Call Router Geek, ATGi, home of $6.95 Prime Rib
> I make the world a better place, I boycott Wal-Mart
> VoIP incoming: +1 360-382-1814
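The settings discussed in this thread, pulled together into one Exim 4 configuration fragment as an added example. This is not Scott's or fe's actual configuration: the customer network in relay_from_hosts, the file path /etc/exim/denied_hosts and the smtp_accept_reserve value are assumptions, and the bare-IP HELO check is written as a `warn` (logging only) to match fe's plan of gathering stats before rejecting.

```exim
# Added example, not the configuration of either poster. Exim does not
# allow trailing comments, so every comment sits on its own line.

# Assumed: the customers who are allowed to relay through this box.
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# ---- Main section ---------------------------------------------------

# Hard caps on concurrent inbound SMTP connections, total and per client IP.
# Exceeding either gets the client a 421 at connect time.
smtp_accept_max          = 512
smtp_accept_max_per_host = 20

# Once the 1-minute load average passes 15, only smtp_reserve_hosts are
# accepted; everyone else is 4xx'd. smtp_accept_reserve (assumed value)
# also keeps 32 of the 512 slots free for those hosts at all times.
smtp_load_reserve   = 15
smtp_reserve_hosts  = +relay_from_hosts
smtp_accept_reserve = 32

# Above load 15 accept mail but only queue it; no queue runs above 10.
queue_only_load        = 15
deliver_queue_load_max = 10

# Disable the ident (RFC 1413) lookup that every connection would
# otherwise wait on.
rfc1413_query_timeout = 0s

acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

# ---- ACL section ----------------------------------------------------
begin acl

acl_check_connect:
  # Assumed path. One host item (IP or CIDR) per line; edit the file to
  # add or remove an attacker, no reload needed.
  deny  hosts       = /etc/exim/denied_hosts
        message     = Connections from your host are not accepted here
        log_message = host is in local denylist

  accept

acl_check_helo:
  # Our own clients may say whatever they like in HELO.
  accept hosts = +relay_from_hosts

  # A bare IP in HELO is not a domain literal (that would be [1.2.3.4]).
  # Log only, so the mainlog shows how much legitimate mail does this
  # before the warn is changed to a deny.
  warn  condition   = ${if isip{$sender_helo_name}}
        log_message = HELO is a bare IP address

  # A remote host claiming to be this server is almost always a bot.
  deny  condition   = ${if eq{$sender_helo_name}{$primary_hostname}}
        message     = You are not $primary_hostname
        log_message = HELO forged as our own hostname

  accept
```

Check the result with `exim -bV` (configuration syntax) and `exim -bh 203.0.113.5` (assumed test address) to step through the connect and HELO ACLs for a given client without delivering anything. Tail the mainlog for the "HELO is a bare IP address" entries for a few days; if the only hits are spam, switch that `warn` to `deny` and add a `message`.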