Re: [exim] DOS attack. What to do?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] DOS attack. What to do?
Eric Kuzniar wrote:

>>You are probably being hit from a zombie farm that uses *many* IP, but
>>relatively fewer forged hostnames and HELO. Sometimes a local BL is handy.
>>
>>Odds are these will be failing rNDS / forward/reverse lookup, forging HELO,
>>sending to recipients that do not exist, trying to pipeline when you do not
>>offer it, and other rude behaviour.
>
>     Another common scenario is that these are all bounces and/or
> callouts as a result of his domains being joe jobbed.


Agree the possibility, but it is rarely seen here.

The zombie farms, OTOH, make several sweeps every day - most now nailed quite
early (and cheaply) in the smtp cycle.

Primary target is our oldest *.net domain, and a chunk of dictionary-attack
non-existent users with the NetSol-WHOIS published domain contact address
included makes up the pattern.

The .com, .net, or .org .tld's seem to be the primary targets in general, and
US intransigence aside, we are reluctant to register or use any such for new work.

Our Swiss, Tongan, and Seychelles .tld's, by comparison, are targeted seldom or
not at all. I have to guess that a small population with a perceived
low-gullibility index covers the Swiss case, and even smaller populations as
well as close-mouthed WHOIS servers cover .to and .sc.

Bill
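The quoted paragraph lists the behaviours a zombie farm tends to show (failed reverse DNS, forged HELO, RCPTs to non-existent users, talking before the server is ready) and suggests a local blocklist built from them. The script below is an added example, not code from this thread or from the Exim project: it tallies those rejection categories per source IP from Exim-style mainlog lines, counts how many distinct HELO names the sources use (the "many IPs, few HELOs" signature Bill describes), and lists IPs that cross a hit threshold as candidates for a local blocklist. The log lines are constructed samples that approximate Exim's mainlog wording; the regexes, category names and threshold are assumptions for illustration, not Exim's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Exim mainlog rejections (not real logs).
# Three sources share one HELO name; 203.0.113.5 is an accepted, legitimate delivery.
SAMPLE_LOG = r"""2005-06-01 10:00:01 H=(mail.example.com) [192.0.2.10] rejected connection in "connect" ACL: reverse DNS lookup failed
2005-06-01 10:00:02 H=(mail.example.com) [192.0.2.10] F=<a@example.org> rejected RCPT <nosuchuser@example.net>: Unknown user
2005-06-01 10:00:03 H=(mail.example.com) [192.0.2.10] F=<a@example.org> rejected RCPT <webmaster2@example.net>: Unknown user
2005-06-01 10:00:04 H=(mail.example.com) [192.0.2.11] rejected connection in "connect" ACL: reverse DNS lookup failed
2005-06-01 10:00:05 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=(mail.example.com) [192.0.2.11]
2005-06-01 10:00:06 H=(localhost) [192.0.2.12] rejected EHLO or HELO localhost: HELO name is not a FQDN
2005-06-01 10:00:07 1DfGhI-0001aB-Cd <= alice@example.org H=mx.example.org [203.0.113.5] P=esmtp S=1234"""

# "H=<rdns-name> (<helo>) [<ip>]" or "H=(<helo>) [<ip>]" or "H=<name> [<ip>]"
HOST_RE = re.compile(r"H=(?P<hostpart>[^\[]+?) \[(?P<ip>[^\]]+)\]")
HELO_RE = re.compile(r"\(([^)]*)\)")

# Substring -> category, checked in order; mirrors the "rude behaviour" list in the thread.
RULES = [
    ("reverse DNS", "rdns_fail"),          # forward/reverse lookup failed
    ("synchronization error", "pipelining"),  # sent data before we allowed it
    ("rejected RCPT", "bad_rcpt"),         # dictionary attack on non-existent users
    ("HELO", "bad_helo"),                  # forged or malformed HELO/EHLO
]


def classify(line):
    """Return (ip, helo, category) for a rejection line, or None for anything else."""
    if "rejected" not in line:
        return None
    m = HOST_RE.search(line)
    if not m:
        return None
    hostpart = m.group("hostpart")
    hm = HELO_RE.search(hostpart)
    helo = hm.group(1) if hm else hostpart.strip()
    for needle, category in RULES:
        if needle in line:
            return m.group("ip"), helo, category
    return m.group("ip"), helo, "other"


def analyze(log_text):
    """Tally rejection categories per IP and count how often each HELO name appears."""
    per_ip = defaultdict(Counter)
    helo_counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        ip, helo, category = hit
        per_ip[ip][category] += 1
        helo_counts[helo] += 1
    return {"per_ip": dict(per_ip), "helo_counts": helo_counts}


def local_blocklist(stats, min_hits=3):
    """IPs with at least min_hits rejections: candidates for a local blocklist (threshold assumed)."""
    return sorted(ip for ip, c in stats["per_ip"].items() if sum(c.values()) >= min_hits)


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    print("distinct rejected IPs:", len(stats["per_ip"]), " distinct HELO names:", len(stats["helo_counts"]))
    for ip, counts in sorted(stats["per_ip"].items()):
        print(ip, dict(counts))
    print("blocklist candidates:", local_blocklist(stats))
```

On the sample, three rejected IPs share a single HELO name while the accepted delivery is ignored entirely; the ratio of distinct IPs to distinct HELO names is the quick check for a zombie sweep, and the threshold keeps one stray lookup failure from landing a legitimate host on the list.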