Re: [exim] UCEPROTECT Blacklists and why callouts are abusiv…

Author: Andrew - Supernews
To: exim users
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
>>>>> "W" == W B Hacker <wbh@???> writes:

>> That 99.99% peak figure was reached here during a period of a few
>> hours during which we received more than _10 million_ connection
>> attempts caused by blowback of all forms, at a domain used only by
>> a handful of staff which normally gets a few thousand per day.

W> Am I misreading something, or did you just indicate that a
W> (hopefully rare!) defect in one of your *own* hosting servers
W> cause *your own* MX the grief?

Where on earth did you get that idea?

The scenario is this:

1) Some spammer (not anywhere near our network) sends out hundreds of
millions of spams using random forged addresses at our domain as the
envelope sender. These are all sent using the usual compromised
enduser hosts. (I've seen indications that some spammers do this
routinely, picking a different domain every week or so.)

2) These spams go to millions of mail servers around the world.

3) A large fraction of those servers then immediately try and
connect to _our_ MX in order to do one of three things:

a) send a bounce (everyone agrees this is bad)
b) send a challenge
c) do a sender verify callout

All of those things look the same to us. (HELO whatever; MAIL FROM:<>;
RCPT TO:<randomstuff@ourdomain>)

Result: we end up receiving 300+ SMTP connections per sec, from
millions of different IPs all of which are actually mailservers.
Blocking by IP is no help (something like 50% of the traffic last time
was from IPs that made only _one_ connection during the extent of the
attack). There is nothing else to block on since the connections are
not otherwise distinguishable from real traffic.

--
Andrew, Supernews
http://www.supernews.com
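The scenario Andrew describes (null-sender envelopes to random local parts at the victim domain, spread over a huge number of IPs that mostly connect once) can be measured from a log of envelope attempts. The script below is an added example, not code from the thread or from Exim: it labels each attempt as blowback, a legitimate null-sender transaction, or ordinary mail, and then computes how much of the blowback a block-after-first-hit IP list could have stopped, which is the point of the 50% single-connection figure above. The one-line-per-transaction log format, the domain `example.org`, the mailbox directory and the sample lines are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed values for the example, not from the original post.
OUR_DOMAIN = "example.org"
KNOWN_LOCAL_PARTS = {"alice", "bob", "postmaster"}

# Constructed, simplified log format (not Exim's real log format):
#   <timestamp-seconds> <client-ip> MAIL:<sender> RCPT:<recipient>
_LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ip>\S+)\s+"
    r"MAIL:<(?P<mail>[^>]*)>\s+RCPT:<(?P<rcpt>[^>]*)>$"
)

SAMPLE_LOG = """\
1000.0 198.51.100.7 MAIL:<> RCPT:<qz81k@example.org>
1000.1 203.0.113.9 MAIL:<> RCPT:<x7pd@example.org>
1000.2 198.51.100.7 MAIL:<> RCPT:<nn3@example.org>
1000.3 192.0.2.44 MAIL:<carol@example.net> RCPT:<alice@example.org>
1000.4 203.0.113.10 MAIL:<> RCPT:<h1@example.org>
1000.5 203.0.113.11 MAIL:<> RCPT:<bob@example.org>
1000.6 198.51.100.7 MAIL:<> RCPT:<ab9@example.org>
1000.7 203.0.113.12 MAIL:<> RCPT:<z@example.org>
1001.0 203.0.113.13 MAIL:<> RCPT:<r55@example.org>
1001.2 192.0.2.45 MAIL:<dave@example.net> RCPT:<postmaster@example.org>
"""


@dataclass(frozen=True)
class Envelope:
    ts: float
    ip: str
    mail_from: str  # empty string represents the null sender <>
    rcpt_to: str


def parse_line(line: str) -> Envelope:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Envelope(float(m["ts"]), m["ip"], m["mail"], m["rcpt"])


def classify(env: Envelope) -> str:
    """Label one envelope attempt.

    'blowback'    null sender to a local part that does not exist here: a bounce,
                  challenge or sender-verify callout triggered by forged mail.
                  All three look identical on the wire (MAIL FROM:<> / RCPT TO:<x@us>).
    'null_known'  null sender to a real mailbox: a DSN or callout for mail one of
                  our users actually sent, which must keep working.
    'normal'      anything with a non-null sender, or not addressed to our domain.
    """
    if env.mail_from != "":
        return "normal"
    local, _, domain = env.rcpt_to.rpartition("@")
    if domain.lower() != OUR_DOMAIN:
        return "normal"
    return "null_known" if local.lower() in KNOWN_LOCAL_PARTS else "blowback"


def summarize(log_text: str) -> dict:
    """Aggregate a log window: volume, rate, and what per-IP blocking could stop."""
    envs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    labels = Counter(classify(e) for e in envs)
    blow = [e for e in envs if classify(e) == "blowback"]
    per_ip = Counter(e.ip for e in blow)

    # Observation window is the span of all attempts, not just blowback ones.
    span = (max((e.ts for e in envs), default=0.0)
            - min((e.ts for e in envs), default=0.0))
    n = len(blow)
    distinct = len(per_ip)
    single = sum(1 for c in per_ip.values() if c == 1)
    # A block added after an IP's first hit only stops that IP's later hits,
    # so every connection from a once-seen IP is unpreventable by IP blocking.
    preventable = n - distinct

    return {
        "total": len(envs),
        "blowback": n,
        "null_known": labels["null_known"],
        "normal": labels["normal"],
        "blowback_per_sec": n / span if span > 0 else float(n),
        "distinct_blowback_ips": distinct,
        "single_hit_ip_fraction": single / distinct if distinct else 0.0,
        "preventable_by_ip_block": preventable / n if n else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>26}: {value}")
```

Run as-is it reports 7 blowback attempts from 5 distinct IPs, 4 of which connected exactly once, so a block-after-first-hit list would have prevented only 2 of the 7 connections. The `null_known` bucket is the reason a blanket rejection of `MAIL FROM:<>` is not an option: it would also drop genuine bounces and callouts for mail the domain's own users sent.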