Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
Andrew - Supernews wrote:
>>>>>>"W" == W B Hacker <wbh@???> writes:
>
>
> >> That 99.99% peak figure was reached here during a period of a few
> >> hours during which we received more than _10 million_ connection
> >> attempts caused by blowback of all forms, at a domain used only by
> >> a handful of staff which normally gets a few thousand per day.
>
> W> Am I misreading something, or did you just indicate that a
> W> (hopefully rare!) defect in one of your *own* hosting servers
> W> caused *your own* MX the grief?
>
> Where on earth did you get that idea?
From the paragraph above - w/r 'broken forms...' et al.
>
> The scenario is this:
>
> 1) Some spammer (not anywhere near our network) sends out hundreds of
> millions of spams using random forged addresses at our domain as the
> envelope sender.
OK. Story changes (again?)
C'mon! I may have been born at *night*, but it wasn't *last* night.
*snip*
> Result: we end up receiving 300+ SMTP connections per sec, from
> millions of different IPs all of which are actually mailservers.
> Blocking by IP is no help (something like 50% of the traffic last time
> was from IPs that made only _one_ connection during the extent of the
> attack). There is nothing else to block on since the connections are
> not otherwise distinguishable from real traffic.
>
300+ /sec, yet 50% of the traffic was on ONE connection?
Dunno if it is your arithmetic, veracity, or understanding of how to configure
an MTA that is lacking - perhaps all of the above.