Hi
does this mean I am not welcome any more?
no problem
you can remove my address
Hill
----- Original Message -----
From: "Martin Sellner" <rwsellner@???>
To: "Hill Ruyter" <hill@???>
Sent: Friday, October 20, 2006 9:52 PM
Subject: remove my address
>
>
> --- Hill Ruyter <hill@???> wrote:
>
>> Hi
>>
>> I will just throw in a non-SMTP solution here
>>
>> If you treat this sudden peak in traffic hitting
>> your servers as a DDOS to
>> your infrastructure then the best place to stop it
>> is at the ingress to your
>> network. So you have the firewall do one or more of
>> a number of things
>>
>> Limit the number of concurrent SMTP sessions fro
>> anywhere to your mail
>> servers
>> Limit the number of new SMTP sessions per second
>> Limit the number of SMTP sessions from a single IP
>> Limit the amount of bandwidth SMTP can consume on
>> the network
>>
>> Yes I know that this will be indiscriminate. It will
>> drop a large proportion
>> of legitimate mail
>> However as you said many of the spam servers only
>> make a single connection
>> then go away and you can rest assured that if some
>> legitimate mail was
>> blocked by the firewall it will be re-sent and
>> arrive in due course if not
>> immediately upon initial transmission
>>
>> It seems to me that the problem you described is not
>> about resources used by
>> the particular purpose of the connection made to
>> your servers but rather
>> the sheer volume of connections so in fact the
>> reason for your servers
>> failing was not as much the processing overhead in
>> dealing with the messages
>> but rather the swamped I/O of the servers/OS
>>
>>
>> What I suggest from a purely agnostic point of view
>> having read the
>> arguments is that you guys get together and do a
>> little test
>> One guy sets up a server and all the others first
>> hit it with bounces and
>> then hit it with callouts and the results of the
>> resource statistics are
>> published for comment. Otherwise I see this argument
>> going round in circles
>> until we all figure out that so much time has passed
>> something not yet
>> thought of has completely replaced SMTP
>>
>> Yours
>> Hill Ruyter
>>
>> ----- Original Message -----
>> From: "Andrew - Supernews" <andrew@???>
>> To: "exim users" <exim-users@???>
>> Sent: Wednesday, October 18, 2006 3:14 PM
>> Subject: Re: [exim] UCEPROTECT Blacklists and why
>> callouts are abusive
>>
>>
>> >>>>>> "W" == W B Hacker <wbh@???> writes:
>> >
>> > >> That 99.99% peak figure was reached here during
>> a period of a few
>> > >> hours during which we received more than _10
>> million_ connection
>> > >> attempts caused by blowback of all forms, at a
>> domain used only by
>> > >> a handful of staff which normally gets a few
>> thousand per day.
>> >
>> > W> Am I misreading something, or did you just
>> indicate that a
>> > W> (hopefully rare!) defect in one of your *own*
>> hosting servers
>> > W> cause *your own* MX the grief?
>> >
>> > Where on earth did you get that idea?
>> >
>> > The scenario is this:
>> >
>> > 1) Some spammer (not anywhere near our network)
>> sends out hundreds of
>> > millions of spams using random forged addresses at
>> our domain as the
>> > envelope sender. These are all sent using the
>> usual compromised
>> > enduser hosts. (I've seen indications that some
>> spammers do this
>> > routinely, picking a different domain every week
>> or so.)
>> >
>> > 2) These spams go to millions of mail servers
>> around the world.
>> >
>> > 3) A large fraction of those servers then
>> immediately try and
>> > connect to _our_ MX in order to do one of three
>> things:
>> >
>> > a) send a bounce (everyone agrees this is bad)
>> > b) send a challenge
>> > c) do a sender verify callout
>> >
>> > All of those things look the same to us. (HELO
>> whatever; MAIL FROM:<>;
>> > RCPT TO:<randomstuff@ourdomain>)
>> >
>> > Result: we end up receiving 300+ SMTP connections
>> per sec, from
>> > millions of different IPs all of which are
>> actually mailservers.
>> > Blocking by IP is no help (something like 50% of
>> the traffic last time
>> > was from IPs that made only _one_ connection
>> during the extent of the
>> > attack). There is nothing else to block on since
>> the connections are
>> > not otherwise distinguishable from real traffic.
>> >
>> > --
>> > Andrew, Supernews
>> > http://www.supernews.com
>> >
>> >
>> > --
>> > ## List details at
>> http://www.exim.org/mailman/listinfo/exim-users
>> > ## Exim details at http://www.exim.org/
>> > ## Please use the Wiki with this list -
>> http://www.exim.org/eximwiki/
>> >
>>
>>
>> --
>> ## List details at
>> http://www.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list -
>> http://www.exim.org/eximwiki/
>>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
