Hill Ruyter wrote:
> Hi
>
> does this mean I am not welcome any more?
>
> no problem
> you can remove my address
>
>
> Hill
>
Got three of those 'direct' myself, and NOT to the address I post to *this* list
from, and I have no record of any prior correspondence with that address.
Some poor bloke working for a Parochial School in the US has apparently had his
WinWOES box infected.
Bill
>
> ----- Original Message -----
> From: "Martin Sellner" <rwsellner@???>
> To: "Hill Ruyter" <hill@???>
> Sent: Friday, October 20, 2006 9:52 PM
> Subject: remove my address
>
>
>
>>
>>--- Hill Ruyter <hill@???> wrote:
>>
>>
>>>Hi
>>>
>>>I will just throw in a non-SMTP solution here.
>>>
>>>If you treat this sudden peak in traffic hitting your servers as a DDOS to
>>>your infrastructure then the best place to stop it is at the ingress to your
>>>network. So you have the firewall do one or more of a number of things:
>>>
>>>Limit the number of concurrent SMTP sessions from anywhere to your mail
>>>servers
>>>Limit the number of new SMTP sessions per second
>>>Limit the number of SMTP sessions from a single IP
>>>Limit the amount of bandwidth SMTP can consume on the network
>>>
>>>Yes I know that this will be indiscriminate. It will drop a large proportion
>>>of legitimate mail. However, as you said, many of the spam servers only make
>>>a single connection then go away, and you can rest assured that if some
>>>legitimate mail was blocked by the firewall it will be re-sent and arrive in
>>>due course if not immediately upon initial transmission.
>>>
>>>It seems to me that the problem you described is not about resources used by
>>>the particular purpose of the connection made to your servers but rather
>>>the sheer volume of connections, so in fact the reason for your servers
>>>failing was not as much the processing overhead in dealing with the messages
>>>but rather the swamped I/O of the servers/OS.
>>>
>>>
>>>What I suggest from a purely agnostic point of view, having read the
>>>arguments, is that you guys get together and do a little test.
>>>One guy sets up a server and all the others first hit it with bounces and
>>>then hit it with callouts, and the results of the resource statistics are
>>>published for comment. Otherwise I see this argument going round in circles
>>>until we all figure out that so much time has passed something not yet
>>>thought of has completely replaced SMTP.
>>>
>>>Yours
>>>Hill Ruyter
>>>
>>>----- Original Message -----
>>>From: "Andrew - Supernews" <andrew@???>
>>>To: "exim users" <exim-users@???>
>>>Sent: Wednesday, October 18, 2006 3:14 PM
>>>Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
>>>
>>>
>>>
>>>>>>>>>"W" == W B Hacker <wbh@???> writes:
>>>>
>>>>>>That 99.99% peak figure was reached here during a period of a few
>>>>>>hours during which we received more than _10 million_ connection
>>>>>>attempts caused by blowback of all forms, at a domain used only by
>>>>>>a handful of staff which normally gets a few thousand per day.
>>>>
>>>>W> Am I misreading something, or did you just indicate that a
>>>>W> (hopefully rare!) defect in one of your *own* hosting servers
>>>>W> cause *your own* MX the grief?
>>>>
>>>>Where on earth did you get that idea?
>>>>
>>>>The scenario is this:
>>>>
>>>>1) Some spammer (not anywhere near our network) sends out hundreds of
>>>>millions of spams using random forged addresses at our domain as the
>>>>envelope sender. These are all sent using the usual compromised
>>>>enduser hosts. (I've seen indications that some spammers do this
>>>>routinely, picking a different domain every week or so.)
>>>>
>>>>2) These spams go to millions of mail servers around the world.
>>>>
>>>>3) A large fraction of those servers then immediately try and
>>>>connect to _our_ MX in order to do one of three things:
>>>>
>>>> a) send a bounce (everyone agrees this is bad)
>>>> b) send a challenge
>>>> c) do a sender verify callout
>>>>
>>>>All of those things look the same to us. (HELO whatever; MAIL FROM:<>;
>>>>RCPT TO:<randomstuff@ourdomain>)
>>>>
>>>>Result: we end up receiving 300+ SMTP connections per sec, from
>>>>millions of different IPs all of which are actually mailservers.
>>>>
>>>>Blocking by IP is no help (something like 50% of the traffic last time
>>>>was from IPs that made only _one_ connection during the extent of the
>>>>attack). There is nothing else to block on since the connections are
>>>>not otherwise distinguishable from real traffic.
>>>>
>>>>--
>>>>Andrew, Supernews
>>>>http://www.supernews.com
>>>>
>>>>
>>>>--
>>>>## List details at http://www.exim.org/mailman/listinfo/exim-users
>>>>## Exim details at http://www.exim.org/
>>>>## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>>>
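Added example, not from the thread and not Exim code: a small Python replay of the firewall limits Hill lists above against traffic shaped like Andrew's figures, 300 blowback connections a second with half of them from addresses that connect exactly once. The trace itself, the 10.0.0.0/8 source addresses, the 150 repeat hosts and the two-per-second trickle of legitimate mail are constructed assumptions. It shows why a cap on sessions per source IP barely dents the flood while a cap on new sessions per second does, at the price Hill warns about: whatever arrives after the window fills, legitimate or not, is refused and has to be retried.

```python
"""Replay two firewall-side limits against constructed blowback traffic.

Added example; the traffic and addresses are made up to match the figures
quoted in the thread (300+ connections/sec, ~50% from one-shot IPs).
"""
from collections import defaultdict

ATTACK_SECONDS = 10
BLOWBACK_PER_SEC = 300   # Andrew's figure: 300+ SMTP connections per second
LEGIT_PER_SEC = 2        # assumption: a small domain's trickle of real mail


def build_traffic():
    """Return (time, src_ip, kind) tuples sorted by arrival time. Constructed.

    Half of the blowback comes from addresses that connect exactly once
    (Andrew's 50% figure); the other half from 150 hosts that each reconnect
    once per second. Legitimate mail arrives from one host, mid-second.
    """
    conns = []
    one_shot = 0
    for sec in range(ATTACK_SECONDS):
        for k in range(BLOWBACK_PER_SEC):
            t = sec + k / BLOWBACK_PER_SEC
            if k % 2 == 0:
                ip = f"10.0.{one_shot // 256}.{one_shot % 256}"  # seen once, ever
                one_shot += 1
            else:
                ip = f"10.1.0.{k // 2}"                         # 150 repeat hosts
            conns.append((t, ip, "blowback"))
        for k in range(LEGIT_PER_SEC):
            conns.append((sec + (k + 0.5) / LEGIT_PER_SEC, "10.2.0.10", "legit"))
    conns.sort()
    return conns


def limit_per_ip(conns, max_sessions):
    """Rule 'at most N SMTP sessions from a single IP' over the whole attack."""
    seen = defaultdict(int)
    kept = []
    for conn in conns:
        seen[conn[1]] += 1
        if seen[conn[1]] <= max_sessions:
            kept.append(conn)
    return kept


def limit_new_per_second(conns, max_new):
    """Rule 'at most N new SMTP sessions per second', fixed one-second windows."""
    window = defaultdict(int)
    kept = []
    for conn in conns:
        sec = int(conn[0])
        window[sec] += 1
        if window[sec] <= max_new:
            kept.append(conn)
    return kept


def tally(conns):
    """Accepted connections by kind, plus the number of distinct source IPs."""
    by_kind = defaultdict(int)
    for _, _, kind in conns:
        by_kind[kind] += 1
    return {"blowback": by_kind["blowback"], "legit": by_kind["legit"],
            "ips": len({ip for _, ip, _ in conns})}


def compare(max_per_ip=5, max_new_per_sec=20):
    """Offer the same trace to both rules and return the three tallies."""
    traffic = build_traffic()
    return {
        "offered": tally(traffic),
        "per_ip": tally(limit_per_ip(traffic, max_per_ip)),
        "per_second": tally(limit_new_per_second(traffic, max_new_per_sec)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:>10}: {stats}")
```

With the defaults the trace offers 3000 blowback and 20 legitimate connections from 1651 addresses. The per-IP cap of 5 still admits 2250 of the blowback connections, because the 1500 one-shot hosts never reach any per-source threshold; that is Andrew's point. The 20-per-second cap admits 200 blowback connections in total and, in this trace, none of the legitimate ones, since each second's window has already filled 67 ms in; that is Hill's "indiscriminate", with his answer that a real sender will retry. The two rules correspond to the connlimit and hashlimit matches in iptables, or to Exim's own smtp_accept_max_per_host and smtp_accept_max, but nothing here is taken from either.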