[exim] Problems mitigating joe job

Author: Ryan Thompson
Date:  
To: exim-users
Subject: [exim] Problems mitigating joe job
Hi all,

One of my email domains has recently been the (repeat) victim of a fairly
large-scale joe job. I am seeing thousands of back-scatter bounces for
addresses like fox1@???, fox2@???, etc. However, when this
attacker sends out one of their batches, it is enough to run my lightly
loaded 1GB server out of swap within 3-4 minutes. (At which point I need
remote hands to do a hard boot, because ssh, login, etc. have been killed by
the kernel).

So, there are three problems:

1. Root problem -- the joe job -- Not much to be done about this.

2. Exim accepting bounces for nonexistent addresses -- at the very least I
would like to drop or auto-respond to anything for fox*@???

3. Exim memory performance -- I have set the following in exim.conf to
attempt to throttle the queue processing:

queue_run_max = 5
remote_max_parallel = 1
queue_smtp_domains = 1

Unfortunately, these do not seem to have had an effect.

As a stop-gap, I made a cron job that runs once a minute and stops exim if
the load average goes above 15, and then restarts it after the load drops.
It's not pretty, but it keeps the server alive.

What is the best way to handle this? General or specific answers gratefully
accepted!

Ryan
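
Added example, not part of the original post: a log triage script that measures the back-scatter described above by counting null-sender (bounce) arrivals addressed to unknown local parts, grouped by pattern and by minute. It assumes Exim's main log with `log_selector = +received_recipients` so arrival lines list recipients; the sample lines, the example.org domain and the `known_users` set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed mainlog lines; example.org stands in for the redacted domain.
SAMPLE_LOG = """\
2024-05-01 03:10:01 1s1AbC-0001Xy-2B <= <> H=mx1.remote.example [192.0.2.10] P=esmtp S=3211 for fox1@example.org
2024-05-01 03:10:01 1s1AbD-0001Xz-3C <= <> H=mx2.remote.example [192.0.2.11] P=esmtp S=2980 for fox2@example.org
2024-05-01 03:10:02 1s1AbE-0001Y0-4D <= alice@remote.example H=mail.remote.example [192.0.2.20] P=esmtps S=1500 for ryan@example.org
2024-05-01 03:11:03 1s1AbF-0001Y1-5E <= <> H=mx3.remote.example [192.0.2.12] P=esmtp S=4100 for fox17@example.org
2024-05-01 03:11:04 1s1AbG-0001Y2-6F <= <> H=mx1.remote.example [192.0.2.10] P=esmtp S=900 for ryan@example.org
2024-05-01 03:11:05 1s1AbG-0001Y2-6F => ryan <ryan@example.org> R=localuser T=local_delivery
"""

# Arrival line: "<date> <time> <msgid> <= <sender> ... for <recipients>"
ARRIVAL = re.compile(r"^(\S+ \S+) \S+ <= (\S+) .*? for (.+)$")

def triage(log_text, known_users):
    """Count null-sender (bounce) arrivals addressed to unknown local parts.

    Returns (by_pattern, by_minute). Trailing digits in the local part are
    collapsed to '*', so fox1, fox2, ... are reported as one pattern.
    """
    by_pattern, by_minute = Counter(), Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m.group(2) != "<>":   # bounces are logged with sender <>
            continue
        stamp, _, rcpts = m.groups()
        for rcpt in rcpts.split():
            local, _, domain = rcpt.lower().partition("@")
            if local in known_users:
                continue                  # bounce to a real mailbox: not counted
            by_pattern[re.sub(r"\d+$", "*", local) + "@" + domain] += 1
            by_minute[stamp[:16]] += 1    # bucket by YYYY-MM-DD HH:MM
    return by_pattern, by_minute

if __name__ == "__main__":
    patterns, minutes = triage(SAMPLE_LOG, known_users={"ryan"})
    for name, n in patterns.most_common():
        print(f"{n:6d}  {name}")
    for minute, n in sorted(minutes.items()):
        print(f"{minute}  {n} unwanted bounces")
```

The per-pattern counts show which recipient patterns are worth refusing at RCPT time, and the per-minute counts show how large each batch is when it arrives.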