Author: Matt Date: To: Exim Mailing List Subject: Re: [exim] Problems mitigating joe job
> One of my email domains has recently been the (repeat) victim of a fairly
> large-scale joe job. I am seeing thousands of back-scatter bounces for
> addresses like fox1@???, fox2@???, etc. However, when this
> attacker sends out one of their batches, it is enough to run my lightly
> loaded 1GB server out of swap within 3-4 minutes. (At which point I need
> remote hands to do a hard boot, because ssh, login, etc. have been killed by
> the kernel).
Do you have SPF records set up? Will make it less likely to joe job
you if most of their messages will go to a spam folder. Every little bit
helps.
Matt
> So, there are three problems:
>
> 1. Root problem -- the joe job -- Not much to be done about this.
>
> 2. Exim accepting bounces for nonexistent addresses--at the very least would
> like to drop or auto-respond to anything for fox*@???
>
> 3. Exim memory performance -- I have set the following in exim.conf to
> attempt to throttle the queue processing:
>
> queue_run_max = 5
> remote_max_parallel = 1
> queue_smtp_domains = 1
>
> Unfortunately, these do not seem to have had an effect.
>
> As a stop-gap, I made a cron job that runs once a minute and stops exim if
> the load average goes above 15, and then restarts it after the load drops.
> It's not pretty, but it keeps the server alive.
>
> What is the best way to handle this? General or specific answers gratefully
> accepted!
>
> Ryan
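
For problem 2 in the quoted message, one way to refuse the back-scatter during the SMTP dialogue instead of accepting and queueing it, as an added example that is not part of the original thread and not written by either poster. It assumes an Exim 4 configuration whose RCPT ACL is named acl_check_rcpt and which defines the stock local_domains list; example.org is a placeholder for the domain elided as "???", and joejob_domains is a hypothetical list name.

```exim
# --- main configuration section ---
# Placeholder: replace example.org with the domain being forged.
domainlist joejob_domains = example.org

# --- ACL section: put these statements at the top of the RCPT ACL,
# --- before any "accept" that would let the message through ---
acl_check_rcpt:

  # Bounces arrive with a null envelope sender ("senders = :").
  # Refuse them when addressed to the forged fox<digits> local parts.
  # \N ... \N stops Exim expanding the backslash and dollar in the regex.
  deny    senders     = :
          domains     = +joejob_domains
          local_parts = \N^fox\d+$\N
          message     = No such user here

  # General case: refuse any local recipient that no router can deliver,
  # so bounces to other invented addresses are also rejected at RCPT time.
  deny    domains     = +local_domains
          !verify     = recipient
          message     = Unknown user
```

Rejecting at RCPT time means the message body is never received and nothing is queued for these recipients, which also reduces the load described in problem 3.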