Re: [exim] Problems mitigating joe job

Author: Daniel Collis-Puro
Date:  
To: Ryan Thompson
CC: exim-users
Subject: Re: [exim] Problems mitigating joe job
Ryan Thompson wrote:
> Hi all,
>
> One of my email domains has recently been the (repeat) victim of a fairly
> large-scale joe job. I am seeing thousands of back-scatter bounces for
> addresses like fox1@???, fox2@???, etc. However, when this
> attacker sends out one of their batches, it is enough to run my lightly
> loaded 1GB server out of swap within 3-4 minutes. (At which point I need
> remote hands to do a hard boot, because ssh, login, etc. have been killed by
> the kernel).
>
> So, there are three problems:
>
> 1. Root problem -- the joe job -- Not much to be done about this.
>
> 2. Exim accepting bounces for nonexistent addresses--at the very least would
> like to drop or auto-respond to anything for fox*@???
>


Can you implement recipient verification? No sense in accepting mail you
can't route.

I'll probably get crap for this, but I have anti-joe job ACLs in place
that temp reject mail from hosts that send to too many invalid
recipients in 30 minutes. I'm relying on legitimate senders not being
backscatter sources, I know, but temp rejecting and list cleaning via a
cron job has made this really effective for us. It absolutely requires
recipient verification.

--DJCP

--
-**---****-----******-------********---------**********
Daniel Collis-Puro
Software Engineer
End Point Corp.
dan@???
(office) 781-477-0885
**********---------********-------******-----****---**-
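
One way the cron-built list described in the reply above could be produced, as an added example that is not code from the message or from Exim. The log line shape, the THRESHOLD value, the function names and the sample addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # the 30-minute window from the message above
THRESHOLD = 3                   # assumed limit; the message gives no number

# Assumed main-log shape of a failed recipient verification. The host address
# is taken only from the bracket Exim writes after the optional rDNS name and
# "(HELO)" fields, so an address literal in a forged HELO is never counted.
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?:[^\s(]\S* )?(?:\(\S*\) )?"
    r"\[([0-9A-Fa-f.:]+)\](?::\d+)? .*rejected RCPT <")

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2024-05-01 09:40:00 H=(bulk) [192.0.2.10] F=<> rejected RCPT <fox0@example.org>: Unrouteable address
2024-05-01 10:05:00 H=(bulk) [192.0.2.10] F=<> rejected RCPT <fox1@example.org>: Unrouteable address
2024-05-01 10:05:01 H=(bulk) [192.0.2.10] F=<> rejected RCPT <fox2@example.org>: Unrouteable address
2024-05-01 10:05:02 H=([203.0.113.9]) [192.0.2.10] F=<> rejected RCPT <fox3@example.org>: Unrouteable address
2024-05-01 10:05:03 H=(bulk) [192.0.2.10] F=<> rejected RCPT <fox4@example.org>: Unrouteable address
2024-05-01 10:10:00 H=mx.example.net [198.51.100.20] F=<a@example.net> rejected RCPT <typo@example.org>: Unrouteable address
2024-05-01 10:11:00 1s2AbC-0001xY-2Z <= a@example.net H=mx.example.net [198.51.100.20] P=esmtp S=2048
""".splitlines()

def offenders(lines, now, window=WINDOW, threshold=THRESHOLD):
    """Hosts with more than `threshold` rejected RCPTs in the window ending at `now`."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # deliveries and other log lines are ignored
        seen = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - window < seen <= now:
            counts[m.group(2)] += 1
    return {host: n for host, n in counts.items() if n > threshold}

def hostlist(lines, now):
    """One address per line, for a file that an ACL host list reads (assumed setup)."""
    return "".join(f"{host}\n" for host in sorted(offenders(lines, now)))

if __name__ == "__main__":
    # Rebuilding the list on every cron run is what drops hosts that have gone quiet.
    print(hostlist(SAMPLE_LOG, datetime(2024, 5, 1, 10, 30)), end="")
```

The host with a single mistyped recipient stays off the list, and the listed host falls off once its rejections age out of the window.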