Author: Ryan Thompson
Date:
To: exim-users
Subject: Re: [exim] Problems mitigating joe job
To David, Matthew, Adrian, Phil, and Daniel, many thanks for the extremely
helpful responses. I have implemented the suggestions that seemed to fit
most closely, and the system ran without interruption all weekend, despite a
couple more batches of backscatter from the joe-jobber.
Thanks again,
- R
On Thu, Sep 18, 2008 at 11:17 AM, Ryan Thompson <skcoyote@???> wrote:
> Hi all,
>
> One of my email domains has recently been the (repeat) victim of a fairly
> large-scale joe job. I am seeing thousands of back-scatter bounces for
> addresses like fox1@???, fox2@???, etc. However, when this
> attacker sends out one of their batches, it is enough to run my lightly
> loaded 1GB server out of swap within 3-4 minutes. (At which point I need
> remote hands to do a hard boot, because ssh, login, etc. have been killed by
> the kernel).
>
> So, there are three problems:
>
> 1. Root problem -- the joe job -- Not much to be done about this.
>
> 2. Exim accepting bounces for nonexistent addresses--at the very least
> would like to drop or auto-respond to anything for fox*@???
>
> 3. Exim memory performance -- I have set the following in exim.conf to
> attempt to throttle the queue processing:
>
> queue_run_max = 5
> remote_max_parallel = 1
> queue_smtp_domains = 1
>
> Unfortunately, these do not seem to have had an effect.
>
> As a stop-gap, I made a cron job that runs once a minute and stops exim if
> the load average goes above 15, and then restarts it after the load drops.
> It's not pretty, but it keeps the server alive.
>
> What is the best way to handle this? General or specific answers gratefully
> accepted!
>
> Ryan
>
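
The load-average stop-gap described in the original message, sketched as an added example (this is not the poster's actual cron job, which the thread does not show). It stops the MTA above the load of 15 mentioned in the post and restarts it only if the watchdog itself paused it. The low-water mark of 5, the state-file path, the `LOADAVG_FILE` override and the `service exim ...` commands are assumptions.

```shell
#!/bin/sh
# Added example: load-average watchdog with hysteresis, meant for a
# once-a-minute cron entry (hypothetical path):
#   * * * * * /usr/local/sbin/exim-watchdog.sh run
# Assumed values, not from the thread: LOW, STATE, STOP_CMD, START_CMD.

HIGH=${HIGH:-15}                               # stop threshold (figure from the post)
LOW=${LOW:-5}                                  # restart threshold (assumed)
STATE=${STATE:-/var/run/exim-watchdog.paused}  # marks "we stopped it"
STOP_CMD=${STOP_CMD:-"service exim stop"}      # adjust to the local init system
START_CMD=${START_CMD:-"service exim start"}

# decide LOAD PAUSED -> prints stop | start | none
# Load averages are fractional, so the comparison is done in awk.
decide() {
    awk -v l="$1" -v p="$2" -v hi="$HIGH" -v lo="$LOW" 'BEGIN {
        if (p == 0 && l + 0 > hi + 0)      print "stop"
        else if (p == 1 && l + 0 < lo + 0) print "start"
        else                               print "none"
    }'
}

watchdog() {
    # First field of /proc/loadavg is the 1-minute load average (Linux).
    load=$(cut -d' ' -f1 "${LOADAVG_FILE:-/proc/loadavg}") || return 1
    paused=0
    [ -e "$STATE" ] && paused=1
    case $(decide "$load" "$paused") in
        # Record the pause only if the stop succeeded, so a later run
        # never restarts a daemon that an administrator stopped by hand.
        stop)  $STOP_CMD && : > "$STATE" ;;
        start) $START_CMD && rm -f "$STATE" ;;
    esac
}

# Act only when invoked with "run", so the file can be sourced safely.
if [ "${1:-}" = run ]; then
    watchdog
fi
```

The gap between the two thresholds keeps the daemon from flapping while the load hovers around a single cut-off.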