From: Ralf Hildebrandt on
* brian <postfix-list(a)logi.ca>:
> On 10-05-26 03:31 PM, Matt Hayes wrote:
> >
> >I wonder if using something like postscreen from the 2.8-snapshots would
> >help to curtail some of the resource usage.
> >
>
> Thanks, I'll check it out. However, I'd feel more optimistic about it
> if it was named prescreen ;-)

It's postfix, not prefix.
But then -- postscreen is using an RBL...

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de


From: Ralf Hildebrandt on
* "Jan-Kaspar Münnich" <lists(a)jan-muennich.de>:

> In general RBLs work fine against these dictionary attacks. But in this
> special case where not one address exists at the targeted domain, I
> doubt that RBLs would decrease server load, since that would add one
> more DNS lookup. I wouldn't see a big problem there, even thousands of
> 554s normally don't stress Postfix too much.

* One could also turn off postfix.
* Or disable smtpd
* Or (if there's a spare IP) point the mx to the spare IP and run
smtp-sink there!

--
Ralf Hildebrandt


From: Wietse Venema on
Jan-Kaspar Münnich:
> On 26.05.2010, at 21:01, Matt Hayes wrote:
>
> >> Is there
> >> something more I can do to mitigate the stress on the server?
> >
> > You could look into using RBLs such as spamhaus etc.
>
> In general RBLs work fine against these dictionary attacks. But
> in this special case where not one address exists at the targeted
> domain, I doubt that RBLs would decrease server load, since that
> would add one more DNS lookup. I wouldn't see a big problem there,
> even thousands of 554s normally don't stress Postfix too much.

With postscreen (Postfix 2.8) RBL lookup happens before SMTPD
so it takes away system load.

Wietse

From: Matt Hayes on
On 5/26/2010 4:21 PM, Ralf Hildebrandt wrote:
> * brian <postfix-list(a)logi.ca>:
>> On 10-05-26 03:31 PM, Matt Hayes wrote:
>>>
>>> I wonder if using something like postscreen from the 2.8-snapshots would
>>> help to curtail some of the resource usage.
>>>
>>
>> Thanks, I'll check it out. However, I'd feel more optimistic about it
>> if it was named prescreen ;-)
>
> It's postfix, not prefix.
> But then -- postscreen is using an RBL...
>

postscreen doesn't require you to use RBLs during its checks, however,
you have the ability to do so. The nice thing about doing RBL checks in
postscreen is it stops connections from getting to the SMTPD, thus
reducing system load.

-matt
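
Added example, not part of the thread: a configuration sketch of the arrangement Wietse and Matt describe, with postscreen doing the DNSBL lookup in front of smtpd. Service and parameter names are those of the released Postfix 2.8 (the 2.8 snapshots discussed here may differ); the /etc/postfix paths, the DNSBL weight and the threshold are assumed, illustrative values.

```conf
# /etc/postfix/master.cf  (path assumed)
#
# Before: every connection on port 25 is served by its own smtpd process,
# so a dictionary attack ties up smtpd processes even when every
# recipient is rejected.
#smtp      inet  n       -       n       -       -       smtpd
#
# After: one postscreen process owns port 25. Only clients that pass its
# tests are handed to smtpd through the "pass" service below.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
# dnsblog performs the DNSBL lookups on behalf of postscreen.
dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy is needed only if postscreen should offer STARTTLS.
tlsproxy  unix  -       -       n       -       0       tlsproxy

# /etc/postfix/main.cf  (path assumed)
#
# DNSBL test. Optional: with postscreen_dnsbl_sites left empty, postscreen
# still runs its other tests. The "*2" weight and the threshold of 2 are
# illustrative; a client is flagged once its summed weight reaches the
# threshold.
postscreen_dnsbl_sites = zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
# ignore  (default) log the result, let the client through to smtpd
# enforce reject with 550 and log helo/sender/recipient
# drop    disconnect immediately with 521
postscreen_dnsbl_action = enforce
#
# Pregreet test: flags clients that talk before the server greeting.
# Independent of the DNSBL test above.
postscreen_greet_action = enforce
```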

From: Ralf Hildebrandt on
* Matt Hayes <dominian(a)slackadelic.com>:

> postscreen doesn't require you to use RBLs during its checks,

Ah yes, the earlytalking and all.

> however, you have the ability to do so. The nice thing about doing RBL
> checks in postscreen is it stops connections from getting to the SMTPD,
> thus reducing system load.

That's how I'm using it here. It's amazing :)

--
Ralf Hildebrandt