From: brian on 26 May 2010 14:53

I've a hunch that the following problem is not something that can be configured away through postfix but, as I'm well aware that my config-fu is not the strongest, I'd like any advice the more experienced among you might have. I'm sure this isn't a rare problem.

I recently began supporting the website for a small organisation. One change I suggested was to utilise a .org domain rather than .com (not due to any trouble but simply because they're a non-commercial organisation). The old domain points to this new server in order to redirect web traffic. AFAIK, there were never any email addresses used under the old domain. But, now I've set up postfix, I'm seeing thousands of failed attempts to send to various fictitious DOMAIN.com addresses. These are properly being blocked 554/relay access denied.

I've installed fail2ban, which seems to help. However, I'm still seeing several attempts a second as the sender IP is changed. Is there something more I can do to mitigate the stress on the server?

FWIW, aside from aliases for the usual postmaster, abuse, and webmaster addresses, this domain has just 2 actual addresses to be maintained. So, might a whitelist approach be the way to go? Or, is this something I should leave to iptables/fail2ban?

myhostname = demeter.DOMAIN.org
mydomain = DOMAIN.org
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
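Before deciding between Postfix restrictions and iptables/fail2ban it helps to measure what the log actually shows: how many rejects, from how many distinct clients, for which domain, and at what peak rate. The script below is an added example, not code from the thread; it parses the NOQUEUE reject lines Postfix's smtpd writes, tallies them, and lists client IPs that cross a threshold, which is essentially what a fail2ban filter does. The log lines, the hostnames and the RFC 5737 client addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format Postfix's smtpd writes for a rejected
# RCPT command (not taken from the thread); client IPs are RFC 5737 documentation
# addresses, and DOMAIN.com stands in for the organisation's old domain.
SAMPLE_LOG = """\
May 26 14:12:01 demeter postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <sales@DOMAIN.com>: Relay access denied; from=<bob@example.net> to=<sales@DOMAIN.com> proto=ESMTP helo=<mx.example.net>
May 26 14:12:01 demeter postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <info@DOMAIN.com>: Relay access denied; from=<bob@example.net> to=<info@DOMAIN.com> proto=ESMTP helo=<mx.example.net>
May 26 14:12:02 demeter postfix/smtpd[4312]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <admin@DOMAIN.com>: Relay access denied; from=<x@example.org> to=<admin@DOMAIN.com> proto=SMTP helo=<localhost>
May 26 14:12:02 demeter postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <jobs@DOMAIN.com>: Relay access denied; from=<bob@example.net> to=<jobs@DOMAIN.com> proto=ESMTP helo=<mx.example.net>
May 26 14:12:03 demeter postfix/smtpd[4313]: 1A2B3C4D5E: client=mail.example.com[192.0.2.10]
May 26 14:12:03 demeter postfix/smtpd[4314]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <webmaster@DOMAIN.com>: Relay access denied; from=<> to=<webmaster@DOMAIN.com> proto=ESMTP helo=<DOMAIN.com>
"""

# One regex for the reject line. The bracketed address is the connecting client,
# the only thing fail2ban or iptables can act on; the envelope sender is
# attacker-controlled and rotates freely.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);"
)


def parse_rejects(lines):
    """Return one dict per smtpd reject line; other log lines are ignored."""
    out = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rcpt_domain"] = rec["rcpt"].rpartition("@")[2].lower()
        out.append(rec)
    return out


def summarize(rejects):
    """Tallies answering 'who is hammering us, for which domain, and how fast'."""
    per_ip = Counter(r["ip"] for r in rejects)
    per_domain = Counter(r["rcpt_domain"] for r in rejects)
    per_reason = Counter((r["code"], r["reason"]) for r in rejects)
    per_second = Counter(r["ts"] for r in rejects)
    return {
        "total": len(rejects),
        "per_ip": per_ip,
        "per_domain": per_domain,
        "per_reason": per_reason,
        "peak_per_second": max(per_second.values(), default=0),
    }


def offenders(rejects, threshold):
    """Client IPs with at least `threshold` rejects, busiest first (fail2ban-style)."""
    per_ip = Counter(r["ip"] for r in rejects)
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG.splitlines())
    s = summarize(recs)
    print(f"{s['total']} rejects, peak {s['peak_per_second']}/s")
    for dom, n in s["per_domain"].most_common():
        print(f"  {n:5d} for domain {dom}")
    for ip in offenders(recs, threshold=3):
        print(f"  candidate for a firewall rule: {ip} ({s['per_ip'][ip]} rejects)")
```

Run it against `/var/log/mail.log` (feed the file to `parse_rejects`) rather than the embedded sample to get real numbers; the `per_reason` counter also separates 554 relay rejects from any 550 user-unknown rejects, which is useful once unknown local recipients are being refused as well.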
From: Matt Hayes on 26 May 2010 15:01

On 5/26/2010 2:53 PM, brian wrote:
> I've a hunch that the following problem is not something that can be
> configured away through postfix but, as I'm well aware that my config-fu
> is not the strongest, I'd like any advice the more experienced among you
> might have. I'm sure this isn't a rare problem.
>
> I recently began supporting the website for a small organisation. One
> change I suggested was to utilise a .org domain rather than .com (not
> due to any trouble but simply because they're a non-commercial
> organisation). The old domain points to this new server in order to
> redirect web traffic. AFAIK, there were never any email addresses used
> under the old domain. But, now I've set up postfix, I'm seeing thousands
> of failed attempts to send to various fictitious DOMAIN.com addresses.
> These are properly being blocked 554/relay access denied.
>
> I've installed fail2ban, which seems to help. However, I'm still seeing
> several attempts a second as the sender IP is changed. Is there
> something more I can do to mitigate the stress on the server?
>
> FWIW, aside from aliases for the usual postmaster, abuse, and webmaster
> addresses, this domain has just 2 actual addresses to be maintained. So,
> might a whitelist approach be the way to go? Or, is this something I
> should leave to iptables/fail2ban?
>
> myhostname = demeter.DOMAIN.org
> mydomain = DOMAIN.org
> myorigin = $mydomain
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

You could look into using RBLs such as spamhaus etc.

-Matt
From: Ralf Hildebrandt on 26 May 2010 15:03

* brian <postfix-list(a)logi.ca>:

> organisation). The old domain points to this new server in order to
> redirect web traffic. AFAIK, there were never any email addresses
> used under the old domain. But, now I've set up postfix, I'm seeing
> thousands of failed attempts to send to various fictitious DOMAIN.com
> addresses. These are properly being blocked 554/relay access denied.

Which domain is the old one, which is the new one?

> myhostname = demeter.DOMAIN.org
> mydomain = DOMAIN.org
> myorigin = $mydomain
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Shouldn't you use at least ONE RBL? E.g.:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de
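What `reject_rbl_client zen.spamhaus.org` does under the hood is a plain A-record lookup of the client's reversed address under the zone, and the answer's last octet says which list hit. The script below is an added example, not part of Ralf's post or of Postfix itself: it builds the query name (IPv4 and IPv6), interprets the answer, and, the part that matters operationally, refuses to treat Spamhaus's 127.255.255.x error answers as a listing. Those errors come back when the query goes through a public resolver or exceeds the free-use volume, and a check that rejects on "any A record" would then bounce every client; in Postfix the same guard is spelled `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` (the range form needs Postfix 2.8 or later). The return-code table is Spamhaus's published ZEN mapping as I know it and should be checked against current documentation; the DNS answers in `FAKE_DNS` are constructed so the example runs offline, apart from 127.0.0.2, which Spamhaus documents as a permanently listed test address.

```python
import ipaddress
import socket

# Zone from Ralf's suggestion. The return-code table is Spamhaus's published ZEN
# mapping as I know it; verify against current Spamhaus docs before relying on it.
ZEN_ZONE = "zen.spamhaus.org"
ZEN_LISTED = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL (DROP/EDROP)",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
# Spamhaus reports query problems as answers in 127.255.255.0/24. A naive
# "any A record means listed" check would then reject every client.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_query_name(client_ip, zone=ZEN_ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        rev = ".".join(reversed(str(ip).split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def classify(answers):
    """Interpret the A records returned for a DNSBL query.

    Returns (verdict, details) with verdict one of 'clean', 'listed', 'error',
    'unknown'. Only 'listed' justifies rejecting the client.
    """
    answers = list(answers)
    if not answers:
        return "clean", []
    errors = [ZEN_ERRORS[a] for a in answers if a in ZEN_ERRORS]
    if errors:
        return "error", errors
    hits = [ZEN_LISTED[a] for a in answers if a in ZEN_LISTED]
    if hits:
        return "listed", hits
    return "unknown", answers


def check_client(client_ip, resolve, zone=ZEN_ZONE):
    """Look up one connecting client; `resolve(name)` returns a list of A records."""
    return classify(resolve(dnsbl_query_name(client_ip, zone)))


def system_resolve(name):
    """Real lookup through the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers standing in for DNS so the example runs offline. 127.0.0.2 is
# the address Spamhaus documents as always listed for testing; the other two are
# made-up results for RFC 5737 documentation addresses.
FAKE_DNS = {
    dnsbl_query_name("127.0.0.2"): ["127.0.0.2"],
    dnsbl_query_name("203.0.113.5"): ["127.0.0.4", "127.0.0.10"],
    dnsbl_query_name("198.51.100.7"): ["127.255.255.254"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.5", "198.51.100.7", "192.0.2.10"):
        print(ip, "->", dnsbl_query_name(ip), check_client(ip, fake_resolve))
```

To query for real, pass `system_resolve` instead of `fake_resolve`; `check_client("127.0.0.2", system_resolve)` should come back `listed` from any resolver that Spamhaus accepts, and an `error` verdict there tells you the resolver itself (not the client) is the problem.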
From: Ansgar Wiechers on 26 May 2010 15:21

On 2010-05-26 brian wrote:
> I've a hunch that the following problem is not something that can be
> configured away through postfix but, as I'm well aware that my
> config-fu is not the strongest, I'd like any advice the more experienced
> among you might have. I'm sure this isn't a rare problem.
>
> I recently began supporting the website for a small organisation. One
> change I suggested was to utilise a .org domain rather than .com (not
> due to any trouble but simply because they're a non-commercial
> organisation). The old domain points to this new server in order to
> redirect web traffic. AFAIK, there were never any email addresses used
> under the old domain. But, now I've set up postfix, I'm seeing
> thousands of failed attempts to send to various fictitious DOMAIN.com
> addresses. These are properly being blocked 554/relay access denied.

The connections are being rejected, so unless your server resources are being exhausted by the delivery attempts I don't think you have to worry about it.

> I've installed fail2ban, which seems to help. However, I'm still
> seeing several attempts a second as the sender IP is changed. Is
> there something more I can do to mitigate the stress on the server?

Of course you can utilize something like fail2ban to already block connections at the network layer. However, since your Postfix seems to be doing just fine, there's no real need for that.

> FWIW, aside from aliases for the usual postmaster, abuse, and
> webmaster addresses, this domain has just 2 actual addresses to be
> maintained. So, might a whitelist approach be the way to go? Or, is
> this something I should leave to iptables/fail2ban?

I think you should just leave it to Postfix.

> myhostname = demeter.DOMAIN.org
> mydomain = DOMAIN.org
> myorigin = $mydomain
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

I usually recommend to add

local_recipient_maps = $alias_maps

and add explicit mappings for those local users that should be able to receive mail. Otherwise your Postfix will accept mail for any local user account on the system.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
From: Jan-Kaspar Münnich on 26 May 2010 15:23

On 26.05.2010, at 21:01, Matt Hayes wrote:
>> Is there
>> something more I can do to mitigate the stress on the server?
>
> You could look into using RBLs such as spamhaus etc.

In general RBLs work fine against these dictionary attacks. But in this special case where not one address exists at the targeted domain, I doubt that RBLs would decrease server load, since that would add one more DNS lookup.

I wouldn't see a big problem there, even thousands of 554s normally don't stress Postfix too much.

Jan-Kaspar