  1. #1
    Join Date
    Aug 2004
    Posts
    242

    How to solve a mail attack?

    I'd like to know how it's possible to solve this problem: My domain name has an e-mail address that is being forged and used by a spammer, and I get an incredible amount of bounced emails, to the point of bringing down a Dual-Xeon with 4GB of RAM. This e-mail account has been discontinued and e-mail sent to non-existent accounts is set to be thrown away. The average server load goes through the roof in a few seconds as soon as I point the MX entries to the server. I don't have the money to set up a load-balanced system. What could I do to host this domain name and use e-mail, only allowing emails to existing email accounts?
    Thanks.

  2. #2
    Join Date
    Aug 2007
    Location
    Minneapolis
    Posts
    111
    Forward mail for that account to a blackhole, or equivalently /dev/null, so it skips all the spam/anti-virus checks. Or is this what you actually have? If so, something might be making your MTA work inefficiently.

  3. #3
    Join Date
    Aug 2004
    Posts
    242
    I already pipe all mail that isn't aimed at existing accounts to /dev/null. Any other idea?

  4. #4
    Join Date
    Aug 2007
    Location
    Minneapolis
    Posts
    111
    I don't think there is anything else you can do. Approximately how many e-mails per second and exactly what would be "through the roof" load average? Not like 2.0, I hope.

  5. #5
    Join Date
    Aug 2004
    Posts
    242
    In less than 10 seconds, the server is crippled and I lose the SSH connection. I see in just a few seconds the load go from 1 to 10, 50, 100, 200, 500, etc... Then it crashes.

  6. #6
    Join Date
    Aug 2007
    Location
    Minneapolis
    Posts
    111
    It would take quite a lot of e-mail to get a load that high. If you want to run e-mail on that domain, I suggest removing spam and anti-virus scanning software to see if that helps the MTA. If it doesn't, you may be out of luck.

    I'd also check that your system is tuned up right and if you have a PATA drive, that it's transferring fast enough. hdparm -t /dev/hda or /dev/sda

  7. #7
    Join Date
    Mar 2004
    Location
    Sweden
    Posts
    72
    Put a limit in tcpserver so your server only accepts a certain amount of concurrent connections. If you limit to 100 connections the server may handle it. My P4 qmail installation can send out a couple of thousands of emails in some minutes. What software are you using?

  8. #8
    Join Date
    Aug 2004
    Posts
    242
    It's a standard cPanel server with RHEL, Exim, etc... The problem limiting to 100 concurrent connections is that you lose legitimate ones.

  9. #9
    Join Date
    Mar 2004
    Location
    Sweden
    Posts
    72
    First of all, why is the server accepting email to non-existing accounts?? This is where you should focus your problem.
    I had the same problem with qmail before I patched it.

    Set that email server option to :blackhole: With :blackhole: the server will simply drop the e-mails and not waste extra CPU time sending a failed reply. Hopefully this will make your CPU usage drop to an acceptable level and will allow your web host to continue hosting your account.

    Try Google, it's your friend. I found this:
    http://www.webhostingtalk.com/showthread.php?t=473272

  10. #10
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    calande,

    Set SPF record for your domain. www.openspf.org.
    Make sure your main server IP has got reverse dns set.
    Set default address as :fail:
    Find out the IP from which more number of connections are made to your mail server from exim logs and block those IPs.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
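    The last step above (finding which source IPs hammer the mail server, from the Exim logs) as an added example that is not part of the thread: it parses constructed lines in the style of Exim's mainlog rejection entries (H=, [ip], F=<sender>, rejected RCPT <rcpt>), counts rejections per source IP and measures how many of them were bounces (empty envelope sender F=<>), which is the backscatter pattern the original poster describes. The sample log and address values are constructed, not a real capture.

```python
import re
from collections import Counter

# Constructed sample in the style of Exim's mainlog; not a real log capture.
SAMPLE_MAINLOG = """\
2009-05-01 10:00:01 H=(friend.example.net) [198.51.100.7] F=<alice@example.net> rejected RCPT <old-account@example.com>: No Such User Here
2009-05-01 10:00:01 H=(bot1.example) [203.0.113.4] F=<> rejected RCPT <old-account@example.com>: No Such User Here
2009-05-01 10:00:02 H=(bot1.example) [203.0.113.4] F=<> rejected RCPT <old-account@example.com>: No Such User Here
2009-05-01 10:00:02 H=(bot2.example) [203.0.113.9] F=<> rejected RCPT <old-account@example.com>: No Such User Here
2009-05-01 10:00:03 1M5zQx-0003Ab-1K <= bob@example.org H=mx.example.org [198.51.100.8] P=esmtp S=1234
2009-05-01 10:00:03 H=(bot1.example) [203.0.113.4] F=<> rejected RCPT <old-account@example.com>: No Such User Here
"""

# Matches the pieces of an Exim "rejected RCPT" line we care about:
# the peer IP in square brackets, the envelope sender and the recipient.
REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)


def rejected_entries(log_text):
    """All rejection matches in the log, in file order (delivery lines are skipped)."""
    return [m for m in (REJECT_RE.search(line) for line in log_text.splitlines()) if m]


def count_rejects_by_ip(log_text):
    """Map source IP -> number of rejected RCPT commands from that IP."""
    return Counter(m.group("ip") for m in rejected_entries(log_text))


def top_sources(log_text, min_rejects=2):
    """Source IPs with at least min_rejects rejections, busiest first.
    A low threshold deliberately keeps the list short: a single rejection is
    normal for a legitimate MX, so it is not worth acting on."""
    counts = count_rejects_by_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_rejects]


def bounce_share(log_text):
    """Fraction of rejected RCPTs whose envelope sender is empty (F=<>).
    An empty sender marks a bounce, so a value near 1.0 means the load is
    backscatter from forged mail rather than direct spam."""
    entries = rejected_entries(log_text)
    if not entries:
        return 0.0
    return sum(1 for m in entries if m.group("sender") == "") / len(entries)


if __name__ == "__main__":
    print(top_sources(SAMPLE_MAINLOG), bounce_share(SAMPLE_MAINLOG))
```

Against a live cPanel box the same functions can be fed the contents of Exim's mainlog; the threshold should be raised well above 2 before anyone acts on the result, since the next reply in the thread points out that bulk IP blocking mostly hits legitimate servers.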

  11. #11
    Join Date
    Jun 2006
    Location
    Cluj Napoca
    Posts
    469
    Blackhole is not that good; like david510 posted above, :fail: is what you need to set. Never use catch-all if you do not REALLY need it. SPF will help but not that much, there are a LOT of servers that do not check SPF. Blocking the IPs is not a good idea either, you will only block legitimate servers in 90% of cases.
    IntoDNS - Check your DNS health and configuration
    FLEIO - OpenStack billing and control panel for service providers

  12. #12
    Quote Originally Posted by calande:
    In less than 10 seconds, the server cripples and I lose SSH connection. I see in just a few seconds the load go from 1 to 10, 50, 100, 200, 500, etc... Then it crashes.
    Are you 100% positive that mail is the only load here? Seems like there are other things involved here. For e.g., I've never seen a box crash due to bounces. Yes, I've seen loads go sky-high, but 100, 200, 500... well, this is more of a DOS than anything, I think.

  13. #13
    Join Date
    Jun 2006
    Location
    Cluj Napoca
    Posts
    469
    If you use MailScanner or, better yet, SpamAssassin and an antivirus, and you get a lot of bounces that will be scanned, then you will see a server that will eventually crash. Of course, it depends on the amount of RAM, CPU and so on.
    IntoDNS - Check your DNS health and configuration
    FLEIO - OpenStack billing and control panel for service providers

  14. #14
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    Mikie4648,

    Such a load spike happens when there is an attack on port 25.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  15. #15
    Join Date
    Aug 2004
    Posts
    242
    This domain actually already has an SPF record. I think setting to "fail" is a terrible idea, wasting extra CPU to send bounces, bugging poor people with bounces that they don't care about and worse: adding your own IP to black lists because people report your bounces as spam. Best is "blackhole" IMHO.

  16. #16
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by Mikie4648:
    For eg, iv never seen a box crash due to bounces.
    Just wait until someone sets up a catch-all address along with a few misguided auto-responders followed by a large (SPAM) botnet attack.

    Good times.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  17. #17
    Quote Originally Posted by calande:
    This domain actually already has an SPF record. I think setting to "fail" is a terrible idea, wasting extra CPU to send bounces, bugging poor people with bounces that they don't care about and worse: adding your own IP to black lists because people report your bounces as spam. Best is "blackhole" IMHO.
    Setting to fail is the correct solution to your problem. It will not waste CPU or send bounces; it will save you a lot of resources. When messages are rejected during the SMTP transaction, the mail is never sent to your server and no bounce is created by your server.
    Sending non-existent accounts to /dev/null is much more expensive.

    If rejecting messages at the transaction level is not enough for your server to keep up with the flow there are more things to do. Start with rejecting mail to unknown addresses and let us know how it goes.
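    The difference the reply above describes, as an added example that is not part of the thread: a minimal model of one inbound SMTP transaction under Exim's :fail: policy (unknown recipient refused with a 5xx at RCPT TO, so the sending side never transmits DATA and our server never generates a bounce) versus :blackhole: (recipient accepted, message body received, scanned and then thrown away). The local user list, the sample addresses and the reply strings are constructed; the function names are this example's own, not Exim's.

```python
# Constructed set of real mailboxes on the server.
LOCAL_USERS = {"alice@example.com", "bob@example.com"}


def rcpt_response(rcpt, policy, local_users=LOCAL_USERS):
    """SMTP reply to RCPT TO:<rcpt> under the given default-address policy."""
    if rcpt in local_users:
        return "250 Accepted"
    if policy == "fail":
        # Refused inside the transaction: the remote MTA is told now, and
        # nothing further is transferred for this recipient.
        return "550 No Such User Here"
    if policy == "blackhole":
        # We accept responsibility for the message and discard it later,
        # after paying for the transfer and any scanning on our side.
        return "250 Accepted"
    raise ValueError("unknown policy: %r" % policy)


def run_transaction(policy, sender, rcpt, body):
    """Simulate one delivery attempt to this server.

    Returns (transcript, bytes_received, delivered): the command/reply pairs
    exchanged, how many message bytes our server had to take in, and whether
    the message reached a real mailbox.
    """
    transcript = [("MAIL FROM:<%s>" % sender, "250 OK")]
    reply = rcpt_response(rcpt, policy)
    transcript.append(("RCPT TO:<%s>" % rcpt, reply))
    if reply.startswith("5"):
        # Permanent failure at RCPT time: the client has no accepted
        # recipient, so it does not send DATA. A forged-sender bounce with an
        # empty MAIL FROM stops here; nothing is queued or scanned locally.
        transcript.append(("QUIT", "221 Bye"))
        return transcript, 0, False
    transcript.append(("DATA", "354 Enter message"))
    transcript.append(("<%d bytes of message>" % len(body), "250 OK queued"))
    # Blackholed mail was fully received (and in a cPanel/Exim setup would
    # also pass through spam and anti-virus checks) before being dropped.
    delivered = rcpt in LOCAL_USERS
    return transcript, len(body), delivered


def bytes_taken_per_policy(sender, rcpt, body):
    """Message bytes our server receives for the same delivery under each policy."""
    return {p: run_transaction(p, sender, rcpt, body)[1] for p in ("fail", "blackhole")}


if __name__ == "__main__":
    bounce = b"x" * 5000  # constructed bounce body aimed at the discontinued address
    print(bytes_taken_per_policy("", "old-account@example.com", bounce))
```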
