Thread: How to solve a mail attack?
-
08-30-2007, 01:47 PM #1 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
How to solve a mail attack?
I'd like to know how it's possible to solve this problem: My domain name has an e-mail address that is being forged and used by a spammer, and I get an incredible amount of bounced emails to the point to bring down a Dual-Xeon with 4GB of RAM. This e-mail account has been discontinued and e-mail sent to non-existent accounts is set to be thrown away. The average server load goes through the roof in a few seconds as soon as I point the MX entries to the server. I don't have the money to set up a load-balanced system. What could I do to host this domain name and use e-mail, only allowing emails to existing email accounts?
Thanks.
-
08-30-2007, 02:56 PM #2 WHT Addict
- Join Date
- Aug 2007
- Location
- Minneapolis
- Posts
- 111
Forward mail for that account to a blackhole, or equivalently /dev/null, so it skips all the spam/anti-virus checks. Or is this what you actually have? If so, something might be making your MTA work inefficiently.
-
08-30-2007, 02:59 PM #3 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
I already pipe all mail that isn't aimed at existing accounts to /dev/null. Any other idea?
-
08-30-2007, 03:37 PM #4 WHT Addict
- Join Date
- Aug 2007
- Location
- Minneapolis
- Posts
- 111
I don't think there is anything else you can do. Approximately how many e-mails per second and exactly what would be "through the roof" load average? Not like 2.0, I hope.
-
08-30-2007, 03:56 PM #5 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
In less than 10 seconds, the server is crippled and I lose the SSH connection. I see in just a few seconds the load go from 1 to 10, 50, 100, 200, 500, etc... Then it crashes.
-
08-30-2007, 04:04 PM #6 WHT Addict
- Join Date
- Aug 2007
- Location
- Minneapolis
- Posts
- 111
It would take quite a lot of e-mail to get a load that high. If you want to run e-mail on that domain, I suggest removing spam and anti-virus scanning software to see if that helps the MTA. If it doesn't, you may be out of luck.
I'd also check that your system is tuned up right and if you have a PATA drive, that it's transferring fast enough. hdparm -t /dev/hda or /dev/sda
-
08-30-2007, 04:31 PM #7 Junior Guru Wannabe
- Join Date
- Mar 2004
- Location
- Sweden
- Posts
- 72
Put a limit in tcpserver so your server only accepts a certain amount of concurrent connections. If you limit it to 100 connections the server may handle it. My P4 qmail installation can send out a couple of thousand emails in a few minutes. What software are you using?
-
08-30-2007, 04:39 PM #8 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
It's a standard cPanel server with RHEL, Exim, etc... The problem limiting to 100 concurrent connections is that you lose legitimate ones.
-
08-30-2007, 05:12 PM #9 Junior Guru Wannabe
- Join Date
- Mar 2004
- Location
- Sweden
- Posts
- 72
First of all, why is the server accepting email to non-existing accounts? This is where you should focus your problem.
I had the same problem with qmail before I patched it.
Set that email server option to :blackhole: With :blackhole: the server will simply drop the e-mails and not waste extra CPU time sending a failed reply. Hopefully this will make your CPU usage drop to an acceptable level and will allow your web host to continue hosting your account.
Try Google, it's your friend. I found this:
http://www.webhostingtalk.com/showthread.php?t=473272
-
08-31-2007, 04:21 AM #10 Web Hosting Master
- Join Date
- Oct 2004
- Location
- Kerala, India
- Posts
- 4,771
calande,
Set an SPF record for your domain: www.openspf.org.
Make sure your main server IP has reverse DNS set.
Set the default address as :fail:
Find out from the Exim logs the IPs from which the most connections are made to your mail server and block those IPs.
-
08-31-2007, 04:38 AM #11 Web Hosting Evangelist
- Join Date
- Jun 2006
- Location
- Cluj Napoca
- Posts
- 469
Blackhole is not that good; like david510 posted above, :fail: is what you need to set. Never use catch-all if you do not REALLY need it. SPF will help, but not that much; there are a LOT of servers that do not check SPF. Blocking the IPs is not a good idea either, you will only block legitimate servers in 90% of cases.
-
08-31-2007, 04:46 AM #12 Aspiring Evangelist
- Join Date
- Jul 2006
- Posts
- 413
-
08-31-2007, 04:49 AM #13 Web Hosting Evangelist
- Join Date
- Jun 2006
- Location
- Cluj Napoca
- Posts
- 469
If you use MailScanner or, better yet, SpamAssassin and an antivirus, and you get a lot of bounces that will be scanned, then you will see a server that will eventually crash. Of course, it depends on the amount of RAM, CPU and so on.
-
08-31-2007, 04:56 AM #14 Web Hosting Master
- Join Date
- Oct 2004
- Location
- Kerala, India
- Posts
- 4,771
Mikie4648,
Such a load spike happens when there is an attack on port 25.
-
08-31-2007, 06:49 PM #15 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
This domain actually already has an SPF record. I think setting to "fail" is a terrible idea, wasting extra CPU to send bounces, bugging poor people with bounces that they don't care about and worse: adding your own IP to black lists because people report your bounces as spam. Best is "blackhole" IMHO.
-
08-31-2007, 07:15 PM #16 Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
-
09-01-2007, 08:26 AM #17 Newbie
- Join Date
- Sep 2007
- Posts
- 27
Setting to fail is the correct solution to your problem. It will not waste CPU or send bounces; it will save you a lot of resources. When messages are rejected during the SMTP transaction, the mail is never sent to your server and no bounce is created by your server.
Sending non-existing accounts to /dev/null is much more expensive.
If rejecting messages at the transaction level is not enough for your server to keep up with the flow there are more things to do. Start with rejecting mail to unknown addresses and let us know how it goes.
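As an added example (not posted by anyone in this thread), here is what the SMTP-time rejection from #17 and a per-host connection cap in the spirit of #7 look like in an Exim 4 configuration such as cPanel's; the list names `local_domains` and `relay_from_hosts`, the limits 100/10/200 and the path `/etc/valiases/<domain>` are assumptions for illustration.

```exim
# Added example: refuse unknown recipients at RCPT TO and cap concurrency.
# Assumes domainlist local_domains and hostlist relay_from_hosts are already
# defined in the main section (cPanel's exim.conf defines both).

# --- main configuration section ---
# Simultaneous inbound SMTP connections in total and per remote host.
# A legitimate sender that hits the cap gets a temporary 421 and retries,
# so this sheds load without losing or bouncing anything.
smtp_accept_max          = 100
smtp_accept_max_per_host = 10
# Above this many connections, accepted mail is queued instead of being
# delivered immediately, which keeps spam/AV scanning off the hot path.
smtp_accept_queue        = 200

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail from the local host or trusted relays is accepted as-is.
  accept  hosts = : +relay_from_hosts

  # Unknown local users are refused inside the SMTP transaction (5xx at
  # RCPT TO). Nothing is queued or scanned and this server creates no
  # bounce, so the forged sender address never receives backscatter from us.
  deny    message = No such user here
          domains = +local_domains
          !verify = recipient

  accept  domains = +local_domains

  # Everything else is an attempted relay.
  deny    message = relay not permitted

# On cPanel the per-domain "default address" in /etc/valiases/<domain>
# decides what "verify = recipient" sees for an unknown user:
#   *: :fail: No Such User Here   -> verification fails, rejected at RCPT TO
#   *: :blackhole:                -> verification succeeds, mail is accepted,
#                                    scanned, then discarded (the costly case)
```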