[TriLUG] Re: [Maia-users] Mail attack....

Brian McCullough bdmc at bdmcc-us.com
Mon Aug 21 00:06:04 EDT 2006


Tanner suggested that I bring the following message that I found in the
Maia-Users mailing list to the attention of all of the Postfix users in
the group, including the TriLUG sysadmins.

Brian



> ----- Forwarded message from Stephen Carter <Stephen at retnet.co.uk> -----
>
> >>> "Ryan Delany" <ryan at rynogear.com> 08/19/06 9:32 PM >>>
> >Stephen,
> >
> >The reason the messages were getting retried over and over again was
> >because the Maia box in this case was 450'ing the connections, and since
> >the spam was coming from legit mail servers (not directly from the
> >bot- infected machines), then according to RFC, the mail servers MUST
> >attempt re- delivery for a specific number of times or for a specified time
> >period.  The important thing to note is that today's bot viruses are
> >designed better than in years past as they rely on the legit mail server
> >for the ISP that the owner of the infected PC uses, instead of trying to
> >spread directly from a built- in SMTP server.  I'm sure if you nslookup the
> >IP addresses listed in the initial email, you will find the majority of
> >them are legitimate mail servers behaving according to RFC as they are
> >supposed to.  I suspect the main reason for this behaviour is the increase
> >in ISPs blocking port 25 (since it violates the TOS for at least every ISP
> >in the US), which would render a bot dead in it's tracks.  If the bot uses
> >the actual mail server for the ISP, it will be much more successful in
> >spreading since port 25 won't be blocked, and the mail servers will handle
> >the burden of re- sending as necessary.
> >
> >The reason I use the verification caching db is to remain persistent
> >across restarts, as a couple of the domains I filter for get constant
> >dictionary attacks.  You are correct, postfix will maintain it's own db in
> >memory until you restart postfix, but then you have to start all over.  So
> >far in the last month, my verify db file has grown to about 48MB.  I don't
> >consider that a huge amount of disk space, considering I have 245GB free
> >at the moment.  Naturally, I keep an eye on the file and if it grows too
> >big, I can easily turn it off.  Not to mention there is also some
> >self- cleaning that happens in the verify db, so I don't anticipate it
> >growing much larger than 50MB.
> >
> >Ryan
>
> All very healthy and valid discussion...
>
> Regarding the verification database, I think for the sake of 50Mb - I agree that tens of Mb's aren't even worth worrying about in most cases - I might take a look at implementing that option as well. It's a small advantage for my site, but also a small enough change that i'll give it a shot anyway.
>
> Stephen Carter
> Retrac Networking Limited
> www: http://www.retnet.co.uk
> Ph: +44 (0)7870 218 693
> Fax: +44 (0)870 7060 056
> CNA, CNE 6, CNS, CCNA, MCSE 2003
>
> _______________________________________________
> Maia-users mailing list
> Maia-users at renaissoft.com
> http://www.renaissoft.com/mailman/listinfo/maia-users
>
> ----- End forwarded message -----



More information about the TriLUG mailing list