Quoting Matthieu Herrb <matthieu.herrb@...>:

> Jacques Beigbeder wrote:
> > Hello,
> >
> > Last week, I installed milter-greylist for some email addresses.
> > Last night, the file /var/milter-greylist/greylist.db displays:
> >
> > ---------------------- Sample 1 -----------------------------------
> > [ .... ]
> > 222.136.25.31 <virginia@...> <xxxx.xxxxxxxx@...> 1085536020 # 2004-05-26 03:47:00
> > 24.60.250.191 <ssu@...> <xxxx.xxxxxxxx@...> 1085536023 # 2004-05-26 03:47:03
> > 24.98.118.46 <derrek@...> <xxxx.xxxxxxxx@...> 1085536025 # 2004-05-26 03:47:05
> > [ .... ]
> > ---------------------- Sample 2 -----------------------------------
> > 200.53.248.142 <libpcap@...> <yyyyyy@...> 1085544283 # 2004-05-26 06:04:43
> > 24.16.253.21 <tudor@...> <yyyyyy@...> 1085544284 # 2004-05-26 06:04:44
> > 24.157.153.40 <cmsg@...> <yyyyyy@...> 1085544361 # 2004-05-26 06:06:01
> > 24.159.241.11 <orlandini@...> <yyyyyy@...> 1085544364 # 2004-05-26 06:06:04
> > 200.82.47.94 <Soille@...> <yyyyyy@...> 1085544372 # 2004-05-26 06:06:12
> > 24.128.119.17 <Qobi@...> <yyyyyy@...> 1085544378 # 2004-05-26 06:06:18
> > 24.14.26.219 <jamesm@...> <yyyyyy@...> 1085544379 # 2004-05-26 06:06:19
> > 218.48.37.81 <abiword_bugs@...> <yyyyyy@...> 1085544384 # 2004-05-26 06:06:24
> > 24.130.151.178 <snowhare@...> <yyyyyy@...> 1085544388 # 2004-05-26 06:06:28
> > [ ... 600 lines deleted : from 06:04:43 to 07:10:23 ]
> >
> > Here 600 is a big number, but VERY OFTEN I have 20-30 connections in
> > 2 minutes for a SINGLE destination, but from 20-30 different IPs
> > and different From:.
> >
> > My interpretation: a spammer wants to send something to <yyyyyy@...>,
> > it fails from 200.53.248.142 / <libpcap@...>, and so he retries
> > from another PC within a pool of "relays", and so on.
> >
> > So there are 2 denials of service:
> > . large amount of SMTP connections in a short time (= fork with sendmail);
> > . large amount of data collected in the greylist database.
>
> I've seen that too. I've ended up with
>
> dnl Max connections per second
> define(confCONNECTION_RATE_THROTTLE,`10')
>
> in my sendmail.mc to limit the impact of such attacks/spam farms behaviour.

This kind of DoS occurs not only with grey-listing but also with the use of blacklists at the sendmail level. Now some spammers seem to retry from other IPs when getting a 4xx or 5xx SMTP reject code (they seem to have some distributed sending robots). They also often use a different FROM: email address each time. Connection rate control (globally, or on a per IP/network basis - only in sendmail 8.13beta2) helps, but it's getting more and more difficult to fight them - I see more and more spam coming from some IPs not yet listed in serious blacklists.

Stephane
---
http://milter.free.fr/intro/
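The pattern Jacques describes (many distinct source IPs and envelope senders hitting one recipient inside a couple of minutes, which a per-tuple greylist cannot collapse) can be pulled out of a greylist.db dump mechanically. The script below is an added example, not code from milter-greylist or from anyone in this thread. It assumes the line layout shown in the samples above (source IP, sender, recipient, unix timestamp, then a `#` comment with the date); the window and threshold values are illustrative tunables, and the sample dump is constructed for the example.

```python
"""Flag distributed-retry bursts in a milter-greylist greylist.db dump.

Each data line is assumed to look like the samples in the thread:

    <source IP> <sender> <recipient> <unix time> # <human-readable date>

A "burst" is a span of at most WINDOW seconds in which at least
THRESHOLD distinct source IPs target the same recipient.  A legitimate
greylist retry comes back from the *same* IP, so counting distinct IPs
separates the two cases.  Window/threshold defaults and the sample data
are assumptions made for this example, not values from the post.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"<(?P<sender>[^>]*)>\s+<(?P<rcpt>[^>]*)>\s+"
    r"(?P<ts>\d+)"
)

# Constructed sample in the layout shown in the thread; addresses and
# IPs are placeholders (documentation ranges), not data from the post.
SAMPLE = """\
# greylist.db dump (constructed for this example)
203.0.113.1 <sender01@example.org> <victim@example.net> 1085544283 # 2004-05-26 06:04:43
203.0.113.2 <sender02@example.org> <victim@example.net> 1085544284 # 2004-05-26 06:04:44
203.0.113.3 <sender03@example.org> <victim@example.net> 1085544361 # 2004-05-26 06:06:01
203.0.113.4 <sender04@example.org> <victim@example.net> 1085544364 # 2004-05-26 06:06:04
203.0.113.5 <sender05@example.org> <victim@example.net> 1085544372 # 2004-05-26 06:06:12
203.0.113.6 <sender06@example.org> <victim@example.net> 1085544378 # 2004-05-26 06:06:18
192.0.2.10 <alice@example.org> <bob@example.net> 1085544300 # 2004-05-26 06:05:00
192.0.2.10 <alice@example.org> <bob@example.net> 1085546100 # 2004-05-26 06:35:00
"""


def parse_greylist(text):
    """Yield (ip, sender, rcpt, ts) for each well-formed data line.

    Comment lines, "[ .... ]" markers and anything else that does not
    match the expected layout are skipped rather than raising.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["sender"], m["rcpt"], int(m["ts"])


def find_bursts(entries, window=120, threshold=20):
    """Return {rcpt: (distinct_ips, distinct_senders, first_ts, last_ts)}.

    For every recipient, slide a window of `window` seconds over its
    entries sorted by timestamp and record the densest span that reaches
    `threshold` distinct source IPs.  Recipients that never reach the
    threshold (including a single host retrying, the normal greylist
    case) are not reported.
    """
    by_rcpt = defaultdict(list)
    for ip, sender, rcpt, ts in entries:
        by_rcpt[rcpt].append((ts, ip, sender))

    bursts = {}
    for rcpt, events in by_rcpt.items():
        events.sort()
        best = None
        lo = 0
        for hi in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            ips = {e[1] for e in span}
            if len(ips) >= threshold and (best is None or len(ips) > best[0]):
                senders = {e[2] for e in span}
                best = (len(ips), len(senders), span[0][0], span[-1][0])
        if best:
            bursts[rcpt] = best
    return bursts


def main():
    # Threshold lowered to 5 so the small constructed sample trips it;
    # the 120 s / 20 defaults mirror the "20-30 in 2 minutes" figure.
    bursts = find_bursts(parse_greylist(SAMPLE), window=120, threshold=5)
    for rcpt, (ips, senders, first, last) in sorted(bursts.items()):
        print(f"{rcpt}: {ips} source IPs / {senders} senders "
              f"in {last - first}s (ts {first}..{last})")


if __name__ == "__main__":
    main()
```

Run against a real dump (`python3 bursts.py < /var/milter-greylist/greylist.db` after swapping `SAMPLE` for `sys.stdin.read()`), the recipients it reports are the ones whose tuples are filling the database without ever being auto-whitelisted; the single-IP retry for bob@example.net in the sample is the ordinary greylist behaviour and is deliberately not flagged.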
Re: [milter-greylist] is this a DoS?
2004-05-26 by milter@free.fr