From: David DeFranco on 26 May 2010 15:53

While you're looking into a way to drop these connections as quickly as possible I would turn down the number of SMTPD processes on your server. That should give your server a break. I'd start at 50 and tune from there.

Change your master.cf to something like:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       50      smtpd

On Wed, May 26, 2010 at 1:42 PM, Matt Hayes <dominian(a)slackadelic.com> wrote:
> On 5/26/2010 3:35 PM, brian wrote:
>> On 10-05-26 03:31 PM, Matt Hayes wrote:
>>>
>>> I wonder if using something like postscreen from the 2.8-snapshots would
>>> help to curtail some of the resource usage.
>>>
>>
>> Thanks, I'll check it out. However, I'd feel more optimistic about it if
>> it was named prescreen ;-)
>>
>
>
> Here's a link with some info on it:
>
> http://www.postfix.org/postscreen.8.html
>
> If you look in the ChangeLogs for the latest snapshot of 2.8, Wietse
> outlines in there how to get it enabled. It works quite well on my box..
>
> -Matt
From: Noel Jones on 26 May 2010 15:55

On 5/26/2010 2:34 PM, brian wrote:
> On 10-05-26 03:24 PM, Ansgar Wiechers wrote:
>> On 2010-05-26 Ralf Hildebrandt wrote:
>>> Shouldn't you use at least ONE RBL?
>>
>> Probably wouldn't hurt, but unless he's trying to fight off spam sent to
>> valid users (which according to his description doesn't seem to be the
>> case) he could go without as well.
>
> Correct. The SPAM problem is not directed at legitimate accounts (yet).
> All of these rejections are for fictitious accounts under the .com
> domain. I don't want to accept anything at all for that domain. However,
> I must keep the domain pointed at this new server in order to catch web
> traffic and redirect it.
>
> b
>

Some random suggestions...

Use a bogus MX record for the old domain if that domain has no valid mail recipients. Of course, some bots will connect to your A record anyway...

You can use "reject_unlisted_recipient" early in your smtpd_recipient_restrictions to dump connections to bad users early. A later RBL check will only apply to valid recipients.

Set smtpd_hard_error_limit to a low number, such as 2, to disconnect clients after just a few errors.

Set smtpd_error_sleep_time to 0 to get rid of bad clients without delay.

I'll bet the postfix 2.7 "postscreen" feature will get rid of 1/2 or more of the bots before they ever talk to you.

Postfix 2.7 allows you to specify 521 for the various *_reject_code parameters to signal a disconnect.

Increase the max number of smtpd listeners in master.cf to the highest number your memory will allow.

  -- Noel Jones
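Before tuning smtpd_hard_error_limit it helps to see, from the mail log, how many recipient rejects each client session actually racks up and which domain they are aimed at. The following is an added example written for this thread, not code from Postfix or from any poster: it parses Postfix smtpd "connect", "NOQUEUE: reject: RCPT" and "disconnect" log lines into per-session tallies. The log lines, hostnames and addresses in SAMPLE_LOG are constructed (RFC 5737 test addresses), and the session/limit bookkeeping is a simplification of what smtpd does internally.

```python
"""Summarise Postfix smtpd recipient rejects per client session.

Added example (not from the thread or from Postfix). Tallies
"NOQUEUE: reject: RCPT" lines per smtpd session so you can see which clients
a low smtpd_hard_error_limit would have cut off, and which recipient domain
the bots are probing.
"""
import re
from collections import Counter

# Constructed sample in Postfix's syslog format (hosts/IPs are placeholders,
# not data from the thread). Two interleaved smtpd processes: a bot probing
# three nonexistent users under example.com and a real MTA with one typo.
SAMPLE_LOG = """\
May 26 15:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
May 26 15:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spam@example.net> to=<alice@example.com> proto=ESMTP helo=<bot1>
May 26 15:01:03 mx postfix/smtpd[2102]: connect from mail.example.org[198.51.100.5]
May 26 15:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spam@example.net> to=<bob@example.com> proto=ESMTP helo=<bot1>
May 26 15:01:04 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.5]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<dave@example.org> to=<typo@example.org> proto=ESMTP helo=<mail.example.org>
May 26 15:01:04 mx postfix/smtpd[2102]: disconnect from mail.example.org[198.51.100.5]
May 26 15:01:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spam@example.net> to=<carol@example.com> proto=ESMTP helo=<bot1>
May 26 15:01:09 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<client>\S+)\[(?P<ip>[^\]]+)\]")
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*? to=<(?P<rcpt>[^>]*)>"
)


def _new_session(client, ip):
    return {"client": client, "ip": ip, "rejects": 0, "domains": Counter()}


def parse_sessions(log_text):
    """Return one dict per smtpd session: client, ip, rejects, domains.

    A session runs from 'connect from' to 'disconnect from' on one smtpd pid.
    Rejects seen without a preceding connect line (log rotated mid-session)
    are attributed to an implicit session for that pid.
    """
    open_sessions = {}  # pid -> session dict
    finished = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = _new_session(c.group("client"), c.group("ip"))
            continue
        r = REJECT_RE.match(msg)
        if r:
            sess = open_sessions.setdefault(
                pid, _new_session(r.group("client"), r.group("ip")))
            sess["rejects"] += 1
            rcpt = r.group("rcpt")
            domain = rcpt.rsplit("@", 1)[-1].lower() if "@" in rcpt else ""
            sess["domains"][domain] += 1
            continue
        if DISCONNECT_RE.match(msg) and pid in open_sessions:
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # still open at end of log
    return finished


def sessions_at_limit(sessions, hard_error_limit):
    """Sessions whose reject count reached hard_error_limit: the clients a
    low smtpd_hard_error_limit would have disconnected instead of letting
    them keep probing recipients."""
    return [s for s in sessions if s["rejects"] >= hard_error_limit]


def rejected_domains(sessions):
    """Total rejects per recipient domain across all sessions."""
    total = Counter()
    for s in sessions:
        total.update(s["domains"])
    return total


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in sessions_at_limit(found, 2):
        print(f"{s['client']}[{s['ip']}]: {s['rejects']} rejects, "
              f"domains={dict(s['domains'])}")
    print("rejects per domain:", dict(rejected_domains(found)))
```

Run it against a real /var/log/mail.log by passing the file contents to parse_sessions. Sessions that appear in sessions_at_limit with a small limit are the ones a low smtpd_hard_error_limit (combined with smtpd_error_sleep_time = 0) gets rid of quickly; rejected_domains confirms whether, as in this thread, nearly every reject targets the old .com domain.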
From: Noel Jones on 26 May 2010 15:58

On 5/26/2010 2:50 PM, brian wrote:
> On 10-05-26 03:43 PM, Ansgar Wiechers wrote:
>> On 2010-05-26 brian wrote:
>>> On 10-05-26 03:24 PM, Ansgar Wiechers wrote:
>>>> On 2010-05-26 Ralf Hildebrandt wrote:
>>>>> Shouldn't you use at least ONE RBL?
>>>>
>>>> Probably wouldn't hurt, but unless he's trying to fight off spam sent
>>>> to valid users (which according to his description doesn't seem to be
>>>> the case) he could go without as well.
>>>
>>> Correct. The SPAM problem is not directed at legitimate accounts
>>> (yet). All of these rejections are for fictitious accounts under the
>>> .com domain. I don't want to accept anything at all for that domain.
>>> However, I must keep the domain pointed at this new server in order to
>>> catch web traffic and redirect it.
>>
>> So all of the rejected mails are for example.com, but you now use
>> example.org instead? Your first mail sounded like there were arbitrary
>> destination domains, not just the .com domain you want to move away
>> from.
>>
>> If you don't need to accept any mail for example.com, you may want to
>> remove the MX record(s) for that domain (in case you haven't done that
>> already). Redirecting web traffic will work just fine without them.
>
> Right, this was a forehead-slapper for me a couple of hours ago. But
> then I realised that I'd already explicitly removed the MX for the .com
> domain weeks ago when first setting up the new server. There's only the
> A records, CN, and NS. I can't figure that out.
>

Removing the MX record isn't enough; you need to create a bogus MX record.
i.e. example.com MX 10 dev.null.

RFCmumble specifies that in the absence of an MX record, the A record should be used.

  -- Noel Jones
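The rule Noel is referring to is RFC 5321 section 5.1: when a domain has no MX records, a sending MTA treats the domain itself as an implicit MX with preference 0 and connects to its A (or AAAA) record. The following is an added example, not code from the thread or from Postfix: it resolves a handful of constructed, in-memory DNS records the way a sender's MTA would, so you can see that a domain with its MX deleted still receives mail, that a bogus MX whose target has no address leaves nothing to connect to, and where Ralf's "MX pointing to localhost" variant sends the sender. It also handles the "null MX" form (a single "MX 0 ."), which RFC 7505 standardised in 2015, after this thread, as the explicit way to say a domain accepts no mail; the domain names and addresses in ZONE are placeholders.

```python
"""Where does mail for a domain actually go? Implicit-MX resolution.

Added example (not from the thread or from Postfix). Resolves a domain
against a constructed in-memory record set following RFC 5321 section 5.1:
no MX -> use the domain's own A record as an implicit MX of preference 0.
"""

# Constructed records; owner names are fully qualified (trailing dot).
ZONE = {
    # MX deleted, A record kept for the web redirect: mail still arrives here.
    "old.example.com.":  {"A": ["192.0.2.20"]},
    # Bogus MX whose target has no address (Noel's suggestion).
    "dead.example.com.": {"A": ["192.0.2.20"], "MX": [(10, "dev.null.")]},
    # MX pointing at localhost (Ralf's suggestion): the sender talks to itself.
    "loop.example.com.": {"A": ["192.0.2.20"], "MX": [(10, "localhost.")]},
    # RFC 7505 null MX: "MX 0 ." explicitly means "no mail for this domain".
    "null.example.com.": {"A": ["192.0.2.20"], "MX": [(0, ".")]},
    # A normal mail domain with two MX hosts, listed out of preference order.
    "live.example.org.": {"A": ["192.0.2.30"],
                          "MX": [(20, "mx2.example.org."), (10, "mx1.example.org.")]},
    "mx1.example.org.":  {"A": ["198.51.100.1"]},
    "mx2.example.org.":  {"A": ["198.51.100.2"]},
    "localhost.":        {"A": ["127.0.0.1"]},
    "dev.null.":         {},
}


def _fqdn(name):
    """Normalise a name to lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def smtp_targets(zone, domain):
    """Return (kind, targets) for a domain as a sending MTA would see it.

    kind is one of:
      "mx"           explicit MX records, targets in preference order
      "implicit-mx"  no MX at all, so the domain's own A record is used
      "null-mx"      a single "MX 0 ." record: the domain accepts no mail
      "no-usable-mx" MX (or implicit MX) present but no target has an address
    targets is a list of (preference, host, ip) tuples to try in order.
    """
    name = _fqdn(domain)
    records = zone.get(name, {})
    mx = records.get("MX")
    if mx is None:
        # RFC 5321 5.1: empty MX list -> implicit MX of preference 0 pointing
        # at the domain itself. This is why deleting the MX is not enough.
        kind, mx = "implicit-mx", [(0, name)]
    elif len(mx) == 1 and mx[0] == (0, "."):
        return ("null-mx", [])
    else:
        kind = "mx"

    targets = []
    for pref, host in sorted(mx):          # lowest preference first
        host = _fqdn(host)
        for ip in zone.get(host, {}).get("A", []):
            targets.append((pref, host, ip))
    return (kind, targets) if targets else ("no-usable-mx", [])


if __name__ == "__main__":
    for d in ("old.example.com", "dead.example.com", "loop.example.com",
              "null.example.com", "live.example.org"):
        kind, targets = smtp_targets(ZONE, d)
        print(f"{d:18} {kind:13} {targets}")
```

Two caveats for the practitioner. First, how a real MTA treats a bogus MX it cannot resolve varies: many defer and retry rather than bounce, which is part of why the null MX was later standardised. Second, as Noel notes in the previous message, bots that connect straight to the A record never do this lookup at all, so DNS changes reduce the legitimate-MTA load but the Postfix-side hardening (reject_unlisted_recipient early, a low smtpd_hard_error_limit) is what deals with the bots.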
From: brian on 26 May 2010 16:12

On 10-05-26 03:55 PM, Noel Jones wrote:
>
> Some random suggestions...
>
> Use a bogus MX record for the old domain if that domain has no valid
> mail recipients. Of course, some bots will connect to your A record
> anyway...

OK, I like the sound of that. Per your other email, I think I did, a long time ago, learn about A being used in the absence of an MX. That seems familiar now. Thanks for the tip.

> You can use "reject_unlisted_recipient" early in your
> smtpd_recipient_restrictions to dump connections to bad users early. A
> later RBL check will only apply to valid recipients.
>
> Set smtpd_hard_error_limit to a low number, such as 2, to disconnect
> clients after just a few errors.
>
> Set smtpd_error_sleep_time to 0 to get rid of bad clients without delay.

I'll give all that a try. Does this order seem alright?

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unlisted_recipient,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

> I'll bet the postfix 2.7 "postscreen" feature will get rid of 1/2 or
> more of the bots before they every talk to you.
>
> Postfix 2.7 allows you to specify 521 for the various *_reject_code
> parameters to signal a disconnect.

I've just been having a look at that. It does seem to be something very useful in this situation. But, maybe the bogus MX will solve my problems.

> Increase the max number of smtpd listeners in master.cf to the highest
> number your memory will allow.

What's the best way of determining that?
From: Ralf Hildebrandt on 26 May 2010 16:18

* brian <postfix-list(a)logi.ca>:
> Correct. The SPAM problem is not directed at legitimate accounts
> (yet). All of these rejections are for fictitious accounts under the
> .com domain. I don't want to accept anything at all for that domain.
> However, I must keep the domain pointed at this new server in order
> to catch web traffic and redirect it.

So set a fake MX record pointing to localhost

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de |