[geeks] Surviving a DDoS

der Mouse mouse at Rodents.Montreal.QC.CA
Wed Nov 28 00:28:02 CST 2007


> I got the impression that this was not a blowback from spam for a few
> reasons.  The big clue in my mind is that there was no sender in the
> connections.

> [...from=<>...]

> that's just one example...but in no case was there a sender address
> in the from= field in the e-mail.

That's actually a moderately strong indication that they *are* bounce
blowback.  Correct bounces are *always* sent that way.

> For responses to non-existent individuals who receive spam, the
> message sender in the response is usually "postmaster" or something
> equivalent from the domain.

Only in the headers.  The envelope sender (the MAIL From: argument in
the SMTP transaction) for a bounce is required to be <>; anyone who
generates bounces with any other envelope-from is just plain broken
(and is just _asking_ for a white hole when two such systems start
bouncing at one another).

On the other hand, the information you presented about the sending
hosts does tend to point towards a DoS...well, except for the Google
host, which looks to me like an outbound mailhost from the rDNS (for
large mailers, outbound mailhosts are quite often unrelated to inbound
mailhosts).  Your experience upon changing the MX likewise, though to
be sure I'd have to see more information, like the TTL the pre-change
record was distributed with when it was current.

So I'm not sure.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse at rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
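A worked illustration of the distinction drawn above between the envelope sender (the argument to SMTP MAIL FROM, logged by Postfix as from=<...>) and the header From:, added here as an example and not part of the original thread or of any tool it mentions. The script joins Postfix-style smtpd/qmgr log lines by queue ID, extracts the envelope sender, and tallies per client how much of its traffic arrived with from=<>, then applies a simple heuristic label. The log lines, host names and addresses are constructed for the example; the line shapes are assumed from the stock Postfix smtpd/qmgr log format, and the labels are heuristics, not a verdict on the DoS-versus-blowback question in the thread.

```python
"""Tally null-sender (envelope-from <>) traffic per client in Postfix-style logs.

Added example; not code from the original post.  Log lines, hosts and
addresses below are constructed, and the Postfix line shapes are assumed.
"""
import re
from collections import defaultdict

# Constructed sample.  smtpd logs the queue ID with the connecting client;
# qmgr logs the same queue ID with the envelope sender (from=<...>).
SAMPLE_LOG = """\
Nov 27 23:58:02 mx postfix/smtpd[4011]: 7A1F2: client=mail-out.example.net[192.0.2.10]
Nov 27 23:58:02 mx postfix/qmgr[3999]: 7A1F2: from=<>, size=2310, nrcpt=1 (queue active)
Nov 27 23:58:05 mx postfix/smtpd[4012]: 7A1F3: client=unknown[198.51.100.7]
Nov 27 23:58:05 mx postfix/qmgr[3999]: 7A1F3: from=<>, size=1902, nrcpt=1 (queue active)
Nov 27 23:58:09 mx postfix/smtpd[4013]: 7A1F4: client=unknown[198.51.100.7]
Nov 27 23:58:09 mx postfix/qmgr[3999]: 7A1F4: from=<postmaster@example.org>, size=1877, nrcpt=1 (queue active)
Nov 27 23:58:12 mx postfix/smtpd[4014]: 7A1F5: client=relay.example.com[203.0.113.5]
Nov 27 23:58:12 mx postfix/qmgr[3999]: 7A1F5: from=<alice@example.com>, size=640, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# Local parts that bounce generators commonly put in the *header* From:.
# A correct bounce still uses <> as its *envelope* sender.
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}


def is_null_sender(sender: str) -> bool:
    """True for the null envelope sender: MAIL FROM:<> (logged as from=<>)."""
    return sender in ("", "<>")


def looks_like_bounce_sender(sender: str) -> bool:
    """True for a non-null sender such as postmaster@... or MAILER-DAEMON@...;
    a bounce sent with such an envelope-from is the broken case."""
    local, sep, _domain = sender.partition("@")
    return bool(sep) and local.lower() in BOUNCE_LOCALPARTS


def parse_log(text: str) -> dict:
    """Join smtpd client= lines and qmgr from= lines by queue ID.
    Returns {qid: {"client": str, "sender": str}} for fully matched IDs."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]]["client"] = m["client"]
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
    return {q: v for q, v in msgs.items() if "client" in v and "sender" in v}


def summarize_by_client(msgs: dict) -> dict:
    """Per client: total messages, how many came with envelope-from <>,
    and how many used a postmaster/MAILER-DAEMON style non-null sender."""
    out = defaultdict(lambda: {"total": 0, "null_sender": 0, "fake_bounce_sender": 0})
    for v in msgs.values():
        stats = out[v["client"]]
        stats["total"] += 1
        if is_null_sender(v["sender"]):
            stats["null_sender"] += 1
        elif looks_like_bounce_sender(v["sender"]):
            stats["fake_bounce_sender"] += 1
    return dict(out)


def classify_client(stats: dict) -> str:
    """Heuristic label (an assumption of this example, not a rule from the post):
    every message from <>            -> "bounce-like"   (consistent with backscatter)
    some postmaster@-style senders   -> "broken-bouncer" (bounces without <>)
    otherwise                        -> "ordinary"
    """
    if stats["total"] and stats["null_sender"] == stats["total"]:
        return "bounce-like"
    if stats["fake_bounce_sender"]:
        return "broken-bouncer"
    return "ordinary"


def classify_log(text: str) -> dict:
    """Convenience wrapper: {client: label} for a whole log excerpt."""
    return {c: classify_client(s) for c, s in summarize_by_client(parse_log(text)).items()}


if __name__ == "__main__":
    for client, stats in sorted(summarize_by_client(parse_log(SAMPLE_LOG)).items()):
        print(f"{client:45} {stats}  -> {classify_client(stats)}")
```

Run it against a real Postfix log excerpt by swapping SAMPLE_LOG for the file contents; the only point it makes is the one in the post: look at the envelope sender logged by the MTA, not at the From: header the other side chose to write.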


