[geeks] Surviving a DDoS
Michael Parson
mparson at bl.org
Wed Nov 28 12:22:36 CST 2007
On Tue, 27 Nov 2007, Ido Dubrawsky wrote:
<snip>
> Another example would be something like:
>
> Nov 24 18:39:07 sauron postfix/smtpd[693]: [ID 197553 mail.info] NOQUEUE:
> reject: RCPT from CPE-76-178-124-43.natsow.res.rr.com[76.178.124.43]: 450
> 4.7.1 <goins-mail1.goins.local>: Helo command rejected: Host not found;
> from=<> to=<asanders at siliconsec.com> proto=SMTP
> helo=<goins-mail1.goins.local>
>
> Notice the address: CPE-76-178-124-74.natsow.res.rr.com. That's
> a RoadRunner cable domain and it's residential. Last I recall,
> RoadRunner does not allow you to run a mail server from their
> residential service networks and actually blocks inbound SMTP to the
> res.rr.com domain. Doesn't mean you can't run a mail server on that
> domain but typical inbound mail is blocked and you can still spam
> outbound from there.
One of the more recent things I've done for my mail server is install
milter-regex, which lets me do regex matches on the connections and
refuse mail from things I don't like. I then found a list somewhere of
dynamic IP (sub) domains and the like and refuse mail from dynamic IPs.
I've got 407 lines in my milter-regex config, I'm sure if my regex-fu
was better, I could slim it down a little, but it has cut way back on
the mail sent by the zombie-nets from home users.
--
Michael Parson
mparson at bl.org
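As an added illustration of the approach discussed in this thread (not code from the list or from milter-regex itself), the snippet below applies a small, constructed set of reverse-DNS patterns for dynamic/residential hosts to client names, parses the postfix NOQUEUE reject line quoted above, and shows an allowlist check so a legitimate sender on a dynamic-looking name is not refused; the patterns, the allowlist and the helper names are assumptions for the example.

```python
import re

# Constructed patterns (an assumption for this example, not anyone's real
# milter-regex config) for reverse-DNS names typical of dynamic/residential space.
DYNAMIC_HOST_PATTERNS = [
    re.compile(r"\.res\.rr\.com$", re.I),                         # RoadRunner residential
    re.compile(r"^cpe-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.", re.I),   # CPE-a-b-c-d.<domain>
    re.compile(r"(^|[.-])(dyn|dynamic|dhcp|dial|ppp|pool)([.-]|$)", re.I),
    re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}"),        # IPv4 octets in the name
]

# Fields of a postfix smtpd "NOQUEUE: reject: RCPT from host[ip]: code esc ... helo=<x>" line.
LOG_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) "
    r"(?P<esc>\d\.\d\.\d) .*?helo=<(?P<helo>[^>]+)>"
)

# The log line quoted in the thread, re-joined onto one line for parsing.
SAMPLE_LOG = (
    "Nov 24 18:39:07 sauron postfix/smtpd[693]: [ID 197553 mail.info] NOQUEUE: "
    "reject: RCPT from CPE-76-178-124-43.natsow.res.rr.com[76.178.124.43]: 450 "
    "4.7.1 <goins-mail1.goins.local>: Helo command rejected: Host not found; "
    "from=<> to=<asanders at siliconsec.com> proto=SMTP helo=<goins-mail1.goins.local>"
)

def is_dynamic_host(hostname: str) -> bool:
    """True if the client's reverse-DNS name matches a dynamic/residential pattern."""
    return any(p.search(hostname) for p in DYNAMIC_HOST_PATTERNS)

def parse_reject(line: str):
    """Return host/ip/code/esc/helo from a postfix reject line, or None if it isn't one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def decide(hostname: str, allowlist=frozenset()) -> str:
    """ACCEPT if the host or any parent domain is allowlisted, REJECT if it looks dynamic.

    The allowlist is the practitioner's safety valve: pattern rules on reverse DNS
    produce false positives (small offices on consumer lines, partners with odd rDNS).
    """
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in allowlist:
            return "ACCEPT"
    return "REJECT" if is_dynamic_host(hostname) else "ACCEPT"

if __name__ == "__main__":
    rec = parse_reject(SAMPLE_LOG)
    print(rec["host"], rec["ip"], decide(rec["host"]))
```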