Security Basics mailing list archives

Re: SMTP DDoS


From: stephane nasdrovisky <stephane.nasdrovisky () uniway be>
Date: Wed, 13 Aug 2003 10:05:01 +0200


A customer suffered from this kind of NDR flooding 2 years ago. All its valid email addresses were looking like "x.y () x com". Rejecting any mail sent to "x () x com" but "info () x com" and "sales () x com" at the firewall level saved their bandwidth and administration overhead. I guess that's the kind of filter you already have implemented? If the forged from address is one of your valid email addresses, chances are you'll have to call the police department. An anti-spam email client (Netscape 7.1/Mozilla 1.4) or an anti-spam server based on Bayesian filtering could filter out most of these NDR floods. Unfortunately, it would not save your bandwidth.

Our customer faced this issue a few times after buying a foreign company, and the flood was about 100 mails per second. It lasted about 6 months.

Kip Sr. wrote:

For the past 10 days, our mail exchange server has
been getting flooded with emails. It appears that an
attacker is sending out tons of spam through various
open relays and using our address
(sales () mycompany com) in the return path. So
essentially, all bounced emails are coming back to our
mail server - we're seeing about 30,000 NDRs per day.
I am using filters to delete the incoming email, but
does anyone else have any other ideas on how to get
this stopped? Since the NDRs are coming from
legitimate sources, checking for open relays won't do
me any good.



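The recipient filter Stephane describes (accept only "x.y" mailboxes plus a short list of role accounts, reject the rest before it reaches the mail store) can be expressed as a small perimeter check. The code below is an added illustration, not something from either poster; the domain `example.com`, the "first.last" pattern, the `info`/`sales` allowlist and the sample RCPT TO values are all constructed for this example.

```python
import re
from typing import Iterable

# Assumed (constructed) local domain standing in for the "x com" in the reply.
LOCAL_DOMAIN = "example.com"

# Valid mailboxes follow the "first.last@domain" convention; only these role
# accounts are exempt from that rule. Both are assumptions for this example.
VALID_LOCAL_PART = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$")
ROLE_ACCOUNTS = {"info", "sales"}


def accept_recipient(address: str) -> bool:
    """Return True if an RCPT TO address should be accepted at the perimeter.

    Mirrors the rule in the reply: reject anything at our domain that is
    neither "x.y@domain" nor one of the listed role accounts. Mail for other
    domains is not ours to accept either, so it is rejected as well.
    """
    address = address.strip().strip("<>").lower()
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if domain != LOCAL_DOMAIN:
        return False
    if local in ROLE_ACCOUNTS:
        return True
    return VALID_LOCAL_PART.match(local) is not None


def filter_recipients(addresses: Iterable[str]) -> dict:
    """Split a batch of RCPT TO addresses into accepted and rejected lists."""
    result = {"accepted": [], "rejected": []}
    for addr in addresses:
        key = "accepted" if accept_recipient(addr) else "rejected"
        result[key].append(addr)
    return result


# Constructed sample of RCPT TO values as they might arrive during an NDR flood.
SAMPLE_RCPT = [
    "john.doe@example.com",
    "sales@example.com",
    "info@example.com",
    "x@example.com",
    "bounce-12345@example.com",
    "john.doe@other.example",
    "<jane.roe@example.com>",
]

if __name__ == "__main__":
    outcome = filter_recipients(SAMPLE_RCPT)
    print("accepted:", outcome["accepted"])
    print("rejected:", outcome["rejected"])
```

As the reply itself points out, this only helps when the forged addresses fall outside the valid pattern: an NDR flood aimed at a real mailbox such as `sales@` passes the check unchanged, and the bandwidth is consumed either way.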