[geeks] Surviving a DDoS
Shannon Hendrix
shannon at widomaker.com
Wed Nov 28 13:42:03 CST 2007
On Nov 28, 2007, at 1:22 PM, Michael Parson wrote:
> On Tue, 27 Nov 2007, Ido Dubrawsky wrote:
>
> <snip>
>
>> Another example would be something like:
>>
>> Nov 24 18:39:07 sauron postfix/smtpd[693]: [ID 197553 mail.info] NOQUEUE:
>> reject: RCPT from CPE-76-178-124-43.natsow.res.rr.com[76.178.124.43]: 450
>> 4.7.1 <goins-mail1.goins.local>: Helo command rejected: Host not found;
>> from=<> to=<asanders at siliconsec.com> proto=SMTP
>> helo=<goins-mail1.goins.local>
>>
>> Notice the address: CPE-76-178-124-74.natsow.res.rr.com. That's
>> a RoadRunner cable domain and it's residential. Last I recall,
>> RoadRunner does not allow you to run a mail server from their
>> residential service networks and actually blocks inbound SMTP to the
>> res.rr.com domain. Doesn't mean you can't run a mail server on that
>> domain but typical inbound mail is blocked and you can still spam
>> outbound from there.
>
> One of the more recent things I've done for my mail server is install
> milter-regex, which lets me do regex matches on the connections and
> refuse mail from things I don't like. I then found a list somewhere of
> dynamic IP (sub)domains and the like and refuse mail from dynamic IPs.
> I've got 407 lines in my milter-regex config, I'm sure if my regex-fu
> was better, I could slim it down a little, but it has cut way back on
> the mail sent by the zombie-nets from home users.
...and legitimate email from people who run their own mail servers on
a dynamic IP.
That's what sucks about spammers: the solutions aren't that great
either.
I think if we started shooting them, it would either a) help, or b) at
least feel good.
Of course, then someone would spam me for low cost ammunition... :)
--
"Where some they sell their dreams for small desires."
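The approach Michael describes, rejecting connections whose reverse DNS name looks like a residential or dynamic pool, and the objection Shannon raises, that it also blocks people who legitimately run a server on a dynamic IP, can both be shown in a few lines. The following is an added example written for this page; it is not Michael's milter-regex configuration and not part of the original thread. It uses a small, constructed set of hostname patterns standing in for the "list of dynamic IP (sub)domains" he mentions, parses Postfix smtpd reject lines to pull out the connecting host and address, and adds an allow list as the escape hatch for known-good servers on dynamic addresses. The pattern set, the allow-list mechanism and all sample lines except the one quoted from the thread are assumptions made for the illustration.

```python
"""Reject SMTP connections from hosts whose reverse DNS name looks like a
dynamic or residential address pool, with an allow list for the legitimate
servers that would otherwise be caught.  Added example for this thread; the
patterns and most sample lines below are constructed, not from any real list."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for a "dynamic IP (sub)domain" list.  Real lists are
# much longer (the thread mentions 407 lines) and need tuning per site.
DYNAMIC_HOST_PATTERNS = [
    # RoadRunner residential pool, e.g. CPE-76-178-124-43.natsow.res.rr.com
    re.compile(r"\.res\.rr\.com$", re.IGNORECASE),
    # Names that embed the IP: cpe-76-178-124-43., 76-178-124-43., 76.178.124.43.
    re.compile(r"^(?:cpe-)?(?:\d{1,3}[.-]){3}\d{1,3}[.-]", re.IGNORECASE),
    # Generic dynamic / dial-up markers used as a label or label prefix.
    re.compile(r"(?:^|[.-])(?:dyn|dynamic|dhcp|pool|ppp|dial(?:up)?)(?:[.-]|\d)",
               re.IGNORECASE),
]

# Postfix smtpd reject lines carry "RCPT from <rdns-name>[<ip>]".
LOG_RE = re.compile(r"from (?P<host>[^\s\[]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def is_dynamic_host(hostname: str) -> bool:
    """True if the reverse DNS name matches any dynamic-pool pattern."""
    return any(p.search(hostname) for p in DYNAMIC_HOST_PATTERNS)


def parse_smtpd_line(line: str) -> Optional[Dict[str, str]]:
    """Extract the connecting host name and IP from a Postfix smtpd log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "ip": m.group("ip")}


def should_reject(hostname: str, ip: str, allow: Iterable[str] = ()) -> bool:
    """Reject dynamic-looking hosts unless the name or IP is on the allow list.

    The allow list is the answer to the false-positive problem raised in the
    thread: a friend who runs a real mail server on a cable or DSL address is
    exempted by name or by address instead of being bounced with the zombies."""
    allowed = {a.lower() for a in allow}
    if hostname.lower() in allowed or ip in allowed:
        return False
    return is_dynamic_host(hostname)


# Sample log lines.  The first is the line quoted in the thread; the other
# two are constructed for this example (documentation addresses only).
SAMPLE_LOG: List[str] = [
    "Nov 24 18:39:07 sauron postfix/smtpd[693]: [ID 197553 mail.info] NOQUEUE: "
    "reject: RCPT from CPE-76-178-124-43.natsow.res.rr.com[76.178.124.43]: 450 "
    "4.7.1 <goins-mail1.goins.local>: Helo command rejected: Host not found; "
    "from=<> to=<asanders at siliconsec.com> proto=SMTP helo=<goins-mail1.goins.local>",
    "Nov 24 18:40:12 sauron postfix/smtpd[701]: connect from mail.example.org[203.0.113.25]",
    "Nov 24 18:41:33 sauron postfix/smtpd[704]: connect from "
    "cpe-198-51-100-7.dsl.example-isp.net[198.51.100.7]",
]


def triage(lines: Iterable[str], allow: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Run every parseable smtpd line through the reject decision."""
    results: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_smtpd_line(line)
        if rec is None:
            continue
        results.append({**rec, "reject": should_reject(rec["host"], rec["ip"], allow)})
    return results


if __name__ == "__main__":
    # The third sample host looks dynamic but is a known-good server, so it is
    # allow-listed by name; only the RoadRunner residential host is rejected.
    for r in triage(SAMPLE_LOG, allow=["cpe-198-51-100-7.dsl.example-isp.net"]):
        print(f"{'REJECT' if r['reject'] else 'accept'}  {r['host']} [{r['ip']}]")
```

The pattern list is the part that grows in practice and the part that produces the false positives Shannon complains about; keeping the allow list as a first check, before any regex runs, means a known server is never at the mercy of a too-broad pattern added later.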