
Stopping incoming spam with sendmail




I am having an issue due to a "smart" sysadmin that made some choices while I was away for two months: Spam.



I manage probably close to 10,000 web/mail sites. He decided to let all mail to every one of those domains go to /dev/null if the user did not exist instead of bouncing it back. Which is OK in some cases, but the problem with that is that it says recipient OK for unknown users, which makes spammers believe they are hitting a valid address.



So, with all that said, I am now seeing TONS of attempted spam coming into all of these sites and I can't figure out a fix on a server-by-server basis.



Right now they are back to getting a user unknown, so bandwidth on the network has dropped a decent amount since the actual content is not being delivered; however, since the mail is still making it to me, I am losing a good amount of bandwidth on DNS lookups per message as well as my initial bounceback. Doesn't seem like it would take a lot, but with the volume of sites we are talking about it is relatively significant.




I am using sendmail on CentOS 5. I have full root access to the machines and I am really comfortable with IPTables, tcpdump, kernel modifications, sendmail modifications as well as access list and such on my core routers.



The catch: the company has not purchased a global antispam service. Ideally, if there was a way I could configure sendmail to not do a DNS lookup if mail is sent to an unknown user, that would be a start.


Answer



I'm assuming that bandwidth is the problem you are facing and the solution you are looking for. Please correct me if there is a different problem.



Is this all in one homogeneous internal network or is it a bunch of independent sites/data centres? I'm wondering if it's feasible to run your own caching DNS resolver to cut down on the bandwidth caused by DNS lookups. If not a central one for all mail servers, maybe local caching nameservers at all sites would be feasible.



Another plan would be to block any IP address at the firewall from hitting port 25 that has caused more than 90% unknown user response (minimum of 10 send attempts). You could likely use fail2ban for this purpose.




Can you cut down on the size of your bounce messages?






Other things you should do:




  • Start measuring. See if you can measure how much bandwidth is "wasted" due to spam and at which point in the SMTP conversation it is happening. How much are the DNS lookups contributing? How much is the HELO? How much is headers? How much are the bounce messages? How much does all of this bandwidth cost?


  • Get a spam filtering service. Once you know how much the bandwidth costs and how much of it should be reduced if you had no spam, you can justify the cost of a spam filtering service. If you have measured the bandwidth and you can't reduce it any more, you're going to be paying the money anyway. Change who you pay it to and put one more problem on the "fixed" pile.
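The "more than 90% unknown user responses, minimum of 10 attempts" rule from the answer, worked through over sendmail's own log format as an added example (not code from the original question or answer). The maillog lines it analyses are constructed here, not taken from the page; the queue IDs, host name, and addresses are invented. It assumes the default CentOS 5 sendmail logging: the `User unknown` verdict is written at RCPT time and the `from=` line that names the connecting relay is written when the envelope closes, so the two have to be joined on the queue ID, which is the part a one-line fail2ban regex cannot do on its own.

```python
"""Find relay hosts whose recipient attempts are almost all "User unknown".

Added example. The sample log is constructed; the thresholds (>90% unknown,
at least 10 attempts) are the answer's rule of thumb.
"""
import re
from collections import defaultdict

# One sendmail log line: "... sendmail[pid]: <queue id>: <rest>"
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# relay= is logged as "relay=host [ip]" or just "relay=[ip]"
RELAY_RE = re.compile(r"relay=(?:\S+\s)?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
UNKNOWN_RE = re.compile(r"^<[^>]+>\.\.\. User unknown$")
SENT_RE = re.compile(r"^to=<[^>]+>,.*stat=Sent")


def session_lines(qid, ip, rcpt, unknown):
    """Constructed maillog lines for one envelope from `ip` to `rcpt`.

    Rejected recipients are logged before the from= line (at RCPT time);
    delivered ones are logged after it (at delivery time).
    """
    prefix = f"Jan 12 10:15:30 mx1 sendmail[4101]: {qid}: "
    envelope = prefix + (
        "from=<junk@spammer.invalid>, size=512, class=0, "
        f"nrcpts={0 if unknown else 1}, proto=ESMTP, daemon=MTA, relay=[{ip}]"
    )
    if unknown:
        return [prefix + f"<{rcpt}>... User unknown", envelope]
    verdict = prefix + (
        f"to=<{rcpt}>, delay=00:00:01, xdelay=00:00:01, mailer=local, "
        "pri=30000, dsn=2.0.0, stat=Sent"
    )
    return [envelope, verdict]


def build_sample_log():
    """Three constructed senders: a dictionary attacker, a mixed host, a normal one."""
    lines, n = [], 0

    def add(ip, rcpt, unknown):
        nonlocal n
        n += 1
        lines.extend(session_lines(f"s0CAFU{n:06d}", ip, rcpt, unknown))

    for i in range(12):                      # every recipient bogus: 12/12 unknown
        add("192.0.2.10", f"user{i}@example.com", True)
    for i in range(9):                       # 9 unknown, 2 delivered: ~82% unknown
        add("203.0.113.5", f"guess{i}@example.com", True)
    add("203.0.113.5", "alice@example.com", False)
    add("203.0.113.5", "bob@example.com", False)
    add("198.51.100.7", "carol@example.com", False)  # legitimate host, one typo
    add("198.51.100.7", "carl@example.com", True)
    return "\n".join(lines) + "\n"


def relay_stats(log_text):
    """Return {relay_ip: (recipient_attempts, unknown_count)}."""
    parsed = [(m.group("qid"), m.group("rest"))
              for m in map(QID_RE.search, log_text.splitlines()) if m]
    # Pass 1: queue ID -> relay IP. Done first because the from= line that
    # carries the relay may appear *after* the User unknown verdict.
    relay_of = {}
    for qid, rest in parsed:
        m = RELAY_RE.search(rest)
        if rest.startswith("from=") and m:
            relay_of[qid] = m.group("ip")
    # Pass 2: count verdicts, attributed to the relay via the queue ID.
    stats = defaultdict(lambda: [0, 0])
    for qid, rest in parsed:
        ip = relay_of.get(qid)
        if ip is None:
            continue                          # envelope never closed in this window
        if UNKNOWN_RE.match(rest):
            stats[ip][0] += 1
            stats[ip][1] += 1
        elif SENT_RE.match(rest):
            stats[ip][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def flag_abusive_relays(log_text, min_attempts=10, max_unknown_ratio=0.9):
    """Relays with >= min_attempts whose unknown-user share exceeds the ratio."""
    flagged = {}
    for ip, (attempts, unknown) in relay_stats(log_text).items():
        ratio = unknown / attempts
        if attempts >= min_attempts and ratio > max_unknown_ratio:
            flagged[ip] = (attempts, round(ratio, 3))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    for ip, (attempts, unknown) in sorted(relay_stats(log).items()):
        print(f"{ip:15} attempts={attempts:3} unknown={unknown:3}")
    print("flag for port-25 block:", flag_abusive_relays(log))
```

Only the first host crosses both bars; the second is noisy but delivers real mail, which is exactly why the answer pairs the ratio with a minimum attempt count rather than blocking on unknown-user counts alone. Run against the real maillog, the same two functions give you the per-host numbers the "start measuring" item asks for before any firewall rule is written.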



