Skip to main content

Stopping incoming spam with sendmail




I am having an issue due to a "smart" sysadmin that made some choices while I was away for two months: Spam.



I manage probably close to 10,000 web/mail sites. He decided to allow all mail to everyone of those domains go to /dev/null if the user did not exist instead of bouncing it back. Which is OK in some cases but the problem with that is that it says recipient OK for unknown users which makes spammers believe they are hitting a valid address.



So, with all that said I am now seeing TONS of attempted spam coming into all of these sites and I can't figure out a fix on server a by server basis.



Right now they are back to getting a user unknown so bandwidth on the network has dropped a decent amount since the actual content is not being delivered, however since the mail is still making it to me I am losing a good amount of bandwidth on DNS lookups per message as well as my inital bounceback. Doesn't seem like it would take a lot but with the volume of sites we are talking about it is relatively significant.




I am using sendmail on CentOS 5. I have full root access to the machines and I am really comfortable with IPTables, tcpdump, kernel modifications, sendmail modifications as well as access list and such on my core routers.



The catch, the company has not purchased a global antispam service. Ideally if there was a way I could configure sendmail to not do a DNS lookup if mail is sent to an unknown user that would be a start.


Answer



I'm assuming that bandwidth is the problem you are facing and the solution you are looking for. Please correct me if there is a different problem.



Is this all in one homogenous internal network or is it a bunch of independent sites/data centres? I'm wondering if it's feasible to run your own caching DNS resolver to cut down on the bandwidth caused by DNS lookups. If not a central one for all mail servers, maybe local caching nameservers at all sites would be feasible.



Another plan would be to block any IP address at the firewall from hitting port 25 that has caused more than 90% unknown user response (minimum of 10 send attempts). You could likely use fail2ban for this purpose.




Can you cut down on the size of your bounce messages?





Other things you should do:




  • Start measuring. See if you can measure how much bandwidth is "wasted" due to spam and at which point in the SMTP conversation it is happening. How much are the DNS lookups contributing? How much is the HELO? How much is headers? How much is the bounce messages? How much does all of this bandwidth cost?


  • Get a spam filtering service. Once you know how much the bandwidth costs and how much of it should be reduced if you had no spam, you can justify the cost of a spam filtering service. If you have measured the bandwidth and you can't reduce it any more, you're going to be paying the money anyway. Change who you pay it to and put one more problem on the "fixed" pile.




Comments

Post a Comment

Popular posts from this blog

linux - Awstats - outputting stats for merged Access_logs only producing stats for one server's log

I've been attempting this for two weeks and I've accessed countless number of sites on this issue and it seems there is something I'm not getting here and I'm at a lost. I manged to figure out how to merge logs from two servers together. (Taking care to only merge the matching domains together) The logs from the first server span from 15 Dec 2012 to 8 April 2014 The logs from the second server span from 2 Mar 2014 to 9 April 2014 I was able to successfully merge them using the logresolvemerge.pl script simply enermerating each log and > out_putting_it_to_file Looking at the two logs from each server the format seems exactly the same. The problem I'm having is producing the stats page for the logs. The command I've boiled it down to is /usr/share/awstats/tools/awstats_buildstaticpages.pl -configdir=/home/User/Documents/conf/ -config=example.com awstatsprog=/usr/share/awstats/wwwroot/cgi-bin/awstats.pl dir=/home/User/Documents/parced -month=all -year=all...
Post a Comment
Read more

iLO 3 Firmware Update (HP Proliant DL380 G7)

The iLO web interface allows me to upload a .bin file ( Obtain the firmware image (.bin) file from the Online ROM Flash Component for HP Integrated Lights-Out. ) The iLO web interface redirects me to a page in the HP support website ( http://www.hp.com/go/iLO ) where I am supposed to find this .bin firmware, but no luck for me. The support website is a mess and very slow, badly categorized and generally unusable. Where can I find this .bin file? The only related link I am able to find asks me about my server operating system (what does this have to do with the iLO?!) and lets me download an .iso with no .bin file And also a related question: what is the latest iLO 3 version? (for Proliant DL380 G7, not sure if the iLO is tied to the server model)
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits, ...
Post a Comment
Read more