[Greylist-users] machine gun
Ken Raeburn
raeburn at raeburn.org
Fri Jan 20 15:21:36 PST 2006
On Jan 20, 2006, at 16:08, Barb Dijker wrote:
> We are starting to see more machine gun spammers. For example,
> yesterday youngexplorerscatalog.net attempted to send a message to a
> single recipient once per second until greylisting allowed the
> message.
Ouch. I assume this is one connection per second, not one repeated
RCPT per second in a single SMTP session.
Sounds like a few spammers may be trying to counteract greylisting
now....
> I'm thinking about a hook to set a threshold for promoting a mail
> server to automatic temporary BL. I've been doing this manually when
> we get hammered. But it is happening too often anymore. Has anyone
> done this already? Suggestions?
Another approach: Increase the delay before sending the tempfail
indication. If the connection attempts are serialized, that should
slow down the attack (and at once per second, I do think "attack" is
the correct word, even in the case of legitimate mail senders). You
could even increase the delays if you find multiple attempts have
been made for an address still blocked by greylisting.
My mail server won't send the greeting banner for 15 seconds after
the connection comes in. If the client starts spewing SMTP commands
before the greeting, in violation of the SMTP spec, my server won't
accept mail from them. It doesn't actually stop a huge fraction of
my incoming mail attempts, but it should slow down the machine-gun
spammers.
Delays like this might help mitigate the problem, but I think your
idea of an automatic temporary BL is a good one too.
Hmm, and now that I look at my logs, I've recently been hit with a
number of cases of connections coming in with 5-10 second delays
between attempts (with my greeting delay, that's one each 20+
seconds) from the same source, trying different HELO names and MAIL
FROM names each time, persistently trying to reach the same
(non-existent) recipients (apparently culled from message-id strings
somewhere). So between having bogus recipients and varying sender
names, nothing's ever going to get through, but it's a drag on my
server. I haven't been hit with the 1-second hammer with a
consistent sender name yet, though.
> A quick peruse of the database shows a small handful of legitimate
> mail that appears to be using the machine gun approach, e.g., mail
> (really) from ebay that was blocked 80 or 90 times before being
> passed once. Blackberry.com does it pretty regularly. An att.net
> outgoing server hit almost once a second. This sort of thing is
> killer to the server with just the connection overhead. Our delay is
> only 4 minutes. So if a triple has been blocked more than 48 times,
> it is trying more frequently than once every 5 seconds. That seems
> excessive.
Have you contacted their postmasters, or their abuse departments,
about what could arguably be called a denial of service attack
originating from their site?
I've known postmasters who consider greylisting to be actively
unfriendly to the sending site, so complaints explicitly discussing
it may or may not be well received. But there are other,
non-greylisting reasons for a server to return temporary failure
indications...
Ken
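As an added illustration of the ideas discussed in this thread (it is not code from the list or from either poster): a small greylist policy sketch in Python that tempfails a new triple for the 4-minute delay, lengthens the hold before each tempfail reply as a triple keeps retrying, and promotes a source that is refused more than 48 times inside that window (faster than once per 5 seconds) to a temporary blocklist. The IP address, mailbox names, blocklist duration and hold cap are constructed assumptions.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 240.0     # seconds; the 4-minute delay mentioned in the thread
HAMMER_THRESHOLD = 48      # more than 48 refusals in the window = faster than once per 5 s
TEMP_BL_DURATION = 3600.0  # assumed: how long a hammering source stays on the temp BL
BASE_HOLD = 1.0            # assumed: seconds to hold the connection before the first tempfail
MAX_HOLD = 30.0            # assumed: cap on the escalating hold


@dataclass
class Entry:
    first_seen: float      # time of the first attempt for this triple
    blocked: int = 0       # how many tempfails this triple has received so far


@dataclass
class Greylist:
    triples: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> Entry
    temp_bl: dict = field(default_factory=dict)  # ip -> time the temporary block expires

    def decide(self, now, ip, sender, rcpt):
        """Return (action, hold_seconds); action is ACCEPT, TEMPFAIL or BLOCK."""
        if self.temp_bl.get(ip, 0.0) > now:
            return "BLOCK", 0.0                  # whole source is on the temporary BL
        key = (ip, sender, rcpt)
        entry = self.triples.get(key)
        if entry is None:
            self.triples[key] = Entry(first_seen=now, blocked=1)
            return "TEMPFAIL", BASE_HOLD          # first sight: classic greylist refusal
        if now - entry.first_seen >= GREYLIST_DELAY:
            return "ACCEPT", 0.0                  # retried after the delay: let it through
        entry.blocked += 1
        if entry.blocked > HAMMER_THRESHOLD:
            self.temp_bl[ip] = now + TEMP_BL_DURATION
            return "BLOCK", 0.0                   # retrying far too fast: promote to temp BL
        # Still inside the delay window: refuse again, but make each serialized
        # retry wait a little longer before it even sees the tempfail reply.
        return "TEMPFAIL", min(BASE_HOLD * entry.blocked, MAX_HOLD)


def simulate(greylist, times, ip, sender, rcpt):
    """Feed connection timestamps for one triple and return the actions taken."""
    return [greylist.decide(t, ip, sender, rcpt)[0] for t in times]


if __name__ == "__main__":
    # Constructed traffic: one triple hammering once per second for a minute.
    hammer = simulate(Greylist(), [float(t) for t in range(60)],
                      "192.0.2.10", "promo@example.net", "user@example.org")
    print(hammer.count("TEMPFAIL"), "tempfails, then", hammer.count("BLOCK"), "blocked")
```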