[Greylist-users] Stopping "machine gunners" - not really a
Barb Dijker
barb at netrack.net
Wed Mar 15 13:34:17 PST 2006
Thanks for all the recent tips especially wrt sendmail. Time to
implement those.

Just fyi to all. Greylisting is great for what it does, but I still
use other means in addition to greylisting to divert things, e.g.,
blacklisting. I recently had some similar problems that were
resolved by this:

http://www.spamhaus.org/drop/

The above list is hard to find on spamhaus. I only see it buried as
the last item in their "ISP Spam Issues" FAQ. I originally applied
it as intended by null routing all those blocks at my core/borders.
Doing so does not block the first incoming tcp SYN packet, only the
returned ACK. So then my mail servers were getting hit by what
looked like port 25 SYN attacks - sometimes 10-20 times as many SYN
packets as connections. The traffic was at times crippling, but not
visible in the sendmail log because there wasn't a full connection.
Adding an incoming filter for those blocks of course did the trick.

I've been using the drop list on a production commercial customer
network (not just the mail server) for almost a year without anyone
wishing we were not.

Barb Dijker x100
Netrack, 3080 Valmont Rd Ste 200, Boulder CO 80301
+1.303.938.0188, toll free +1.888.9Netrack, fax +1.303.938.0177
www.netrack.net
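
The message above contrasts null routing with an inbound filter for the same blocks. As an added example (not part of the original post, and not Spamhaus or Netrack code), this sketch turns a DROP-style list into an inbound source filter; the "CIDR ; reference" line layout, the nftables output, the table, set and chain names, and the protected prefix are all assumptions.

```python
import ipaddress

# Constructed sample ("CIDR ; reference" layout assumed); RFC 5737 prefixes, not real entries.
SAMPLE = """\
; constructed sample, not real list data
192.0.2.0/25 ; EXAMPLE-1
192.0.2.128/25 ; EXAMPLE-2
198.51.100.0/24 ; EXAMPLE-3
198.51.100.7/24 ; host bits set
0.0.0.0/0 ; would cut off everything
"""
PROTECTED = [ipaddress.IPv4Network("203.0.113.0/24")]  # hypothetical own prefix

def parse_drop(text, protected=PROTECTED):
    """Return (collapsed IPv4 networks, rejected raw lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # strip trailing comment
        if not entry:
            continue  # blank or comment-only line
        try:
            net = ipaddress.IPv4Network(entry)  # strict: host bits must be zero
            if any(net.overlaps(p) for p in protected):
                raise ValueError("overlaps protected address space")
        except ValueError:
            rejected.append(raw)  # keep for review instead of silently dropping
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected  # merged prefixes

def nft_ruleset(nets, table="dropfilter"):  # renders an inbound source filter
    if not nets:
        raise ValueError("refusing to render an empty filter set")
    elements = ", ".join(str(n) for n in nets)
    return (
        f"table inet {table} {{\n"
        f"  set drop4 {{\n"
        f"    type ipv4_addr\n"
        f"    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        f"  }}\n"
        f"  chain inbound {{\n"
        f"    type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @drop4 counter drop\n"
        f"  }}\n}}\n"
    )

if __name__ == "__main__":
    print(nft_ruleset(parse_drop(SAMPLE)[0]), end="")
```

The `input` hook covers traffic addressed to the host itself; on a router protecting other machines the same rule would sit in a `forward` chain.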