[c-nsp] Mail bomb mitigation

Church, Chuck cchurch at netcogov.com
Wed Jun 15 12:13:29 EDT 2005


Change the MX record and the external address, in hopes that the
infected sending hosts are doing it via IP, and not host name.
Otherwise, talk to the anti-spam vendor, and get a temporary unlimited
license.  NANOG has some pretty knowledgeable people regarding email.
There are many sendmail techniques regarding reverse DNS that can be
used.  Or if the company is small, build an ACL that only allows SMTP
from certain servers, and add onto that list as external senders
complain.  If you can find out the top 50 or so domains they receive
mail from, you can probably make most of the users happy...


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Turnbow
Sent: Wednesday, June 15, 2005 10:17 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Mail bomb mitigation


Hello everyone, 
I have a customer currently under a mail bomb attack; he's receiving
1,000s of messages a second from 1000s of different IP addresses with a
constantly changing message and subject. The server is behind a pix but,
allowing all connections thru blocks the server, and if I create a
connection limit in the nat statement on the pix I can save the server
but everything that arrives is just junk and 90% of good mail can't get
thru anyway. The customer's antispam is of no use as after 5 minutes he
has exceeded his hourly limit and it disables itself.

Anyone have any ideas for possible solutions? 

Thanks
Brian
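
Added example, not part of the original thread: one way to carry out the reply's suggestion of ranking the domains the customer normally receives mail from and building an allow-list ACL from their sending servers. The sendmail-style log lines, the ACL name `smtp_allow` and all addresses are constructed assumptions; the ACL keys on the relay IP the server logged, not on the forgeable sender address.

```python
import re
from collections import Counter, defaultdict

# Constructed sendmail-style log lines from before the attack (documentation addresses only).
SAMPLE_LOG = """\
Jun 14 09:12:01 mx sendmail[411]: j5E1: from=<ann@partner.example>, size=2048, relay=mail.partner.example [192.0.2.10]
Jun 14 09:13:44 mx sendmail[412]: j5E2: from=<bob@partner.example>, size=900, relay=mail2.partner.example [192.0.2.11]
Jun 14 09:15:02 mx sendmail[413]: j5E3: from=<carol@supplier.example>, size=5120, relay=smtp.supplier.example [198.51.100.7]
Jun 14 09:20:19 mx sendmail[414]: j5E4: from=<ann@partner.example>, size=700, relay=mail.partner.example [192.0.2.10]
Jun 14 09:21:30 mx sendmail[415]: j5E5: from=<dave@rare.example>, size=300, relay=mx.rare.example [198.51.100.200]
Jun 14 09:22:00 mx sendmail[416]: j5E6: to=<user@customer.example>, delay=00:00:01, stat=Sent
Jun 14 09:25:10 mx sendmail[417]: j5E7: from=<erin@supplier.example>, size=640, relay=smtp.supplier.example [198.51.100.7]
"""

# Sender domain from the envelope "from=", peer address from the bracketed relay IP.
LINE_RE = re.compile(r"from=<[^@>\s]+@([^>\s]+)>.*relay=\S*\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def top_sender_relays(log_text, top_n):
    """Return [(domain, message_count, sorted relay IPs)] for the top_n sender domains."""
    counts, relays = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # delivery ("to=") lines and unparsable lines are skipped
        domain, ip = m.group(1).lower(), m.group(2)
        counts[domain] += 1
        relays[domain].add(ip)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return [(d, n, sorted(relays[d])) for d, n in ranked]


def build_acl(ranked, mail_server, acl_name="smtp_allow"):
    """Permit SMTP from each known relay IP, then deny SMTP from everyone else."""
    lines, seen = [], set()
    for _domain, _count, ips in ranked:
        for ip in ips:
            if ip not in seen:  # one relay may serve several domains
                seen.add(ip)
                lines.append(f"access-list {acl_name} permit tcp host {ip} host {mail_server} eq smtp")
    lines.append(f"access-list {acl_name} deny tcp any host {mail_server} eq smtp")
    return lines


if __name__ == "__main__":
    # 203.0.113.25 stands in for the mail server's address (assumption).
    print("\n".join(build_acl(top_sender_relays(SAMPLE_LOG, 2), "203.0.113.25")))
```

Senders outside the top N are blocked until their relay is added, which matches the reply's point about extending the list as external senders complain.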
