[c-nsp] Mail bomb mitigation

Brian Turnbow b.turnbow at twt.it
Wed Jun 15 12:43:40 EDT 2005


You wouldn't want to share your list would you? 
We have more or less gotten things back under control by changing the MX record and "good" mail is moving again, as the attack remains towards the old IP address, but I'm afraid that when the cache times out things will start again tomorrow.
I've never seen such a well-done bomb. The message and subject change just enough every couple of minutes that filtering is impossible and we've logged about 10.000 different IPs from all over the globe as sources.

Thanks to all
Brian



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Franklin
Sent: mercoledì 15 giugno 2005 18.27
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Mial bomb mitigation

> There are many sendmail techniques regarding reverse DNS that can be
> used.

On a personal level, feeding a few dial-up lists to Postfix has worked
wonders for me.  If the victim is seeing thousands of different IP
addresses, there's a good chance it's residential zombies, and most of these
will be caught by the DULs.  I've only used this against spam though, not a
concentrated attack - I don't know how much it will help the load on the
server.

Greylisting is also a personal huge win against spam, but how effective this
is against a mail-bomb will depend on how the attacker behaves when faced
with a 4xx code, and whether the problem is coming from the number of
connections or the volume of message bodies.

Of course, both of these do have the potential for collateral damage, which
is a different decision to make on a company mail server than a personal
one...

Regards,
Tim.

-- 
____________   Tim Franklin                 e: tim at colt.net 
\C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net 
 V  V  V  V    Managed Data Services        t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  
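
Added example, not part of the original thread and not any MTA's own code: a minimal greylisting decision (keyed on client /24, sender and recipient) replayed over constructed traffic, to show how the outcome depends on whether the sending hosts retry after a 4xx. The delay values, addresses and message sizes are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300      # assumed: seconds before a retry of a new triplet is accepted
MAX_AGE = 36 * 3600  # assumed: pending triplets older than this start over

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    @staticmethod
    def key(ip, sender, rcpt):
        # Key on the /24 so a retry from a sibling host of the same farm still matches.
        return (".".join(ip.split(".")[:3]), sender.lower(), rcpt.lower())

    def check(self, now, ip, sender, rcpt):
        """Return the SMTP reply code for one RCPT TO attempt."""
        k = self.key(ip, sender, rcpt)
        if k in self.passed:
            return 250
        seen = self.first_seen.get(k)
        if seen is None or now - seen > MAX_AGE:
            self.first_seen[k] = now      # first sight: temporary failure
            return 450
        if now - seen < MIN_DELAY:
            return 450                    # retried too quickly, still deferred
        self.passed.add(k)
        del self.first_seen[k]
        return 250

def replay(attempts):
    """attempts: (time, ip, sender, rcpt, body_bytes) tuples. Returns load counters."""
    gl = Greylist()
    stats = {"connections": 0, "deferred": 0, "accepted": 0, "body_bytes": 0}
    for now, ip, sender, rcpt, size in sorted(attempts):
        stats["connections"] += 1
        if gl.check(now, ip, sender, rcpt) == 250:
            stats["accepted"] += 1
            stats["body_bytes"] += size   # the body is only transferred after a 250
        else:
            stats["deferred"] += 1
    return stats

# Constructed sample: 1000 sources, each with its own address and sender.
FIRE_AND_FORGET = [(i, f"10.{i // 250}.{i % 250}.7", f"u{i}@example.net",
                    "victim@example.com", 40_000) for i in range(1000)]
RETRYING = FIRE_AND_FORGET + [(t + 600, ip, s, r, n) for t, ip, s, r, n in FIRE_AND_FORGET]

if __name__ == "__main__":
    print("no retry:", replay(FIRE_AND_FORGET))
    print("retry after 10 min:", replay(RETRYING))
```

In this constructed run the non-retrying sources deliver no message bodies but still cost one connection each, while the retrying sources get everything through and double the connection count.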

