http://xblog.xman.org/articles/2008/03/25/mail-ddos en-us 40 hey, if it has a capital X in it, it has to be great! <p>It appears as though I am experiencing an e-mail based DDOS. As near as I can tell, thousands if not millions of messages addressed to jslopez@xman.org are bouncing around the Internets as I write this. I have no idea <em>why</em> this e-mail address was selected (AFAIK, this address has never been a valid address). Furthermore, the DATA segment of the e-mails appears to be empty. Greylist rejects seem to cause many of the <strikeout>bots</strikeout>MTA&#8217;s to immediately attempt another delivery.</p> <p>The net effect of all this was to completely tie up my mail server and for the most part prevent any mail delivery. I&#8217;ve now tweaked the server a bit so I do eventually get mail, but it is still rather grim. So far, I&#8217;m killing connections to clients after two errors, I&#8217;ve trimmed my accept queue depth, and dramatically increased the number of simultaneous connections I will process. The overall effect has been pretty taxing on my mail server, and I still see significant delays in delivery times, so I&#8217;m all ears to any brilliant suggestions on how to address this problem.</p> <p>If you are a mail admin and are wondering why your queues are backed up with tons of jslopez@xman.org e-mail, please, please kill it. I suspect thought that most of my mail is coming from bots, so I&#8217;ll probably need to start adding immediate filtering at connect time that drops suspected bots.</p> <p>Is this happening to anyone else?</p> Tue, 25 Mar 2008 03:25:00 -0700 urn:uuid:2398720c-7e71-4af2-9a3e-44e1eedae9cd Christopher Smith http://xblog.xman.org/articles/2008/03/25/mail-ddos Security spam jslopez xman.org ddos smtp mail