Penalties work quite fine...
In postfix:
Every miss for a valid address gets penalized by several seconds; if $count misses occurred, the connection is dropped after $count errors, combined with a connection limit.
Say you allow the same server to connect 5 times per minute, with a 2 seconds delay and a drop after 10 will give:
Number of addresses per minute: 5 * 10 = 50
Delay for 50 addresses = ~100 secs (20 secs if 5 connections are made in parallel - but the connection will be dropped for the next 40 seconds at the smtp greeting)
The smtp service will probably be hammered though - but it will at least cost you fewer cpu cycles to drop the connection at the smtp greeting than to check whether the recipient is valid.
There are some nice 3rd-party tools (mailgraph, pflogsumm) that give you some insight into what's happening, and postfix logs the connection statistics - one of these tools will certainly give you some insight into which IPs you'd like to nullroute...
I dunno about exim's or sendmail's or $your_favourite_mta's possibilities - but we live with this thing quite well over here...
On Mon, Apr 11, 2005 at 20:50:33 +0200, Matthias Hertzog wrote:
> Does anyone of you out there have a "fit for all purpose" solution to such things? We had a similar attack a few weeks ago and solved it with some additional hardware to open more incoming slots. That worked fine and was a
as always - my 2c Philipp
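The penalty scheme Philipp describes, written out as a Postfix main.cf fragment. This is an added example, not configuration from his post or from the Postfix project; the numbers (2 second delay, drop after 10 errors, 5 connections per minute) are taken from the message above, and it assumes Postfix 2.2 or later, since the per-client connection rate limit is enforced by anvil(8), which first shipped in 2.2.

```ini
# Added example (not from the post above): a Postfix main.cf fragment that
# expresses the penalty scheme described in the message, using its numbers.
# Assumes Postfix 2.2 or later (the connection rate limit needs anvil(8)).

# Reject recipients that do not exist instead of accepting and bouncing;
# each such "miss" counts as one error for the limits below.
smtpd_reject_unlisted_recipient = yes

# Error penalties, counted per SMTP session.
# Start delaying responses at the first error (the post: "every miss gets
# penalized by several seconds"); the default of 10 would let the first
# nine probes through at full speed.
smtpd_soft_error_limit = 1
# "2 seconds delay": every response after the soft limit waits this long.
smtpd_error_sleep_time = 2s
# "drop after 10": disconnect once a session has made this many errors.
smtpd_hard_error_limit = 10

# Connection limits, counted per client IP and enforced at the greeting.
# "5 times per minute": at most 5 new connections per anvil_rate_time_unit.
smtpd_client_connection_rate_limit = 5
anvil_rate_time_unit = 60s
# Also cap simultaneous sessions from one client (the post's "5 in parallel").
smtpd_client_connection_count_limit = 5
# Do not throttle your own relays; $mynetworks is the default exemption.
smtpd_client_event_limit_exceptions = $mynetworks

# Resulting ceiling per client: 5 connections/min * 10 errors = 50 address
# probes per minute, each answered after a 2 s delay; the 6th connection in
# a minute is refused at the greeting before any recipient lookup runs.
```

Keep the exemption list in mind when testing: a probe run from inside $mynetworks will never hit the rate limit, so verify from an outside address, and watch the `anvil` statistics lines in the mail log to confirm the limit is being applied to the clients you expect.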