When Spammers Attack?
Gothmolly asks: "After reading the recent spate of spam and anti-spam articles here on Slashdot, I decided to beef up the anti-spam security on my own domain. I run my own domain and mail server, running Qmail, along with rblsmtpd. Mail that passes this gets hit with SpamAssassin.
However, one particular spamhaus, Clickformail, has particularly nasty servers: they try at least 2 SMTP connects/second, and I suspect that's only limited by my 384k DSL pipe. The impact on my box was non-zero, to say the least. I ended up putting a packet filter on their class C netblock to stop the barrage of log messages and increase in load (from 0.05 normal to 0.15). Has anyone else experienced such determined spammers, and what is the best way around it?"
Just install the Qmail tarpitting patch. Also, you might want to look at rate limiting at the firewall level to limit the number of incoming connections per second from a given IP. In reality this is just like a DoS attack against any other service.
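As an added illustration that is not part of the original thread: a Python sketch of the per-source connection-rate check that firewall-level rate limiting performs, grouped by /24 the way the asker filtered the whole netblock. The log format, addresses and thresholds are constructed assumptions, not output from Qmail or any real firewall.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample: "<epoch seconds> <source IP>" per inbound SMTP connect.
# 203.0.113.0/24 connects twice a second from two hosts; the others are normal.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 2} 203.0.113.{10 + i % 2}" for i in range(40)]
    + ["1003 198.51.100.7", "1009 198.51.100.7", "1015 192.0.2.25", "not a log line"]
)

def parse(log):
    """Yield (timestamp, /24 netblock) pairs, skipping malformed lines."""
    for line in log.splitlines():
        try:
            ts, ip = line.split()
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            yield int(ts), net
        except ValueError:
            continue  # wrong field count, bad timestamp or bad address

def over_limit(log, max_conns=10, window=10):
    """Return {netblock: peak connects in any `window` seconds} for blocks
    that exceed `max_conns`, i.e. the sources a per-source limit would drop."""
    recent = defaultdict(deque)   # netblock -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, net in sorted(parse(log), key=lambda e: e[0]):
        q = recent[net]
        q.append(ts)
        while q[0] <= ts - window:   # expire connects older than the window
            q.popleft()
        peak[net] = max(peak[net], len(q))
    return {str(n): p for n, p in peak.items() if p > max_conns}

if __name__ == "__main__":
    for net, p in over_limit(SAMPLE_LOG).items():
        print(f"{net}: peak {p} connects / 10 s -> candidate for a drop rule")
```

Aggregating by /24 catches a sender that spreads its connects across several hosts in one netblock, which a strictly per-IP limit would undercount.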
A properly set up packet filter should consume a negligible amount of CPU. Drop the packets, they don't deserve any ICMP response. Pretend you simply don't exist (for their domain).
Life is the slowest way to death.
Well, one way to slow them down (and thus make those spam-bursts more bandwidth/load friendly to your server) is to delay the server responses: with Postfix you can delay those error messages like this:
smtpd_error_sleep_time = 30
which would take 30 seconds from the wrong/blocked SMTP command until Postfix gives an error message. With this easy measure you can seriously slow down those spam-bursts, especially when they try to send several spam mails within the same SMTP session.
It's only disturbing when you try to debug your SMTP with telnet, but that's ok :-)