Slashdot Mirror


When Spammers Attack?

Gothmolly asks: "After reading the recent spate of spam and anti-spam articles here on Slashdot, I decided to beef up the anti-spam security on my own domain. I run my own domain and mail server, running Qmail, along with rblsmtpd. Mail that passes this gets hit with SpamAssassin. However, one particular spamhaus, Clickformail, has particularly nasty servers; they try at least 2 SMTP connects/second, and I suspect that's only limited by my 384k DSL pipe. The impact on my box was non-zero, to say the least. I ended up putting a packet filter on their class C netblock to stop the barrage of log messages and the increase in load (from 0.05 normal to 0.15). Has anyone else experienced such determined spammers, and what is the best way around it?"


  1. Not much to do... by cyb97 · Score: 3, Interesting

    In the case of serious spamhouses (if they can be called 'serious') there isn't much one can do...
    If linespeed/CPU load is such a problem that you need to block it at a higher level than the application, go for packet filtering (which you've done). I'd guess the next step would be blocking them at router level, preferably on the other side of that 384k line... probably impossible, as I guess it's an xDSL line from somebody who doesn't provide that kind of service?
    You could try hitting their ISP's abuse@, but it usually turns up blank or gets a 'we already know and don't care' reply...

  2. Don't fool around! Hit 'em hard! by spoonist · Score: 5, Interesting

    I dunno dude, but it sounds to me like you're the victim of a Denial of Service (DoS) attack. If I were you I would document each and every single occurrence (time, size, IP addresses, etc.) and attach a dollar value to each occurrence (time spent, hard drive space filled up, bandwidth filled up, down time, new equipment bought to counter the threat, etc.).

    Then give a call to the U. S. Secret Service Electronic Crimes Branch or the FBI National Computer Crime Squad or the National Infrastructure Protection Center.

    Note that each of these organizations has a dollar amount threshold. If the crime doesn't break the threshold (e.g. over $10k or something (I don't know the actual numbers, but I'm sure they can be found here)), then they won't investigate the crime.

  3. Re:Simplest solution by muonzoo · Score: 3, Interesting

    I think all the people proposing a rate-limited iptables / packet filter solution are on the right track, but missing a bigger part of the problem.

    You want to be able to stop those packets from hitting your 384Kbps xDSL line. Otherwise, you are not only losing processing time dealing with the junk; you are having to give up a fraction of your bandwidth too.

    Admittedly, it isn't a large chunk of your bandwidth. Likely around 3/4 - 1.0 %. However, it won't take much to get out of control.

    This is where the real problem lies, and xDSL service providers seldom are willing to route or modify the feeds they send clients. In fact, they frequently don't have the infrastructure for it at all.
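The detection side of what the question and comment 3 describe, as an added example that is not code from anyone in this thread: parse tcpserver-style connection log lines, count SMTP connection attempts per /24 in a sliding window (a spamhaus rotates through many hosts in one netblock, so a per-IP limit would under-count), and emit the iptables rules to drop the offending block or to rate-limit any /24 at the host. The log format, the sample lines, the thresholds and the RFC 5737 documentation addresses are all constructed assumptions; the hashlimit module is available on modern Linux kernels, not on a 2002-era box.

```python
"""Find netblocks hammering an SMTP listener and build host-side filter rules.

Added illustration; the log format, sample lines and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample in the style of "tcpserver -v" output with a timestamp
# prefix.  203.0.113.0/24 plays the hammering spamhaus; 198.51.100.7 is an
# ordinary, well-behaved sender.  Both ranges are RFC 5737 documentation space.
SAMPLE_LOG = """\
2002-08-14 22:13:01.100 tcpserver: pid 4711 from 203.0.113.10
2002-08-14 22:13:01.600 tcpserver: pid 4712 from 203.0.113.11
2002-08-14 22:13:02.000 tcpserver: pid 4713 from 198.51.100.7
2002-08-14 22:13:02.050 tcpserver: pid 4714 from 203.0.113.10
2002-08-14 22:13:02.500 tcpserver: pid 4715 from 203.0.113.12
2002-08-14 22:13:03.020 tcpserver: pid 4716 from 203.0.113.10
2002-08-14 22:13:03.510 tcpserver: pid 4717 from 203.0.113.13
2002-08-14 22:13:04.000 tcpserver: pid 4718 from 203.0.113.11
2002-08-14 22:13:04.490 tcpserver: pid 4719 from 203.0.113.10
2002-08-14 22:13:40.000 tcpserver: pid 4720 from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"tcpserver: pid \d+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_log(text):
    """Yield (epoch_seconds, ip_string) for each connection line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        # Assume UTC so the arithmetic does not depend on the host's zone.
        yield ts.replace(tzinfo=timezone.utc).timestamp(), m.group("ip")


def find_hammering_netblocks(text, window_seconds=2.0, max_attempts=3, prefixlen=24):
    """Return {"a.b.c.0/24": peak_attempts} for netblocks that exceeded
    max_attempts connection attempts inside any window_seconds window."""
    windows = defaultdict(deque)   # netblock -> timestamps in the current window
    peak = {}                      # netblock -> most attempts seen in one window
    for ts, ip in sorted(parse_log(text)):      # sort: lines may be interleaved
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        q = windows[net]
        q.append(ts)
        while ts - q[0] > window_seconds:       # slide the window forward
            q.popleft()
        peak[net] = max(peak.get(net, 0), len(q))
    return {str(n): p for n, p in peak.items() if p > max_attempts}


def drop_rule(network):
    """The blunt fix the question describes: drop SMTP from the whole netblock."""
    return f"iptables -I INPUT -s {network} -p tcp --dport 25 -j DROP"


def ratelimit_rule(prefixlen=24, rate="2/sec", burst=5):
    """Generic host-side limit: drop new SMTP connections from any /prefixlen
    that opens more than `rate` connections (after a burst of `burst`).
    Uses the hashlimit match, keyed on source netblock rather than single IP."""
    return (
        "iptables -I INPUT -p tcp --dport 25 --syn "
        f"-m hashlimit --hashlimit-above {rate} --hashlimit-burst {burst} "
        f"--hashlimit-mode srcip --hashlimit-srcmask {prefixlen} "
        "--hashlimit-name smtp -j DROP"
    )


if __name__ == "__main__":
    offenders = find_hammering_netblocks(SAMPLE_LOG)
    for net, attempts in offenders.items():
        print(f"{net}: {attempts} attempts inside a 2 s window")
        print(drop_rule(net))
    print(ratelimit_rule())
```

Note the caveat comment 3 raises still applies: either rule keeps the packets off the mail daemon and out of the logs, but every SYN has already crossed the DSL line before the kernel discards it, so host-side filtering saves CPU and disk, not upstream bandwidth.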