Chris Callahan wrote:
On Mon, 18 Jun 2007, David F. Skoll wrote:
That's not my experience. We use a greet_pause of only 5 seconds, and
we still get quite a few:
We get about 1000 a day, which is negligible compared to the rest of our
traffic and compared to the 100,000 per day we got two years ago.
Perhaps people are still pointing old bots at us or something. We use
the Sendmail greet_pause feature with a 5 second delay, and are still
averaging about 120K rejects per day based on that hurdle.
+1, there is no overwhelming pattern.
For us, our philosophy is to design for query dissemination and minimal
session residence time. It all came down to enforcing "obvious" SMTP
compliance and providing connection limits, load limits, monitoring your
connection queues, balancing, etc., based on the system's scalability needs.
IOW, rather than pull your hair trying to figure out the randomness of the
bad guy, just set your controls and limits to handle the loading you
need and it pretty much works itself out.
For example, one server may have:
Maximum Accept Load: X
Maximum Accept Connections: X+5
This means that X sessions can be active at a given time, with 5 put
into a wait queue, i.e. no greeting response until a new slot is available.
If there is a DoS, it is handled gracefully, and if the bad guys are
impatient and can't wait for the SMTP standard 5 minutes, they typically
drop pretty quickly. It tickles me pink to watch these randomly
occurring attacks quickly peter off.
If and when the greeting is presented, we found the following observations:
- Multi-line greetings will knock out a good bit of the non-SMTP-compliant
bulk spammers not expecting multiple-line responses of any kind.
- Strict EHLO/HELO domain literal checking knocks out a significant
amount of these types of bulk spammers.
Hector Santos, CTO
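
The two observations above, sketched as an added example (not part of the original message and not code from any mail server named in the thread). The function names, the rule that a bracketed address literal must equal the connecting IP, and the rejection of bare IPs and single-label names are assumptions about what "strict" checking means here.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def multiline_greeting(hostname, extra_lines):
    """Build a 220 greeting; every line but the last uses the '220-' continuation."""
    lines = [f"{hostname} ESMTP"] + list(extra_lines)
    out = [f"220-{text}" for text in lines[:-1]] + [f"220 {lines[-1]}"]
    return "\r\n".join(out) + "\r\n"


def check_helo(arg, peer_ip):
    """Return (accepted, reason) for an EHLO/HELO argument sent from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    if arg.startswith("[") and arg.endswith("]"):
        body = arg[1:-1]
        is_v6 = body.lower().startswith("ipv6:")  # RFC 5321 form: [IPv6:...]
        try:
            claimed = ipaddress.ip_address(body[5:] if is_v6 else body)
        except ValueError:
            return False, "malformed address literal"
        if claimed.version != (6 if is_v6 else 4):
            return False, "malformed address literal"
        # Assumed policy: the literal must be the address we accepted from.
        if claimed != peer:
            return False, "address literal does not match connecting IP"
        return True, "address literal matches connecting IP"
    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass
    else:
        return False, "bare IP address; literals must be bracketed"
    labels = arg.rstrip(".").split(".")
    # Assumed policy: require at least two well-formed labels.
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        return False, "not a fully qualified domain name"
    return True, "syntactically valid domain"


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    print(multiline_greeting("mx.example.test", ["Ready"]), end="")
    for helo in ("[192.0.2.10]", "[192.0.2.99]", "192.0.2.10", "localhost"):
        print(helo, check_helo(helo, "192.0.2.10"))
```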