Weird distributed spam attack

Bryan Bradsby Bryan.Bradsby at
Wed Nov 20 15:46:58 UTC 2002

> It *still* does some wonky stuff with secondaries, so I might have to
> buy (grumble) their services as secondary MX spooling.

We have started distributing the list of valid addresses to secondary MX
servers to reduce the store and forward load of dictionary attacks on
those servers. Using a fast response RBL helps, but whitelisting is a
chore. (pick one)

> >I used to believe that running a catchall alias was an effective
> >deterrent until the b*st*rds started sending complete spams and not
> >just RCPT TO.

We have never run catchall, but I am thinking about funneling LUser into
pattern matching (spamassassin, or similar) and then used to build a time
limited local ipfw or ipfirewall table.

We have enough horsepower to filter at the routers, but prefer to let the
routers route, and let the MX boxes filter.

> In fact, in this scenario the catch-all is like pouring gasoline on
> the fire without some giant water tank on the roof to... oh, wait...
> wrong thread. Sorry.

We tried water cooling, but it quit working when they patched the roof.

-bryan bradsby

Texas State Government Net
NOC: 512-475-2432  877-472-4848
"The most likely way for the world to be destroyed,
 most experts agree, is by accident. That's where we come in.
 We're computer professionals. We cause accidents."
                 -- Nathaniel Borenstein  co-author of MIME.
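
Added example, not part of the original post: a sketch of the two ideas in the message above, checking RCPT addresses against a valid-address list held on a secondary MX and turning repeated unknown-user hits from one client into a time-limited block table. The log format, thresholds and all names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed valid-recipient list, standing in for the list pushed to a secondary MX.
VALID = {"alice@example.org", "bob@example.org"}

# Constructed log lines in a hypothetical format: timestamp, client IP, RCPT address.
SAMPLE_LOG = """\
2002-11-20T15:40:00 203.0.113.5 zed@example.org
2002-11-20T15:40:01 192.0.2.10 aaron@example.org
2002-11-20T15:40:02 192.0.2.10 abby@example.org
2002-11-20T15:40:03 192.0.2.10 adam@example.org
2002-11-20T15:40:05 198.51.100.7 alice@example.org
2002-11-20T15:41:00 198.51.100.7 alcie@example.org
2002-11-20T15:42:00 203.0.113.5 zoe@example.org
2002-11-20T15:44:00 203.0.113.5 zack@example.org
"""

WINDOW = timedelta(seconds=60)      # assumed sliding window for counting misses
THRESHOLD = 3                       # assumed unknown-user hits that trigger a block
BLOCK_TTL = timedelta(minutes=30)   # assumed lifetime of a block entry


def build_block_table(log_text, valid=VALID):
    """Return {ip: expiry} for clients with THRESHOLD unknown RCPTs inside WINDOW."""
    misses = defaultdict(deque)     # per-client timestamps of recent unknown RCPTs
    table = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip malformed lines instead of failing
        ts = datetime.fromisoformat(parts[0])
        ip, rcpt = parts[1], parts[2].lower()
        if rcpt in valid:
            continue                # a known recipient is not a dictionary hit
        recent = misses[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()        # forget misses that fell out of the window
        if len(recent) >= THRESHOLD:
            table[ip] = ts + BLOCK_TTL   # a repeat offence extends the expiry
    return table


def active_blocks(table, now):
    """Entries still in force at `now`; expired ones simply drop out."""
    return sorted(ip for ip, expiry in table.items() if expiry > now)
```

A single typo (198.51.100.7) or slow, spaced-out misses (203.0.113.5) stay below the threshold, which is the whitelisting chore the message mentions in another form: the window and threshold decide who gets caught.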
