Botnet attack - how long?

wheel

3:54 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've got a client's domain that is getting hammered with a dictionary email attack and has been since last night. Spammers are basically sending mail to anything@domain.com.

The spam is coming from all over the place, which leads me to believe that they've got a botnet set up sending these out. I don't think I can just ban a few IPs and be done with it.

Is there any easy way to stop this (I'm thinking not), failing that does anyone know how long these things typically last? I may just ride it out if they'll be done in a day.

wheel

7:54 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just got word back from my friendly and helpful ISP. They're real techheads but came back with some great possibilities.

First suggestion is to ride it out, it generally stops after a day or two.

Second suggestion is to set up a script that captures IP addresses on the fly and immediately blocks them using IPtables. That seems like a reasonable solution if this carries on.

His third suggestion was to point the MX/mail record over to another IP address where I'm not listening on the mail port. Basically drop all the email, the traffic to my server, and the tying up of my mail program and greylisting. This seems to be another easy solution. Given our recent conversations here about fixing other people's hacked windows computers, perhaps I should redirect my mail records over to the IP address of one of the hacked boxes ;).
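
The second suggestion in the post above (capture the IP addresses that keep probing for non-existent mailboxes and block them with iptables) carried through as an added example; this is not code from the thread or from the ISP. It assumes Postfix-style smtpd log lines (the sample lines below are constructed, with RFC 5737 documentation addresses), a hypothetical dedicated chain named DICTSPAM, and a threshold of five "User unknown" rejects within ten minutes. The script only prints the iptables commands; running them (and expiring the blocks later) is left to the operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style log excerpt: one host (203.0.113.10) is walking a
# dictionary, one (198.51.100.7) sends two unknown recipients far apart, and
# 192.0.2.5 is a legitimate sender who mistyped one address and got greylisted once.
SAMPLE_LOG = """\
May  8 15:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <xckjsdf@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:01:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:01:15 mx postfix/smtpd[1240]: 4F2C1A: client=mail.example.org[192.0.2.5]
May  8 15:01:40 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <abbey@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:02:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <abbot@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:02:30 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <zack@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:02:55 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <abel@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:03:10 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.5]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:03:12 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.5]: 450 4.2.0 <jon.smith@example.com>: Recipient address rejected: Greylisted
May  8 15:03:41 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <abigail@example.com>: Recipient address rejected: User unknown in local recipient table
May  8 15:20:00 mx postfix/smtpd[1262]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <zoe@example.com>: Recipient address rejected: User unknown in local recipient table
"""

# Only permanent "User unknown" rejects count; greylisting (450) and normal
# client= lines are not evidence of a dictionary run.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 550 .*User unknown"
)


def parse_rejects(log_text):
    """Return [(timestamp, client_ip), ...] for every unknown-recipient reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is fine
        # because only the differences between timestamps are used below.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_offenders(events, threshold=5, window_minutes=10, allowlist=frozenset()):
    """Map client IP -> peak number of rejects seen inside any sliding window.

    Only IPs reaching `threshold` are returned; IPs in `allowlist` (your own
    relays, monitoring hosts) are never blocked no matter what they do.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip in events:
        if ip not in allowlist:
            by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def iptables_rules(ips, chain="DICTSPAM"):
    """Build iptables commands that drop port-25 traffic from the given IPs.

    A dedicated chain keeps the dynamic blocks separate from the rest of the
    firewall, so `iptables -F DICTSPAM` lifts all of them once the run is over.
    """
    rules = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -C INPUT -p tcp --dport 25 -j {chain} 2>/dev/null || "
        f"iptables -I INPUT -p tcp --dport 25 -j {chain}",
    ]
    for ip in sorted(ips):
        rules.append(f"iptables -A {chain} -s {ip} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    offenders = find_offenders(parse_rejects(SAMPLE_LOG))
    for ip, hits in offenders.items():
        print(f"# {ip}: {hits} unknown recipients in one window")
    print("\n".join(iptables_rules(offenders)))
```

In production the same functions would be fed from `tail -F` on the mail log rather than a string, and the generated commands piped to a shell with root privileges; the allowlist is the piece not to skip, since a misparsed line from your own forwarding host would otherwise cut it off.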

Receptional Andy

7:57 pm on May 8, 2008 (gmt 0)



>> anything@domain.com

Can you not just lose the catch-all? They attract huge volumes of spam, even without a particular domain being targeted.

wheel

8:29 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I did do that and that helped substantially. But as it stands my email program has to still respond to all these connections, log them and process them, go through greylisting, deny because there's no one there by that address and so on.

It's not so much getting the emails in the inbox, it's that the large volume has the potential to tie up the server due to the small amount of processing X a huge volume of connections.

Before I caught it, the domain did have a catch-all that was redirecting to another server. That server was denying because of all the connections from my server, then my server was queuing and caching then resending them again, and so on. That eventually caused a cycle that brought the server down for a bit. My server is way overpowered so it did recover. And killing the catch-all put the server back under regular loads again. The server's fine now despite all the connections.

Receptional Andy

8:45 pm on May 8, 2008 (gmt 0)



It sounds like you may be doing more processing than is necessary for email addresses that don't exist. The conversation with your server is likely something like this:

HELO possible-trigger
MAIL FROM:possible-trigger@example.com
RCPT TO:xckjsdf@example.com

If you drop at that point (possibly before) then processing is likely to be tolerable. It depends on what kind of volume you're talking about though I guess. A fairly standard box should be able to handle tens of thousands of those a day without much worry. YMMV of course!
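
The exchange sketched above, carried through with both sides' messages, as an added example that is not part of the original thread: a small SMTP state machine that answers each client command and refuses unknown recipients at RCPT TO with a permanent 550, so the session never reaches DATA, no message is queued and no forwarding loop can start. The mailbox table, the local domain and the cut-off after three unknown recipients (a 421 that ends the connection) are assumptions for the example, standing in for a real recipient lookup and a real server's policy.

```python
import re

# Constructed recipient table standing in for the real mailbox lookup.
LOCAL_DOMAINS = frozenset({"example.com"})
MAILBOXES = frozenset({"andy@example.com", "wheel@example.com"})

# Accepts both "<user@host>" and the bare "user@host" form seen in the thread.
ADDR_RE = re.compile(r"^<?([^<>\s]+@[^<>\s]+)>?$")


def parse_address(arg, keyword):
    """Pull the address out of 'FROM:<a@b>' or 'TO:a@b'; None if malformed."""
    if not arg.upper().startswith(keyword + ":"):
        return None
    m = ADDR_RE.match(arg[len(keyword) + 1:].strip())
    return m.group(1).lower() if m else None


def smtp_session(client_lines, max_unknown=3):
    """Return the server's reply to each client line.

    Unknown local recipients are rejected at RCPT TO, so the envelope is
    decided before any message body is transferred; after `max_unknown`
    misses the server closes the connection instead of serving as an oracle
    for the rest of the dictionary.
    """
    replies = []
    helo_done, sender, accepted, unknown = False, None, [], 0
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo_done = True
            replies.append("250 mx.example.com")
        elif verb == "MAIL":
            addr = parse_address(arg, "FROM")
            if not helo_done:
                replies.append("503 5.5.1 Send HELO/EHLO first")
            elif addr is None:
                replies.append("501 5.1.7 Bad sender address syntax")
            else:
                sender = addr
                replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = parse_address(arg, "TO")
            if sender is None:
                replies.append("503 5.5.1 Need MAIL command")
            elif addr is None:
                replies.append("501 5.1.3 Bad recipient address syntax")
            elif addr.rsplit("@", 1)[1] not in LOCAL_DOMAINS:
                replies.append("554 5.7.1 Relay access denied")   # not our domain
            elif addr not in MAILBOXES:
                unknown += 1
                if unknown > max_unknown:
                    replies.append("421 4.7.0 Too many unknown recipients, closing connection")
                    break                                           # drop the session
                replies.append(f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown")
            else:
                accepted.append(addr)
                replies.append("250 2.1.5 Ok")
        elif verb == "DATA":
            # Nothing to deliver to: refuse to open the body phase at all.
            if not accepted:
                replies.append("503 5.5.1 No valid recipients")
            else:
                replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            break
        else:
            replies.append("502 5.5.2 Command not implemented")
    return replies


if __name__ == "__main__":
    probe = ["HELO possible-trigger",
             "MAIL FROM:possible-trigger@example.com",
             "RCPT TO:xckjsdf@example.com",
             "DATA", "QUIT"]
    for c, s in zip(probe, smtp_session(probe)):
        print(f"C: {c}\nS: {s}")
```

The work done per probe is one string match and one set lookup, which is why the "tens of thousands a day" figure above is comfortable; the expensive parts (greylisting state, queueing, forwarding to the other server) only begin after a 250 at RCPT TO, and for a dictionary run they never do.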