Security Basics mailing list archives

Re: SMTP DDoS


From: chort <chort () amaunetsgothique com>
Date: 14 Aug 2003 06:34:24 -0700

On Sat, 2003-08-09 at 18:50, Kip Sr. wrote:
> Hi everyone,
> 
> For the past 10 days, our mail exchange server has
> been getting flooded with emails. It appears that an
> attacker is sending out tons of spam through various
> open relays and using our address
> (sales () mycompany com) in the return path. So
> essentially, all bounced emails are coming back to our
> mail server - we're seeing about 30,000 NDRs per day.
> I am using filters to delete the incoming email, but
> does anyone else have any other ideas on how to get
> this stopped? Since the NDRs are coming from
> legitimate sources, checking for open relays won't do
> me any good.
> 
> Help!!!
> 
> Kip.

There are several commercial e-mail security products out there which could
handle this type of problem.  As mentioned previously, sometimes your
firewall will do application-level inspection on SMTP traffic and allow
you to filter it (I believe that CheckPoint FW1 can do this, although I
don't have any experience with it).

If your actual firewall doesn't have that functionality, investigate
e-mail firewalls.  There are several, such as IronMail from
www.ciphertrust.com which can easily handle this situation.  Anything
with a DCC or DCC-like (IronMail has a much improved DCC-like system)
blocking tool should totally eliminate the flood at your gateway and
thus spare your Exchange server.

-- 
Brian Keefer
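As an added illustration (not from this thread or any product named in it), one gateway-side filter in the spirit of Kip's "filters to delete the incoming email": accept a null-sender bounce only if it quotes a Message-ID that our own server actually sent, and count the rest as backscatter per local recipient. The log line format, the orig_id field and the SENT_IDS set are constructed assumptions standing in for what a gateway would extract from each NDR.

```python
import re
from collections import Counter

# Constructed sample of inbound envelope records (not real logs). A sender
# of <> marks a bounce/NDR; orig_id is the Message-ID the NDR quotes back.
SAMPLE_LOG = """\
2003-08-09T10:00:01 from=<> to=<sales@mycompany.com> orig_id=<abc1@mycompany.com>
2003-08-09T10:00:02 from=<> to=<sales@mycompany.com> orig_id=<zz91@spamhost.example>
2003-08-09T10:00:03 from=<customer@example.net> to=<sales@mycompany.com> orig_id=-
2003-08-09T10:00:04 from=<> to=<sales@mycompany.com> orig_id=<zz92@spamhost.example>
2003-08-09T10:00:05 from=<> to=<sales@mycompany.com> orig_id=<zz93@spamhost.example>
2003-08-09T10:00:06 from=<> to=<info@mycompany.com> orig_id=<def2@mycompany.com>
"""

# Hypothetical record of Message-IDs our outbound MTA really emitted.
SENT_IDS = {"<abc1@mycompany.com>", "<def2@mycompany.com>"}

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]+)> orig_id=(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, rcpt, orig_id = m.groups()
    return {"ts": ts, "sender": sender, "rcpt": rcpt,
            "orig_id": orig_id, "is_bounce": sender == ""}


def classify_bounces(log_text, sent_ids):
    """Split NDRs into (legit, backscatter) by whether we sent the original."""
    legit, backscatter = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["is_bounce"]:
            continue  # normal mail or garbage line: not a bounce, leave it alone
        (legit if rec["orig_id"] in sent_ids else backscatter).append(rec)
    return legit, backscatter


def backscatter_per_recipient(log_text, sent_ids):
    """Count forged-bounce volume per local address, for alerting/filtering."""
    _, backscatter = classify_bounces(log_text, sent_ids)
    return Counter(rec["rcpt"] for rec in backscatter)


if __name__ == "__main__":
    print(backscatter_per_recipient(SAMPLE_LOG, SENT_IDS))
```

Bounces that pass the check are the real NDRs for mail we sent; the rest can be rejected at the gateway before they reach Exchange.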

