North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: up
  • Date: Thu Feb 03 09:34:27 2005

On Thu, 3 Feb 2005, Suresh Ramasubramanian wrote:

> On Thu, 3 Feb 2005 11:42:55 +0000, Michael.Dillon@radianz.com
> <Michael.Dillon@radianz.com> wrote:
> http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
> > that botnets are now routing their mail traffic through the local
> > ISP's mail servers rather than trying their own port 25
> > connections.
>
> Now?  We (and AOL, and some other large networks) have been seeing
> this thing go on since over a year.
>
> > Do you let your customers send an unlimited number of
> > emails per day? Per hour? Per minute? If so, then why?
>
> Doing that - especially now when this article has hit the popular
> press and there's going to be lots more people doing the same thing -
> is going to be equivalent of hanging out a "block my email" sign.

I just implemented a patch to tcpserver which allows me to limit the
number of simultaneous SMTP connections from any one IP, but have not yet
looked into daily/hourly limits.  I know Comcast has started limiting
residential customers to 50-100 emails per day, and that customers with
legitimate reasons for using more than that are starting to complain.

> One additional thing that I think wasnt mentioned in the article -
> Make sure your MXs (inbound servers) are separate from your outbound
> machines, and that the MX servers dont relay email for your dynamic IP
> netblock. Some other trojans do stuff like getting the ppp domain name
> / rDNS name of the assigned IP etc and then "nslookup -q=mx
> domain.com", then set itself up so that all its payloads get delivered
> out of the domain's MX servers

Easier said than done, especially if you're a small ISP that's been doing
POP before SMTP and changing this requires that every customer's settings
be changed.

Is there any info on how this zombie is spread?  ie, email worms, direct
port attacks, etc.  If the former, there's hope of nipping it in the bud
with anti-virus filtering.

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================