Cowlark under attack... again

Jun 28, 2004 18:51

Some bastard's attacked my machine again. As a result my mail server's been down for about 50 hours, resulting in lots of bounced email and considerable hassle, which is just what I need right now.
The details: someone claiming to be from 209.161.238.175 started making connections to my machine's SMTP port on June 26, 15:12:10. Ten times a second. Spey, my home-made spam blocker, cooperatively started passing on these requests to exim. 13 seconds later exim started refusing requests, and spey shut down (a known bug).
I'm wondering what the best thing to do here is.
Firstly, of course, I need to fix that bug. That'll stop spey from falling over whenever the downstream SMTP server isn't responding.
Secondly, I should probably harden spey against this sort of attack again in the future. One idea is to implement a flood protection mechanism, so that if too many connections come from a particular address, just stop listening to that address; but that's complicated and fiddly.
A simpler solution would probably be to delay connection to the downstream mail server until we know that it's a real connection. That means that this kind of flooding will use minimal resources; spey is carefully designed so that each incoming connection is cheap. It would be easy to implement, too.
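To make the two ideas above concrete, here is an added example (my own sketch, not spey's code) of both defences in a front-end SMTP proxy: a per-address flood limiter that stops accepting from an address which connects too often, and a session object that answers HELO, MAIL and RCPT itself and only contacts the downstream MTA at DATA, so a connect-and-drop flood never reaches the real server. The thresholds, the `connect_downstream` callable and the sample client dialogue are assumptions chosen for the demonstration.

```python
"""Per-address flood limiting and lazy downstream connection for an SMTP
front-end proxy. Added example, not spey's own code; thresholds and the
connect_downstream callable are assumptions for the demonstration."""
import time
from collections import defaultdict, deque


class FloodLimiter:
    """Sliding-window limiter: more than max_conns connections from one
    address within `window` seconds blocks that address for `block_for` seconds."""

    def __init__(self, max_conns=20, window=10.0, block_for=600.0, clock=time.monotonic):
        self.max_conns, self.window, self.block_for, self.clock = max_conns, window, block_for, clock
        self._hits = defaultdict(deque)   # addr -> timestamps of recent connections
        self._blocked = {}                # addr -> time at which the block expires

    def allow(self, addr):
        now = self.clock()
        if addr in self._blocked:
            if now < self._blocked[addr]:
                return False
            del self._blocked[addr]
        hits = self._hits[addr]
        while hits and now - hits[0] > self.window:   # forget hits outside the window
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_conns:
            self._blocked[addr] = now + self.block_for
            hits.clear()
            return False
        return True


class LazySession:
    """SMTP state for one accepted client. The proxy answers HELO/MAIL/RCPT
    itself and contacts the downstream MTA only at DATA, so a connection that
    never gets that far costs the real server nothing. `connect_downstream`
    is a hypothetical callable that returns a handle or raises OSError."""

    def __init__(self, connect_downstream):
        self.connect_downstream = connect_downstream
        self.downstream = None
        self.helo = self.mail_from = None
        self.rcpts = []
        self.closed = False

    def greeting(self):
        return "220 proxy ESMTP"

    def handle_line(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.helo = arg or None
            return "250 proxy" if self.helo else "501 hostname required"
        if verb == "QUIT":
            self.closed = True
            return "221 bye"
        if verb == "NOOP":
            return "250 ok"
        if self.helo is None:
            return "503 send HELO first"
        if verb == "MAIL":
            if not arg.upper().startswith("FROM:"):
                return "501 syntax: MAIL FROM:<address>"
            self.mail_from = arg[5:].strip()
            return "250 ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            if not arg.upper().startswith("TO:"):
                return "501 syntax: RCPT TO:<address>"
            self.rcpts.append(arg[3:].strip())
            return "250 ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            if self.downstream is None:
                try:
                    self.downstream = self.connect_downstream()
                except OSError:
                    # Downstream refusing is a per-session failure, not a reason
                    # for the proxy to exit: tell the client to retry and drop it.
                    self.closed = True
                    return "421 service unavailable, try again later"
            # A real proxy would now replay HELO, MAIL and RCPT to the downstream.
            return "354 go ahead"
        return "502 command not implemented"


def run_session(addr, client_lines, limiter, connect_downstream):
    """Drive one connection; returns the replies sent, or [] if the address was blocked."""
    if not limiter.allow(addr):
        return []
    session = LazySession(connect_downstream)
    replies = [session.greeting()]
    for line in client_lines:
        if session.closed:
            break
        replies.append(session.handle_line(line))
    return replies


if __name__ == "__main__":
    clock = [0.0]                                   # fake clock so the demo is deterministic
    limiter = FloodLimiter(max_conns=20, window=10.0, clock=lambda: clock[0])
    connects = []
    def downstream():
        connects.append(1)
        return object()
    # Constructed flood: 50 connect-and-drop attempts, ten per second, from one address.
    accepted = sum(1 for _ in range(50) if (clock.__setitem__(0, clock[0] + 0.1) or
                                            run_session("203.0.113.9", [], limiter, downstream)))
    print(f"flood: {accepted} of 50 accepted, downstream contacted {len(connects)} times")
    dialogue = ["EHLO mail.example.org", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", "DATA"]
    print(run_session("198.51.100.7", dialogue, limiter, downstream), len(connects))
```

The flood is absorbed entirely by the proxy: the first twenty connections get a greeting and nothing else, the rest are refused at accept time, and exim is never contacted. A downstream refusal is answered with a 421 for that one session instead of taking the proxy down.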
I do find myself wondering why I got attacked. Random drive-by shooting? Accidental, due to someone's misconfigured computer? Retaliation because I've written an anti-spam tool? (Don't laugh. It happens. Spammers can be very vindictive.) The originating machine is currently not responding, which means it's probably someone's home machine that's currently turned off. Tracing back, it appears to be in Ontario, Canada somewhere. I think I'll send an email to the guy's ISP. I wonder if it was the same one as last time?
Meh. I had better things to do this evening than rewrite my mail server.