From: Len Conrad (no email)
Date: Sat Oct 01 2005 - 13:04:35 EDT
One of my client's IMGate/postfix boxes, which does inbound-only MX
work, has been tarpitted by numerous IPs in these Class Cs.
The Class Cs are:
204.9.240
204.9.241
204.9.242
204.9.243
204.9.244
204.9.245
204.9.246
204.9.247
which are also found here:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL21043
afaics, when postfix smtp SAV calls those IPs, the smtp session is
held by the other end indefinitely, some kind of heart-beat that
keeps postfix smtp from timing out.
mx1# sockstat -4 | egrep -ic "smtp .*204.9.24"
201
mx1# sockstat -4 | egrep -i "smtp .*204.9.24" | less
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
postfix smtp 4449 12 tcp4 69.43.139.225:3790 204.9.247.4:25
postfix smtp 4404 13 tcp4 69.43.139.225:2410 204.9.240.5:25
postfix smtp 4373 12 tcp4 69.43.139.225:1108 204.9.243.5:25
postfix smtp 4372 12 tcp4 69.43.139.225:3623 204.9.240.5:25
postfix smtp 4365 12 tcp4 69.43.139.225:3094 204.9.244.6:25
postfix smtp 4363 12 tcp4 69.43.139.225:3731 204.9.240.6:25
postfix smtp 4362 13 tcp4 69.43.139.225:2462 204.9.242.5:25
postfix smtp 4357 12 tcp4 69.43.139.225:1753 204.9.247.4:25
postfix smtp 4356 12 tcp4 69.43.139.225:4799 204.9.245.5:25
postfix smtp 4355 12 tcp4 69.43.139.225:1046 204.9.240.4:25
postfix smtp 4348 12 tcp4 69.43.139.225:3066 204.9.241.7:25
postfix smtp 4336 13 tcp4 69.43.139.225:2698 204.9.240.6:25
postfix smtp 4335 12 tcp4 69.43.139.225:1713 204.9.244.6:25
postfix smtp 4332 12 tcp4 69.43.139.225:4521 204.9.244.7:25
postfix smtp 4330 12 tcp4 69.43.139.225:2644 204.9.245.6:25
postfix smtp 4329 12 tcp4 69.43.139.225:2107 204.9.245.7:25
postfix smtp 4328 12 tcp4 69.43.139.225:3567 204.9.242.4:25
postfix smtp 4327 12 tcp4 69.43.139.225:1705 204.9.244.7:25
postfix smtp 4325 12 tcp4 69.43.139.225:4760 204.9.245.5:25
postfix smtp 4324 12 tcp4 69.43.139.225:2605 204.9.246.4:25
postfix smtp 4323 12 tcp4 69.43.139.225:4298 204.9.241.6:25
postfix smtp 4322 13 tcp4 69.43.139.225:1861 204.9.244.7:25
postfix smtp 4321 12 tcp4 69.43.139.225:1727 204.9.243.4:25
postfix smtp 4319 12 tcp4 69.43.139.225:2418 204.9.244.4:25
postfix smtp 4318 12 tcp4 69.43.139.225:3576 204.9.247.7:25
postfix smtp 4317 12 tcp4 69.43.139.225:3865 204.9.242.7:25
postfix smtp 4292 12 tcp4 69.43.139.225:1234 204.9.243.5:25
postfix smtp 4291 12 tcp4 69.43.139.225:4094 204.9.241.5:25
postfix smtp 4290 12 tcp4 69.43.139.225:2289 204.9.247.4:25
postfix smtp 4289 12 tcp4 69.43.139.225:3758 204.9.242.6:25
postfix smtp 4284 12 tcp4 69.43.139.225:3470 204.9.242.6:25
postfix smtp 4283 12 tcp4 69.43.139.225:1133 204.9.244.6:25
postfix smtp 4266 14 tcp4 69.43.139.225:1835 204.9.241.6:25
... etc up to 200+ smtp sessions.
We have blocked these Class Cs at our gateway, but is there any param
in postfix that could reduce postfix's vulnerability to tarpitting?
thanks
Len
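The sockstat listing above is the raw evidence; what an operator wants next is the same data aggregated by destination /24 so a tarpit source stands out and can be fed to a firewall table. The script below is an added example, not part of the original post or of IMGate/Postfix. It assumes the FreeBSD `sockstat -4` column layout shown above (FOREIGN ADDRESS in the seventh field) and uses a constructed sample of sessions in place of a live box.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate outbound Postfix
# smtp(8) client sessions from `sockstat -4` output by destination /24 and
# print every prefix holding at least THRESHOLD concurrent sessions to
# port 25. Assumes the FreeBSD sockstat column layout shown in the post.

# Constructed sample: a handful of sessions into 204.9.240/21 plus
# unrelated traffic (an inbound smtpd session and an sshd session) that
# must be ignored.
SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
postfix smtp 4449 12 tcp4 69.43.139.225:3790 204.9.247.4:25
postfix smtp 4404 13 tcp4 69.43.139.225:2410 204.9.240.5:25
postfix smtp 4372 12 tcp4 69.43.139.225:3623 204.9.240.5:25
postfix smtp 4363 12 tcp4 69.43.139.225:3731 204.9.240.6:25
postfix smtp 4357 12 tcp4 69.43.139.225:1753 204.9.247.4:25
postfix smtp 4300 12 tcp4 69.43.139.225:1999 198.51.100.7:25
postfix smtpd 4100 6 tcp4 69.43.139.225:25 203.0.113.9:40321
root sshd 900 4 tcp4 69.43.139.225:22 203.0.113.10:51234'

# count_smtp_by_prefix THRESHOLD   (reads sockstat output on stdin)
# Prints "<count> <a.b.c>.0/24", highest count first, for each destination
# /24 to which the local smtp client holds >= THRESHOLD sessions on port 25.
count_smtp_by_prefix() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        # Only the Postfix smtp client (COMMAND == "smtp") over TCP;
        # the header line and smtpd/sshd rows fail this test.
        $2 == "smtp" && $5 ~ /^tcp/ {
            n = split($7, f, ":")           # FOREIGN ADDRESS -> ip, port
            if (n != 2 || f[2] != "25") next
            split(f[1], o, ".")             # a.b.c.d -> /24 prefix a.b.c
            prefix = o[1] "." o[2] "." o[3] ".0/24"
            count[prefix]++
        }
        END {
            for (p in count)
                if (count[p] >= thr) print count[p], p
        }' | sort -rn
}

# Live usage on the MX:  sockstat -4 | count_smtp_by_prefix 20
# Against the constructed sample with threshold 2 this prints
#   3 204.9.240.0/24
#   2 204.9.247.0/24
printf '%s\n' "$SAMPLE_SOCKSTAT" | count_smtp_by_prefix 2
```

The second column of the output is already in CIDR form, so it can be piped straight into a firewall table (for example a pf table) instead of blocking by hand. On the Postfix side, the knobs that bound how long the verify probe's smtp client waits on the remote end are its per-stage client timeouts (`smtp_connect_timeout`, `smtp_helo_timeout`, `smtp_mail_timeout`, `smtp_rcpt_timeout`, `smtp_quit_timeout`); whether lowering them helps against a peer that keeps feeding bytes to reset the read timer, as the post suspects, is something to confirm by testing against the offending hosts rather than assume.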