Basically someone decided to fire off many emails to us. Their effort was from some team of bots (ToB), and came largely from the .ru domain.
I wrote some quick and dirty tools to scan our logs and generate a hash table of IP addresses, and plugged this into an smtpd client filter. So after the first few failed emails, we have the bot’s signature. And we can reject future emails from them, even for a short period of time.
A little Perl, a quick configuration change, and whammo. DoS fell off after about 1 hour. This is a little better than the DNS attacks on the DoS I had found previously … basically redirecting mail to a different machine. The latter also loses legitimate mail, but it collapses the ToB darned fast. The former catches repeat offenders.
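The log-scan-to-filter step described above, sketched as an added example in Python (not the author's Perl tools). It assumes Postfix-style smtpd reject lines and an access table consumed by `check_client_access`; the log lines, threshold and allowlisted network are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Postfix smtpd log format; addresses are documentation ranges.
_REJ = ("Mar  3 10:0{m}:0{s} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
        "unknown[{ip}]: 550 5.1.1 <u{s}@example.org>: Recipient address rejected: "
        "User unknown; from=<x@example.ru> to=<u{s}@example.org> proto=ESMTP helo=<h>")
SAMPLE_LOG = "\n".join(
    [_REJ.format(m=0, s=s, ip="203.0.113.7") for s in range(3)]      # repeat offender
    + [_REJ.format(m=1, s=0, ip="198.51.100.20")]                    # single failure
    + [_REJ.format(m=2, s=s, ip="192.0.2.10") for s in range(4)]     # our own relay
    + ["Mar  3 10:03:00 mx postfix/smtpd[2101]: connect from unknown[203.0.113.9]"]
)

# Capture the client IP of every 4xx/5xx smtpd rejection.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+?\[([0-9A-Fa-f.:]+)\]: [45]\d\d ")

def count_rejects(log_text):
    """Return a Counter mapping client IP -> number of rejected commands."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def build_access_table(counts, threshold=3, allow=()):
    """Return access-table lines for IPs at or above threshold, skipping allowed networks."""
    allowed = [ip_network(n) for n in allow]
    blocked = []
    for text, n in counts.items():
        try:
            ip = ip_address(text)
        except ValueError:
            continue  # malformed address in the log; never write it to the table
        if n >= threshold and not any(ip in net for net in allowed):
            blocked.append(ip)
    blocked.sort(key=lambda ip: (ip.version, int(ip)))
    return [f"{ip} REJECT repeated delivery failures" for ip in blocked]

if __name__ == "__main__":
    table = build_access_table(count_rejects(SAMPLE_LOG), allow=["192.0.2.0/24"])
    print("\n".join(table))
```

Written to a file and compiled with `postmap`, the output can be referenced from `smtpd_client_restrictions` as a `check_client_access hash:` table. Regenerating the table from only recent log lines is what keeps a block short-lived, and the allowlist keeps your own relays out of it.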