Blocking a runaway mail server with OpenBSD
This morning starting at 4:30am ET I had to deal with a runaway mail server trying to connect over and over to the GeekISP inbound mail server. Most of my spam countermeasures are somewhat fire-and-forget, or really only require tuning based on message content, so I was a little rusty when dealing with this.
I chose to simply let OpenBSD’s spamd deal with the crazy amount of requests, in an effort to slow down the sender. I figured that since they were so aggressive, it was possibly a programming bug on something on their end, and it might just keep trying to connect if I just did an ordinary firewall block (plus I get to see how bad they’re really trying this way). Perhaps I’m being too generous.
The basic steps are:
- Remove them from spamd's database: `spamdb -d <ip>`
- Add the offender to the `spamd` table: `pfctl -t spamd -T add <ip>`
- Kill any existing states: `pfctl -k <ip>`
Turns out I had to fully stop ’spamd’ before I could get them truly removed from the database. There was a timing problem here - I’d go and remove them from the db, but they still had an active state, so spamd would see some traffic and go add them back. I tried it in the other order too, but it suffers from similar problems (though, perhaps it was the 4:30am part of the equation that accounted for that).
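The three steps above, scripted in the order that actually worked (spamd stopped first, so it cannot re-add the host while its state is still open), as an added example that is not from the original post. It assumes a recent OpenBSD where spamd is managed with `rcctl` and must run as root; the `DRY_RUN` switch, the `is_ipv4` check and the sample address are my own additions.

```shell
#!/bin/sh
# Added example, not from the original post. Blocks a runaway SMTP client the
# way the post describes: stop spamd, forget the host in spamdb, put it in the
# <spamd> table (tarpit rather than silent drop), kill its states, restart spamd.
# Usage: sh block_runaway.sh 192.0.2.10          (real run, as root on OpenBSD)
#        DRY_RUN=1 sh block_runaway.sh 192.0.2.10 (print the commands only)
set -eu

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255, so that a stray
# log fragment or hostname can never reach pfctl as an argument.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                      # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run CMD...: execute the command, or just print it when DRY_RUN=1 so the
# sequence can be inspected on a machine without pf or spamd.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# block_runaway_host IP: the post's procedure in the order the author found
# necessary. Stopping spamd first closes the window in which it sees traffic
# from the still-open state and re-adds the host to its database.
block_runaway_host() {
    ip=$1
    is_ipv4 "$ip" || { echo "block_runaway_host: bad address '$ip'" >&2; return 1; }
    run rcctl stop spamd               # 1. spamd can no longer re-learn the host
    run spamdb -d "$ip"                # 2. drop its greylist/whitelist entry
    run pfctl -t spamd -T add "$ip"    # 3. tarpit it via the <spamd> table
    run pfctl -k "$ip"                 # 4. kill the states it already holds
    run rcctl start spamd              # 5. bring spamd back
}

if [ $# -eq 1 ]; then
    block_runaway_host "$1"
fi
```

Afterwards `pfctl -t spamd -T show` confirms the entry and `spamdb | grep <ip>` should come back empty; if the host reappears in spamdb, a state survived step 4 and the sequence needs to be repeated.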
I also sent mail to the appropriate abuse@ email, and got back a “we got your note” almost immediately. We’ll see if I hear anything from them.
The upside of all this is that GeekISP now supports per-ip inbound smtp connection limits, rather than just a maximum concurrency. So if this happens again, I probably won’t even notice.
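What a per-source inbound SMTP limit looks like in pf, as an added example of the kind of rule the post alludes to; it is not GeekISP's configuration. The interface name, the thresholds and the table layout are assumptions; `max-src-conn`, `max-src-conn-rate` and `overload <table> flush` are standard pf state options, and `spamd` is the 8025/tcp service from OpenBSD's /etc/services.

```pf
# Added example, not GeekISP's pf.conf. Assumes spamd in greylisting mode
# listening on 127.0.0.1:8025 and an external interface named em0.
ext_if = "em0"
table <spamd> persist         # hosts spamd tarpits (the post's "spamd table")
table <spamd-white> persist   # hosts that passed greylisting (kept by spamlogd)

# pf evaluates rules last-match-wins unless "quick" is used.

# Anything already in <spamd> is tarpitted, even if it is also whitelisted:
# that is what makes the overload below effective for known-good senders.
pass in quick on $ext_if proto tcp from <spamd> to port smtp \
    rdr-to 127.0.0.1 port spamd

# Everyone else goes to spamd for greylisting by default ...
pass in on $ext_if proto tcp to port smtp rdr-to 127.0.0.1 port spamd

# ... except whitelisted hosts, which reach the real MTA. A single source may
# hold at most 10 completed connections and open at most 30 in 300 seconds;
# crossing either limit adds it to <spamd> and flushes its states, so the next
# connect lands in the tarpit instead of the MTA and the runaway is slowed
# down without anyone getting up at 4:30am.
pass in on $ext_if proto tcp from <spamd-white> to port smtp \
    keep state (max-src-conn 10, max-src-conn-rate 30/300, \
                overload <spamd> flush)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; hosts the overload rule catches show up in `pfctl -t spamd -T show` and can be released later with `pfctl -t spamd -T delete <ip>`. The 10 and 30/300 figures are placeholders to tune against real traffic: a legitimate relay that fans out many messages can trip a limit set too low.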
[Aside: it occurred to me that a ‘DOS’ attack also refers to ‘denial of sleep’. How appropriate.]