[77703] in North American Network Operators' Group
Re: Time to check the rate limits on your mail servers
daemon@ATHENA.MIT.EDU (Patrick W Gilmore)
Thu Feb 3 09:44:52 2005
In-Reply-To: <Pine.BSF.4.44.0502030922380.71791-100000@richard2.pil.net>
Cc: Patrick W Gilmore <patrick@ianai.net>
From: Patrick W Gilmore <patrick@ianai.net>
Date: Thu, 3 Feb 2005 09:44:24 -0500
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Feb 3, 2005, at 9:30 AM, up@3.am wrote:
>> One additional thing that I think wasn't mentioned in the article -
>> Make sure your MXs (inbound servers) are separate from your outbound
>> machines, and that the MX servers don't relay email for your dynamic IP
>> netblock. Some other trojans do stuff like getting the ppp domain name
>> / rDNS name of the assigned IP etc and then "nslookup -q=mx
>> domain.com", then set itself up so that all its payloads get delivered
>> out of the domain's MX servers
>
> Easier said than done, especially if you're a small ISP that's been
> doing POP before SMTP and changing this requires that every customer's
> settings be changed.
IMHO, if you are a small ISP and limit the # of e-mails per user per
day, even to something like 1K, you probably don't have to separate the
MX & SMTP servers. But that's me, others might still think you were
being "irresponsible".
> Is there any info on how this zombie is spread? i.e., email worms,
> direct port attacks, etc. If the former, there's hope of nipping it in
> the bud with anti-virus filtering.
All of the above.
--
TTFN,
patrick
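The per-user daily send limit Patrick suggests, enforced on the outbound/submission path (not the inbound MX), as an added example that is not from the thread or any ISP's code; the log line format, the user names and the limit arguments in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAILY_LIMIT = 1000  # the "1K per user per day" figure suggested in the thread


class DailyQuota:
    """Counts messages accepted per authenticated user per UTC day.

    Meant to sit in the outbound/submission path, before a message is
    accepted for relay; it is not an inbound MX filter.
    """

    def __init__(self, limit=DAILY_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)  # (user, date) -> messages accepted

    def allow(self, user, when):
        """Accept and count the message if `user` is under quota for the
        UTC day of `when`; otherwise reject without counting."""
        key = (user, when.astimezone(timezone.utc).date())
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def replay_submission_log(lines, limit=DAILY_LIMIT):
    """Replay submission-log lines of the constructed form
    '<ISO-8601 UTC timestamp> user=<login>' through the quota and
    return {user: number of messages the quota would have rejected}."""
    quota = DailyQuota(limit)
    rejected = defaultdict(int)
    for line in lines:
        stamp, user_field = line.split()
        user = user_field.split("=", 1)[1]
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if not quota.allow(user, when):
            rejected[user] += 1
    return dict(rejected)


# Constructed sample: a compromised account ("bob") bursting 1,200 messages
# in twenty minutes, and a normal user ("alice") sending a few across two days.
SAMPLE_LOG = (
    ["2005-02-03T09:%02d:00Z user=alice" % m for m in range(5)]
    + ["2005-02-03T10:%02d:%02dZ user=bob" % (i // 60, i % 60) for i in range(1200)]
    + ["2005-02-04T08:00:00Z user=alice"]
)

if __name__ == "__main__":
    print(replay_submission_log(SAMPLE_LOG))  # {'bob': 200}
```

The counter resets per UTC day, so a legitimate user who sends a few messages across midnight is never touched while the bursting account is cut off after its first thousand.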