[wplug-plan] Followup on email outage yesterday (Feb 01, 2005)

Bill Moran wmoran at potentialtech.com
Thu Feb 3 09:02:20 EST 2005


Jonathan S Billings <billings at negate.org> wrote:
> Yesterday, around 9:30PM, Bethlynn mentioned to me on IRC that she was 
> getting a lot of bounce notifications from our mail server for WPLUG, 
> penguin.wplug.org.  I saw that I was receiving them as well, since 
> bethlynn and I are the recipients of root at wplug.org and 
> postmaster at wplug.org.
> 
> It looks like someone was doing an alphabetic address spamming attempt 
> against the backup MX for gunix.net.  penguin.wplug.org provides the 
> backup store-and-forward MX capability for gunix.net, a domain owned by 
> one of the founders of WPLUG, Jeremy.  There were hundreds of emails 
> arriving per minute, all destined to be relayed to his email server in 
> Seattle.
> 
> I found that all the incoming connections for this spam were coming from 
> a single IP, so I set iptables to just drop all packets from that host. 
> That stopped the spam, but there was still a lot of email queued up. 
> I went through and manually deleted all the mail that was to be relayed 
> to falken.gunix.net, as well as deleting as much of the queued mail that 
> was bounce notifications.  I still received about 150 bounce 
> notifications in my inbox.
> 
> I've since removed the line in our sendmail configuration that relays 
> mail destined for gunix.net.  This problem impacted the group's server 
> and potentially could have caused mail to have been dropped.  We've been 
> providing a backup MX service for gunix.net for quite a while, and I 
> appreciate all the efforts that Jeremy has provided in the past, but I 
> would prefer we not have penguin provide this service in the future.  I 
> don't think that the store-and-forward mechanism of a backup MX is a 
> good idea, and the aforementioned problem is a direct result of this 
> configuration.  I believe that Bill Moran had a couple slides about this 
> in his Spam talk.  :)

While I'm not in a position of authority, I will comment as it seems as
if I've been asked.

> Jeremy has asked that I restore the configuration to penguin.wplug.org. 
> I'll leave it up to the leadership of WPLUG to decide as to what 
> should be done.

I have no real knowledge of Jeremy's involvement, and I can't make a
determination on what he has "earned" because of that.

If Jeremy has helped out WPLUG in the past, he should be given a
grace period, at least.  Probably give him a month or so.

If the determination is made to keep doing store/forward for him, then
some arrangement should be made where his user list is available to
penguin, so that penguin can refuse to accept mail for non-existent
users, instead of generating a buttload of bounces.

If it were my call, I'd ask Jeremy to justify the need for store/forward
to begin with.  It's not really needed on the modern internet, except
in some exceptional cases.  This would just make his whole mail system
simpler, as well as penguin's config.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
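The backscatter mechanism Bill describes, as an added illustration that is not part of the thread and not penguin's sendmail configuration: a backup MX that blindly accepts for the relayed domain must later bounce every guessed address to the forged sender, while one that validates recipients at RCPT time refuses them in-session and generates no bounces. The user list and the attack sessions are constructed, hypothetical values.

```python
"""Model of a backup MX for a relayed domain, with and without recipient
validation.  Constructed example; KNOWN_USERS is a hypothetical user list
of the kind the primary MX would have to supply to the backup."""
from dataclasses import dataclass, field

RELAY_DOMAIN = "gunix.net"              # domain penguin relayed for (from the thread)
KNOWN_USERS = {"jeremy", "postmaster"}  # hypothetical valid local parts


@dataclass
class Outcome:
    rejected_at_rcpt: int = 0   # refused with 550 during the SMTP session
    relayed: int = 0            # accepted and queued for the primary MX
    bounces_generated: int = 0  # DSNs the backup MX must send to the sender
    queue: list = field(default_factory=list)


def rcpt_decision(recipient, validate):
    """SMTP reply (code, text) for RCPT TO at the backup MX."""
    local, _, domain = recipient.rpartition("@")
    if domain != RELAY_DOMAIN:
        return 550, "relaying denied"       # not a domain we back up
    if validate and local.lower() not in KNOWN_USERS:
        return 550, "User unknown"          # reject now: no message, no bounce
    return 250, "ok"                        # store-and-forward accepts blindly


def run_backup_mx(sessions, validate):
    """sessions: list of (envelope sender, recipient) pairs.
    Without validation the primary rejects unknown users later, and the
    backup, already having accepted the message, must bounce it."""
    out = Outcome()
    for sender, rcpt in sessions:
        code, _ = rcpt_decision(rcpt, validate)
        if code != 250:
            out.rejected_at_rcpt += 1
            continue
        out.relayed += 1
        out.queue.append((sender, rcpt))
    for sender, rcpt in out.queue:
        if rcpt.split("@")[0].lower() not in KNOWN_USERS:
            out.bounces_generated += 1      # DSN to a forged, innocent sender
    return out


# Constructed dictionary run: forged senders, alphabetically guessed local parts.
ATTACK = [("victim%d@example.org" % i, "%s@gunix.net" % name) for i, name in
          enumerate(["aaron", "abby", "jeremy", "adam", "postmaster", "alex"])]
```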