#1
03-09-2006, 04:12 PM
sgb
Intermediate Member
Posts: 15

How can I prevent my server from crashing in a DOS attack??

Hello, I was getting thousands of emails from another server attempting to relay these messages. As it was explained to me in the post below, Zimbra digests email in postfix > amavis > postfix > mailbox order.

Is my server being used to forward spam?
The 10000 emails trying to be relayed seem to have been sitting in the queue and trying to get resent, because even after I blocked all traffic incoming to or outgoing from my server, Zimbra was still trying to resend them.

How can I have postfix analyse the incoming emails, check the headers and see if in fact they are trying to get relayed from an invalid local domain, and discard them right from the beginning instead of passing the email to amavis and then to postfix and ultimately bringing down the server? I know there's a way, because until I get this fixed I have set up another server instead of Zimbra, with the same amount of traffic trying to be relayed through it, and it discards the email right from the beginning.
I need to know how to do this because blocking a segment of IPs is really impractical, and in the future I want to be able to prevent this no matter where it comes from.

Thanks very much.

Last edited by sgb; 03-09-2006 at 04:27 PM..
#2
03-09-2006, 04:34 PM
Zimbra Employee
Posts: 2,103

What does your network look like, and what do the recipients of these messages look like, wrt your domain? Also, are they coming from an IP on your subnet, or something in the wild? Do you have a catch-all address set up on your domains?

Recipient verification can happen in several ways, and zimbra should behave as follows:

Mail from remote IPs to domains that aren't in zimbra should be dropped at the SMTP RCPT phase (mail never gets queued).

Mail from any IP to invalid addresses on your domain should be dropped at the SMTP RCPT phase (mail never gets queued).

If the mail is getting queued, and it's bound for a remote (not zimbra hosted) domain, then it should be coming from an IP that postfix considers "local". If this is the case, is the spammer on your network?

If the mail is bound for internal domains, but invalid addresses, it should be bounced (with a 550 error code).
#3
03-09-2006, 04:34 PM
Zimbra Employee
Posts: 4,792

Do you have the RBLs enabled? Assuming those IPs are blacklisted, they should get dropped at the edge.
#4
03-10-2006, 06:41 AM
sgb
Intermediate Member
Posts: 15

I have a Linux firewall in front of my email server forwarding all the traffic to my email server. One of my thoughts was that since the firewall is receiving all incoming email and forwarding it to the email server, in the process the email server receives it as if all email is coming from the internal IP of the firewall, 192.168.1.1, instead of the original address the email comes from. I do have RBL enabled and it really doesn't do much, since these IP addresses are blacklisted and the server still processes the email coming from these addresses.
When I did a postsuper -D ALL to delete all the queued email in postfix there were about 10000 emails sitting in the queue, and I could see the server processing them; below is an excerpt of the log.


Mar 10 04:36:31 mi6 amavis[32233]: (32233-07) Blocked SPAM, LOCAL [192.168.1.1] [200.96.176.121] <qeepxm@yahoo.com.tw> -> <littlepup33@yahoo.com.tw>,<littlepuppet.tw@yahoo.com.tw>,<littlepuppy7191@yahoo.com.tw>,<littlepuppylover@yahoo.com.tw>,<littlepuppyruru@yahoo.com.tw>, Message-ID: <%MESSAGEID@yahoo.com.tw>, mail_id: gYNKjCpOk0wR, Hits: 27.369, 1611 ms
Mar 10 04:36:31 mi6 postfix/smtp[29370]: 14F4A3645C5: to=<littlepup33@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.5.0 Ok, id=32233-07, BOUNCE)
Mar 10 04:36:31 mi6 postfix/smtp[29370]: 14F4A3645C5: to=<littlepuppet.tw@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.5.0 Ok, id=32233-07, BOUNCE)
Mar 10 04:36:31 mi6 postfix/smtp[29370]: 14F4A3645C5: to=<littlepuppy7191@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.5.0 Ok, id=32233-07, BOUNCE)
Mar 10 04:36:31 mi6 postfix/smtp[29370]: 14F4A3645C5: to=<littlepuppylover@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.5.0 Ok, id=32233-07, BOUNCE)
Mar 10 04:36:31 mi6 postfix/smtp[29370]: 14F4A3645C5: to=<littlepuppyruru@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.5.0 Ok, id=32233-07, BOUNCE)
Mar 10 04:36:31 mi6 postfix/qmgr[28965]: 14F4A3645C5: removed
Mar 10 04:36:31 mi6 amavis[32233]: (32233-07) extra modules loaded: Net/LDAP/Bind.pm
Mar 10 04:36:33 mi6 postfix/cleanup[29368]: 1D14D3645D0: message-id=<%MESSAGEID@yahoo.com.tw>
Mar 10 04:36:33 mi6 postfix/qmgr[28965]: 1D14D3645D0: from=<zklexqrovuu@yahoo.com.tw>, size=4076, nrcpt=6 (queue active)
Mar 10 04:36:33 mi6 amavis[31169]: (31169-07) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20060310T012534-31169: <zklexqrovuu@yahoo.com.tw> -> <littlebaby_twins@yahoo.com.tw>,<littlebabychi@yahoo.com.tw>,<littlebabyegg@yahoo.com.tw>,<littlebabygogogo@yahoo.com.tw>,<littlebabywu@yahoo.com.tw>,<littlebady4209@yahoo.com.tw> Received: SIZE=4076 from mi6.extier.com ([127.0.0.1]) by localhost (mi6.extier.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31169-07; Fri, 10 Mar 2006 04:36:33 -0500 (EST)
Mar 10 04:36:33 mi6 amavis[31169]: (31169-07) Checking: StKpKM48UpyZ [192.168.1.1] <zklexqrovuu@yahoo.com.tw> -> <littlebaby_twins@yahoo.com.tw>,<littlebabychi@yahoo.com.tw>,<littlebabyegg@yahoo.com.tw>,<littlebabygogogo@yahoo.com.tw>,<littlebabywu@yahoo.com.tw>,<littlebady4209@yahoo.com.tw>
Mar 10 04:36:34 mi6 postfix/smtpd[29369]: 732663645C5: client=unknown[192.168.1.1]
Mar 10 04:36:34 mi6 amavis[31169]: (31169-07) BAD HEADER from <zklexqrovuu@yahoo.com.tw>: Non-encoded 8-bit data (char A1 hex) in message header 'From': From: "\\241\\267\\241\\264 \\270\\321\\250M\\266U\\264\\332\\247x...
Mar 10 04:36:34 mi6 amavis[31169]: (31169-07) NOTICE: Not sending DSN, spam level exceeds DSN cutoff level for all recips, mail intentionally dropped
Mar 10 04:36:34 mi6 amavis[31169]: (31169-07) Blocked SPAM, LOCAL [192.168.1.1] [255.6.206.227] <zklexqrovuu@yahoo.com.tw> -> <littlebaby_twins@yahoo.com.tw>,<littlebabychi@yahoo.com.tw>,<littlebabyegg@yahoo.com.tw>,<littlebabygogogo@yahoo.com.tw>,<littlebabywu@yahoo.com.tw>,<littlebady4209@yahoo.com.tw>, Message-ID: <%MESSAGEID@yahoo.com.tw>, mail_id: StKpKM48UpyZ, Hits: 30.087, 1591 ms
Mar 10 04:36:34 mi6 postfix/smtp[29370]: 1D14D3645D0: to=<littlebaby_twins@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=5, status=sent (250 2.5.0 Ok, id=31169-07, BOUNCE)
Mar 10 04:36:34 mi6 postfix/smtp[29370]: 1D14D3645D0: to=<littlebabychi@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=5, status=sent (250 2.5.0 Ok, id=31169-07, BOUNCE)
Mar 10 04:36:34 mi6 postfix/smtp[29370]: 1D14D3645D0: to=<littlebabyegg@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=5, status=sent (250 2.5.0 Ok, id=31169-07, BOUNCE)
Mar 10 04:36:34 mi6 postfix/smtp[29370]: 1D14D3645D0: to=<littlebabygogogo@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=5, status=sent (250 2.5.0 Ok, id=31169-07, BOUNCE)
Mar 10 04:36:34 mi6 postfix/smtp[29370]: 1D14D3645D0: to=<littlebabywu@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1], delay=5, status=sent (250 2.5.0 Ok, id=31169-07, BOUNCE)

Last edited by sgb; 03-10-2006 at 06:43 AM..
#5
03-10-2006, 08:40 AM
Zimbra Employee
Posts: 2,103

Is the firewall simply NATting the connections, or is it accepting the mail on port 25, queueing it, and handing it off to zimbra?

If the former, it should preserve the IP of the original connection.

If the latter, you should set up anti-spam measures on the MTA on your FW.
#6
03-10-2006, 11:27 AM
sgb
Intermediate Member
Posts: 15

The firewall is simply NATing port 25 to the internal email server, which is the Zimbra server.

This is the traffic pattern (incoming):
yahoo.com:25 > external firewall NIC > NAT > zimbra (internal IP)

Thanks
#7
03-10-2006, 01:38 PM
Zimbra Employee
Posts: 2,103

So it should be getting the remote IP as the connection source, and recognizing that as non-local - is that the case?
#8
03-13-2006, 06:27 AM
sgb
Intermediate Member
Posts: 15

Yes, it should be receiving the message with the remote IP address.
#9
03-13-2006, 08:12 AM
Zimbra Employee
Posts: 2,103

Right, but is postfix recognizing that address as non-local? (That is, is the connection source NOT covered by the mynetworks parameter in postfix?)
#10
03-13-2006, 01:50 PM
sgb
Intermediate Member
Posts: 15

Postfix does not recognize these addresses as local addresses, that is, they are not included in the mynetworks parameter.

See below: the 192.168.1.1 address is my firewall passing emails to my email server, which is 192.168.1.10, and the other addresses are the remote addresses; none of the remote addresses are included in the postfix networks.

I got 10000 more emails over the weekend.

Thanks guys for your help.

Mar 7 14:14:11 mi6 postfix/smtpd[5544]: B767A8AE374: client=unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/cleanup[5430]: CD2028AE365: message-id=<MJYEPOXMSMZPJOSQIEONWLZQE@yahoo.com>
Mar 7 14:14:12 mi6 postfix/qmgr[572]: F02FC8AD8F8: removed
Mar 7 14:14:05 mi6 postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <carot@ms59.url.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<carot@ms59.url.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:05 mi6 postfix/smtpd[1299]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <b0002738960@sun1.snet.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<b0002738960@sun1.snet.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:06 mi6 postfix/smtpd[17351]: 1AB018AD8F3: client=unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/smtp[29617]: 7E4368ACC08: to=<KOUICHI.310@EZWEB.NE.JP>, relay=127.0.0.1[127.0.0.1], delay=5503, status=sent (250 2.6.0 Ok, id=28731-02, from MTA([127.0.0.1]:10025): 250 Ok: queued as 154758AE344)
Mar 7 14:14:12 mi6 postfix/smtpd[5432]: 7C0EB8AD8F2: client=unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/smtpd[1305]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <kevin@intellisys.com.tw>: Relay access denied; from=<Elaine.Ford@yahoo.co.jp> to=<kevin@intellisys.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:12 mi6 postfix/smtpd[26991]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/smtpd[5309]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/smtpd[29125]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 550 <halers@combrand.com>: Recipient address rejected: combrand.com; from=<ziey@mx.west.saic.com> to=<halers@combrand.com> proto=SMTP helo=<mx.west.saic.com>
Mar 7 14:14:13 mi6 postfix/smtpd[23714]: 58AC68AD8F8: client=unknown[192.168.1.1]
Mar 7 14:14:13 mi6 postfix/smtpd[19600]: 5C4948AE375: client=unknown[192.168.1.1]
Mar 7 14:14:13 mi6 postfix/cleanup[5424]: 1B9FB8AE366: message-id=<WXYTMEXLDKGXLHWIQSKY@yahoo.com>
Mar 7 14:14:13 mi6 postfix/cleanup[27366]: BB0518AE369: message-id=<NUANMZINZKHQABHNKRSCDZRID@hotmail.com>
Mar 7 14:14:13 mi6 postfix/smtpd[23269]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/smtpd[26752]: 0AF4F8AE376: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/smtpd[28847]: 274938AE377: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/smtpd[5479]: 27C208AE378: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/smtpd[2329]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <doris197628@yahoo.com.tw>: Relay access denied; from=<Salvatore.Hoyt@msa.hinet.net> to=<doris197628@yahoo.com.tw> proto=SMTP helo=<adpp41.b.astral.ro>
Mar 7 14:14:14 mi6 postfix/cleanup[17456]: BAF6A8AE368: message-id=<OYNPUFQACPWRAEYVJMLMITEKO@>
Mar 7 14:14:14 mi6 postfix/smtpd[23321]: 644E58AE379: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/smtpd[10132]: 87B938AE37A: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/cleanup[17067]: 3A92B8AE358: message-id=<@>
Mar 7 14:14:14 mi6 postfix/smtpd[8875]: 95DC48AE37B: client=unknown[192.168.1.1]
Mar 7 14:14:14 mi6 postfix/cleanup[5420]: E03CA8AE36A: message-id=<MEVFRREXBUWUSLTVIYGCFU@hotmail.com>
Mar 7 14:14:16 mi6 postfix/cleanup[5425]: 7F8FC8AE367: message-id=<HIEJDEQFEOAJLZNSKOEHNMGPU@81.56.15.95>
Mar 7 14:14:16 mi6 postfix/smtpd[684]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <showcorn@yahoo.com.tw>: Relay access denied; from=<Osvaldo.Butts@msa.hinet.net> to=<showcorn@yahoo.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:17 mi6 postfix/smtpd[23267]: B09B38AE37C: client=unknown[192.168.1.1]
Mar 7 14:14:17 mi6 postfix/smtpd[17703]: B9DE08AE37D: client=unknown[192.168.1.1]
Mar 7 14:14:19 mi6 postfix/smtpd[27335]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:19 mi6 postfix/cleanup[17066]: 427248AE36C: message-id=<IDDNMDHLXWJOCCBJICSZGX@sinamail.com>
Mar 7 14:14:21 mi6 postfix/smtpd[23237]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:22 mi6 postfix/cleanup[25851]: DECA68AE36F: message-id=<@>
Mar 7 14:14:22 mi6 postfix/cleanup[27367]: B767A8AE374: message-id=<NODJSWQJIAJOLCEMAEHAM@>
Mar 7 14:14:20 mi6 postfix/smtpd[5545]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:20 mi6 postfix/pickup[571]: 2A7838AD0EC: uid=502 from=<fzpyuvvt@yahoo.comand> orig_id=E7E568AD7DE
Mar 7 14:14:21 mi6 postfix/qmgr[572]: 5B2048AE326: from=<ytzrhccwlsskuk@abidjan.net>, size=13653, nrcpt=4 (queue active)
Mar 7 14:14:21 mi6 postfix/smtpd[1305]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <kevin@intex.com.tw>: Relay access denied; from=<Elaine.Ford@yahoo.co.jp> to=<kevin@intex.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:21 mi6 postfix/smtpd[1299]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <b0002738961@sun1.snet.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<b0002738961@sun1.snet.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:21 mi6 postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <carote@ms10.url.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<carote@ms10.url.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:21 mi6 postfix/smtpd[32253]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:22 mi6 postfix/smtpd[23361]: connect from unknown[192.168.1.1]
Mar 7 14:14:22 mi6 postfix/qmgr[572]: 9F7088ACAA3: removed
Mar 7 14:14:22 mi6 postfix/smtpd[2253]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <a5941877@yahoo.com.tw>: Relay access denied; from=<Cleveland.Burks@msa.hinet.net> to=<a5941877@yahoo.com.tw> proto=SMTP helo=<dsl-200-78-115-129.prod-infinitum.com.mx>
Mar 7 14:14:22 mi6 postfix/cleanup[17704]: 2A7838AD0EC: message-id=<ZHPMUDOPMZQVCZYLBCTBSLPB@hemmb.www-mailserver.com>
Mar 7 14:14:22 mi6 postfix/cleanup[17393]: B2CAD8AE372: message-id=<@>
Mar 7 14:14:22 mi6 postfix/smtpd[29125]: lost connection after RCPT from unknown[192.168.1.1]
Mar 7 14:14:22 mi6 postfix/smtpd[29125]: disconnect from unknown[192.168.1.1]
Mar 7 14:14:22 mi6 postfix/smtpd[1299]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <b0002738962@sun1.snet.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<b0002738962@sun1.snet.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:22 mi6 postfix/smtpd[1305]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <kevinchiou@ing.com.tw>: Relay access denied; from=<Elaine.Ford@yahoo.co.jp> to=<kevinchiou@ing.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:22 mi6 postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <caroter@ms28.hinet.net>: Relay access denied; from=<.@msa.hinet.net> to=<caroter@ms28.hinet.net> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:22 mi6 postfix/cleanup[17394]: A8A118AE36D: message-id=<DDHBIWGHEXEBZZWQHHUUQ@>
Mar 7 14:14:22 mi6 postfix/cleanup[17024]: 0AF4F8AE376: message-id=<YVPKJDIRXWIICUNPETSSBEHD@yahoo.com>
Mar 7 14:14:23 mi6 postfix/smtpd[1305]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <kevinfeng@iptec.com.tw>: Relay access denied; from=<Elaine.Ford@yahoo.co.jp> to=<kevinfeng@iptec.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:23 mi6 postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <carotsai@ms22.hinet.net>: Relay access denied; from=<.@msa.hinet.net> to=<carotsai@ms22.hinet.net> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:23 mi6 postfix/smtpd[23266]: 282AA8ACAA3: client=unknown[192.168.1.1]
Mar 7 14:14:23 mi6 postfix/smtpd[2329]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <doris19780801@yahoo.com.tw>: Relay access denied; from=<Salvatore.Hoyt@msa.hinet.net> to=<doris19780801@yahoo.com.tw> proto=SMTP helo=<adpp41.b.astral.ro>
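An added check, written for this edit and not code from the thread or from Zimbra, that turns the Zimbra employee's question (is postfix seeing the remote IP, or the firewall's?) into something you can run over smtpd log lines of the shape sgb posted: per client IP it tallies messages that got a queue id (accepted past RCPT) against NOQUEUE rejects, records the reject reasons and HELO names, and flags an RFC 1918 address that carries most of the sessions, which is exactly what a NAT firewall that does not preserve the source address produces. The sample lines are constructed in the thread's log format; mail.example.net and 203.0.113.7 are placeholders.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the excerpt posted in this thread (not the
# poster's full log): accepted mail gets a queue id; RCPT-stage rejects say NOQUEUE.
SAMPLE_LOG = """\
Mar 7 14:14:11 mi6 postfix/smtpd[5544]: B767A8AE374: client=unknown[192.168.1.1]
Mar 7 14:14:05 mi6 postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 <carot@ms59.url.com.tw>: Relay access denied; from=<.@msa.hinet.net> to=<carot@ms59.url.com.tw> proto=SMTP helo=<209.154.12.10>
Mar 7 14:14:06 mi6 postfix/smtpd[17351]: 1AB018AD8F3: client=unknown[192.168.1.1]
Mar 7 14:14:12 mi6 postfix/smtpd[29125]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 550 <halers@combrand.com>: Recipient address rejected: combrand.com; from=<ziey@mx.west.saic.com> to=<halers@combrand.com> proto=SMTP helo=<mx.west.saic.com>
Mar 7 14:14:13 mi6 postfix/smtpd[23714]: 58AC68AD8F8: client=mail.example.net[203.0.113.7]
"""

# A queue id right after the smtpd tag means the message got past RCPT and was queued.
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)\[([\d.]+)\]")
# NOQUEUE reject at RCPT: status code, reason text, envelope sender/recipient, HELO.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (\S+)\[([\d.]+)\]: "
    r"(\d{3}) <[^>]*>: ([^;]+); from=<([^>]*)> to=<([^>]*)> proto=\S+ helo=<([^>]*)>"
)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(log_text):
    """Per client IP: accepted (queued) vs rejected-at-RCPT counts, reasons and HELOs."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0,
                                 "reasons": Counter(), "helos": Counter()})
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            stats[m.group(3)]["accepted"] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            ip, reason, helo = m.group(2), m.group(4), m.group(7)
            stats[ip]["rejected"] += 1
            stats[ip]["reasons"][reason] += 1
            stats[ip]["helos"][helo] += 1
    return stats

def nat_hidden_sources(stats):
    """RFC 1918 client IPs carrying more than half of all SMTP sessions. Internet
    mail should never arrive from a private address when the firewall preserves
    the remote IP; if it does, mynetworks, RBL and amavis 'LOCAL' all judge the firewall."""
    total = sum(s["accepted"] + s["rejected"] for s in stats.values())
    return sorted(ip for ip, s in stats.items()
                  if any(ip_address(ip) in net for net in RFC1918)
                  and 2 * (s["accepted"] + s["rejected"]) > total)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, "accepted:", s["accepted"], "rejected:", s["rejected"], dict(s["reasons"]))
    print("NAT is hiding the real client behind:", nat_hidden_sources(stats))
```

On the real log, feed the smtpd lines for a full day in; a non-empty result from nat_hidden_sources means the firewall NAT (not Zimbra's restrictions) is what needs fixing first.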