Preventing spammers from relaying through your mail server

xiaoxiao 2021-03-05

For a network administrator, the spam problem is not so much receiving spam as preventing spammers from using your mail server as a relay. This work is critical: if your mail server is turned into a relay station, it not only burns expensive bandwidth, it slows the server down and puts it under heavy load, and you may well end up on everyone's "blacklist". When that happens, your users' mail is affected and you are left spending your time getting those bans lifted.

Of course, almost every network administrator is familiar with the concept of an "open relay", why it is bad, and the typical remedies, such as restricting relay service to certain IP addresses or requiring authentication. But many administrators may not be aware of how diverse today's spammers have become.

As a test exercise, I set up several mail servers last week, using Microsoft Exchange as well as some free SMTP/POP3 server software, and set up my own protocol analyzer (Clearsight) so that I could observe what happened. Faced with what I saw, I must admit I was quite shocked.

As you might expect, they quickly discovered my server. Even though I required relay requests to authenticate, I soon saw thousands of messages with forged source addresses passing through my Exchange server continuously, without a single message landing in my local folders. At the same time, I found that they had discovered and exploited a system bug (possibly related to SQL Server) that caused my server to automatically generate the mail they needed.

So I abandoned Exchange and started using other, free server software. This made my monitoring more interesting, but the diversity of the attacks shocked me again. Although the initial relay attempts always met the server's "503 - This mail server requires authentication" response, I still saw the spam getting through; they even guessed the password of the "postmaster" account and used the mailbox administrator account to send mail.

After I disabled the "postmaster" (mailbox administrator) account, I still saw many attempts to log in using forged SMTP commands, using invalid sender addresses, and doing things such as sending several RSET commands in one session (because many servers tolerate a certain number of erroneous commands). At that point I realized this was probably tied to when my server drops a connection, since it was set to disconnect after receiving a specified number of erroneous commands, so I set that number very low.

I also noticed that many relay attempts came from the same IP address, so I blocked that IP address in my firewall. After a few minutes I received spam with the same content from a different IP address at a different location. I blocked that IP address too, and the spam then came from a third source. Obviously, as long as they can stay connected they seem quite content to receive authentication-failure notices, but once they cannot establish a TCP connection on port 25, they immediately switch source address.

When I chose to reject all mail from invalid domains, I found a very interesting side effect. Refusing these messages seemed like a good thing for me, because these thousands of spam messages came from e-mail addresses made up of arbitrary ASCII characters.

However, what I found was that even though my authentication requirement rejected the spammers' relay attempts, my server still issued DNS (Domain Name Service) lookups for the domain names in those spam messages, producing a large number of DNS requests. Worse, their sources generated DNS requests continuously and then suddenly sent thousands of requests per minute, almost a denial-of-service (DoS) attack on the DNS server. Under these traffic conditions I had to cancel the setting that rejected these messages.

If you manage a mail server, I suggest you spend some time with a sniffer tool making sure your server is not being played. I also encourage you to patch your system, rename or disable all standard accounts, and fully understand the security features your server supports. Spammers are becoming more and more numerous, and we must gain more experience; don't rely on authentication or IP addresses alone to resist spam.
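As an added example (not code from the original post), here is a small log analyzer that applies the observations above to a server log: bursts of RSET commands in one session, relay attempts refused with 503, failed logins to the postmaster account, and identical messages arriving from rotating source IPs after one address is blocked. The log format, the BODY-DIGEST record and the sample lines are constructed assumptions, not the output of any real mail server.

```python
from collections import defaultdict

# Constructed sample log, format "<session> <client-ip> <C|S> <text>". AUTH shows
# the user in clear and BODY-DIGEST is a hypothetical hook logging a body digest.
SAMPLE_LOG = """\
s1 203.0.113.5 C RSET
s1 203.0.113.5 C RSET
s1 203.0.113.5 C RSET
s1 203.0.113.5 S 503 This mail server requires authentication
s2 203.0.113.5 C AUTH LOGIN postmaster
s2 203.0.113.5 S 535 Authentication failed
s3 198.51.100.9 S 503 This mail server requires authentication
s3 198.51.100.9 C BODY-DIGEST 9f3a
s4 192.0.2.77 C BODY-DIGEST 9f3a
s5 192.0.2.78 S 250 OK
"""


def parse(log):
    sessions = defaultdict(list)  # session id -> [(ip, direction, text), ...]
    for line in log.splitlines():
        sid, ip, direction, text = line.split(" ", 3)
        sessions[sid].append((ip, direction, text))
    return sessions


def analyze(log, max_error_cmds=3, protected=("postmaster",)):
    """Return (session, ip, reason) findings. max_error_cmds mirrors the
    'drop the connection after N bad commands' limit the post keeps low."""
    findings, digest_ips = [], defaultdict(set)
    for sid, events in parse(log).items():
        ip, user, counts = events[0][0], None, defaultdict(int)
        for _, d, t in events:
            if d == "C" and t.upper().startswith("RSET"):
                counts["RSET commands in one session"] += 1
            elif d == "C" and t.upper().startswith("AUTH "):
                user = t.split()[-1].lower()
            elif d == "C" and t.startswith("BODY-DIGEST "):
                digest_ips[t.split()[1]].add(ip)  # same content seen from which IPs
            elif d == "S" and t.startswith("503"):
                counts["relay attempt(s) refused with 503"] += 1
            elif d == "S" and t.startswith("535") and user in protected:
                counts["failed login(s) to a standard account"] += 1
        for reason, n in counts.items():  # a few stray RSETs are normal; a burst is not
            if n >= (max_error_cmds if reason.startswith("RSET") else 1):
                findings.append((sid, ip, f"{n} {reason}"))
    for digest, ips in digest_ips.items():  # same message, rotating source addresses
        if len(ips) > 1:
            findings.append(("*", ",".join(sorted(ips)), f"message {digest} from {len(ips)} IPs"))
    return findings
```

The cross-session digest check is what catches the source rotation described above, which a per-IP firewall block on its own cannot see.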

Please credit the original source when reposting: https://www.9cbs.com/read-37819.html
