In my ongoing campaign of… well, not really evil, more like “civil disobedience”…
Day 1. Found 18 subnets/24 that were already sending us >100 bounces per day. Using iptables I arranged to give them “connection refused” for all connection attempts. No changes to sendmail.cf yet.
Day 2. Switched sendmail.cf to detect bounces (meaning MAIL FROM: ) and respond with 454 instead of 550. These are all guaranteed-forged domains so there’s no such thing as “legitimate” bounces. Also blocked another 16 ip/24 ranges found to be sending >100 bounces per day.
Day 3. Blocked another 28 subnet/24s found to be sending >100 bounces in the first 15 hours of the day.
Results so far:
Before the experiment, we have been receiving about 30 smtp connections per second. As of right now, after having some sites get connection refused for 48 hours, and all bounces getting 454 for about 24 hours, a one-minute snapshot shows about 150 connections per second. If this rate continues through the day it will mean 15M connections instead of the normal 3M.
We don’t have the server capacity to keep up with all requests, so we normally send 40%~60% of them to two mailservers, and give “connection refused” to the other 40%~60%, depending on time of day. As of right now we are handling 20% of the offered load and cutting off 80% with connection refused. So, this might have an effect on other mail that is not bounces, but after a few attempts they will eventually get through and get their 454 (for bounces) and 554 (all others).
Fortunately these two servers don’t handle any mail I care about, just bounces, so this is not slowing down our normal mail path. Bandwidth is my only real concern, and it is staying low at 0.137 megabits.
18 blocked day 1
16 blocked day 2
28 blocked day 3
62 total /24 blocks in place
Because this is a pretty specialized application, I won’t list all the names and net numbers that I blocked, but if anyone is interested, let me know and I will send you the list. Bear in mind that these servers are sending a large amount of crap mail, but there might be a large amount of good mail in there too, and most admins will want to be much more careful about blocking than I have been.
Similarly, if anyone would like a list of my “guaranteed forged” domains (about 200) email me and I will get you the info.
Anyway, I hope some admins will “wake up and smell the mail queue” and stop the forged mail. Usually it is coming from their own network, but folks that do “accept then bounce” will get hit by this too. It’s a gleeful feeling… if anyone else has a domain or set of addresses that get lots of bounce-spam and would like to also “fight back” I highly encourage it :)
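As an added example (not the poster's own scripts), here is a Python sketch of the day-1 step: count bounce messages (empty envelope sender, MAIL FROM:<>) per /24 from sendmail-style log lines and emit iptables rules that answer SMTP connections from the worst offenders with a TCP reset, which the peer sees as "connection refused". The log lines are constructed, and the log format, the ">100 per day" threshold and the reject rule shape are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sendmail-style log lines (not real traffic). A bounce is a
# message whose envelope sender is empty, i.e. MAIL FROM:<>.
SAMPLE_LOG = """\
Mar  1 00:01:02 mx sendmail[101]: s21A12345: from=<>, size=812, relay=a.example [192.0.2.10]
Mar  1 00:01:05 mx sendmail[102]: s21A12346: from=<user@example.org>, size=2048, relay=b.example [192.0.2.20]
Mar  1 00:02:07 mx sendmail[103]: s21A12347: from=<>, size=790, relay=c.example [192.0.2.11]
Mar  1 00:02:09 mx sendmail[104]: s21A12348: from=<>, size=801, relay=d.example [198.51.100.7]
"""

# Envelope sender followed later on the line by the relay's bracketed IPv4 address.
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")


def count_bounces_per_subnet(log_text):
    """Map each /24 (as 'a.b.c.0/24') to the number of bounces it sent."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m is None or m.group("sender") != "":
            continue  # unparsable line, or a normal message rather than a bounce
        net = ip_network(f"{m.group('ip')}/24", strict=False)
        counts[str(net)] += 1
    return counts


def subnets_over_threshold(counts, threshold=100):
    """Return the /24s that sent strictly more than `threshold` bounces, sorted."""
    return sorted(net for net, n in counts.items() if n > threshold)


def iptables_rules(subnets, port=25):
    """Build (but do not run) iptables commands that refuse SMTP from each /24.
    REJECT with tcp-reset shows up at the sender as 'connection refused'."""
    return [f"iptables -I INPUT -s {net} -p tcp --dport {port} -j REJECT --reject-with tcp-reset"
            for net in subnets]


if __name__ == "__main__":
    # Threshold lowered to 1 so the tiny constructed sample produces a rule.
    offenders = subnets_over_threshold(count_bounces_per_subnet(SAMPLE_LOG), threshold=1)
    for rule in iptables_rules(offenders):
        print(rule)
```

Run it over a day's worth of real maillog with the default threshold to get the list of /24s to block; review the list by hand before applying it, since a busy legitimate relay can exceed the count too.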