I don’t know if 260000+ rejected attempts to relay email through an email server within a week should be considered an attack or just a considerable amount of bad traffic, but for my small server with the limited bandwidth this was an incident that I wouldn’t like to face on a regular basis. This article includes some statistical information about that high-traffic week, some info about my actions and a conclusion I made after it ended.
First of all, I use postfix as an SMTP server, which is configured to reject requests, if they do not meet several criteria (postfix internal restrictions), prior to sending email data to the spam and virus filters. Until now, I had never encountered high traffic on the email server.
A week ago, there have been many thousands of requests which were constantly rejected by the smtp service. The weird thing was that, even though it was clear (proper error codes) to the bots that the email could not be relayed through the server, they continued to try.
The following graph shows the number of the rejected requests during the last week:
The following graph shows the inbound/outbound traffic on the router on a random day during the last week:
The following graph shows the DNS failures on a random day during the last week:
Actually, I decided not to commit any action in order to stop the bots. Despite the continuous rejections, they kept on trying and trying.
I let them go for a week and they gave me 10000+ IPs. These IPs belong to hosts from which those requests were originating. After a week, I added all these IPs in the postfix access table in a way that those hosts were denied access, for example:
Within the following 30 minutes the number of requests dropped to a minimum! The following graph confirms that:
This clearly shows that those bots are not designed to consider a rejection due to a HELO/recipient/sender etc restriction as a reason to stop trying, but they only stop when they are denied access. This makes sense in a way, as the “access denied” error means that the administrator is aware of what the remote host was trying to do, but, on the other hand, I don’t quite understand the logic behind keeping on trying despite all the non-access-denied rejections.
My conclusion is that the MTA’s access control mechanism is by far more important than I had initially thought. At least, postfix’ access control facility provides all the flexibility one would need.
Anyway, I love logs. The maillogs are being archived and I will have them further analyzed whenever I have the time.
High traffic on the email server by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2007 - Some Rights Reserved