I spent most of yesterday trying to put the clamps down on the mail issues from the latest variant of Worm.MyDOOM.M. The targeted domain was mozilla.org (for whom we relay mail) and we were running into the limitations of our mail relays in being able to stop the virus.
We use amavisd-new, Postfix, SpamAssassin and ClamAV to help stop spam. Our problem was that we relayed mail for mozilla.org. In relaying we have to accept all mail for mozilla.org, process it and then reject it based on content (for example if it's a virus, which most of the mail was). What I needed was a list of valid recipients for @mozilla.org so I could reject mail based on unknown recipient. I got a drop from the Mozilla folks and slapped it into production. It was a total of 772 aliases that I put into a virtual user table, and then Postfix was rejecting mail at a frenetic pace.
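For readers who want to see what "reject based on unknown recipient" looks like on a relay, here is an added Postfix configuration example. It is not the post's actual configuration: the post used a virtual user table, while this fragment uses Postfix's `relay_domains` / `relay_recipient_maps` pair, which is the documented way to declare the valid addresses of a domain you relay for. The recipient addresses and the `rbl.example` DNSBL name are made up for the example.

```conf
# /etc/postfix/main.cf  (added example; not the configuration from the post)

# Domains we accept and forward mail for, but do not host locally.
relay_domains = mozilla.org

# Every valid recipient in a relay domain must be listed here; RCPT TO for any
# other address in mozilla.org is refused at SMTP time ("User unknown in relay
# recipient table") instead of being accepted, scanned and bounced later.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Order matters: permit our own hosts, refuse anything that is neither local
# nor a relay domain, then consult a DNS blocklist (placeholder name).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client rbl.example

# /etc/postfix/relay_recipients  (constructed sample; right-hand value is ignored)
# Rebuild the lookup table after every change:  postmap hash:/etc/postfix/relay_recipients
alice@mozilla.org   x
bob@mozilla.org     x
webmaster@mozilla.org   x
```

The important property is that the rejection happens in the SMTP dialogue, before the message body is transferred, so the relay never spends CPU on scanning a message to a non-existent address and never generates a bounce to a forged sender. Keep the recipient list in sync with the downstream mail server, since any address missing from the table is rejected.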
Once we started rejecting the mail I started to look at the number of connections we were seeing to our relays. We have 3 brand new Sun v60x's dedicated to relaying mail and they were seeing about 50-60 connections a second from bogus hosts. I wrote a quick Perl hack that would find hosts that were hitting us with lots of unknown recipients as well as RBL hosts that were hitting us, shoved out the list to the relays and firewalled them off. We have a rolling 24 hour window of blocks going based on our mail logs. As of 9:30am PST we have a list of 1389 hosts that we are rejecting connections from (these are infected hosts sending virii at us).
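The "quick Perl hack" is not reproduced in the post, so the following is an added Python example of the same idea, written for this page rather than taken from the author: parse Postfix `smtpd` reject lines, count unknown-recipient rejections per client IP inside a rolling 24-hour window, treat any DNSBL hit as enough on its own, and emit firewall rules for the offenders. The log lines, the `rbl.example` blocklist name, the threshold of 5 and the `198.51.100.0/24` exemption network are all constructed for the example; the log format itself is Postfix's standard `NOQUEUE: reject: RCPT from host[ip]: ...` line.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Postfix smtpd rejection line. Syslog timestamps carry no year, so the caller
# supplies one (see blocklist()).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: (?P<reason>.*)$"
)

# Networks that must never be firewalled off, e.g. our own relays and
# monitoring hosts (constructed value for the example).
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]


def parse_reject(line, year):
    """Return (timestamp, client_ip, kind) for a reject line, else None."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    reason = m["reason"]
    if "User unknown" in reason:
        kind = "unknown_recipient"      # recipient validation did its job
    elif "blocked using" in reason:
        kind = "rbl"                    # reject_rbl_client matched a DNSBL
    else:
        kind = "other"                  # e.g. relay access denied; not counted
    return ts, m["ip"], kind


def blocklist(lines, now, year=None, window=timedelta(hours=24),
              threshold=5, never_block=NEVER_BLOCK):
    """IPs to firewall: >= threshold unknown-recipient rejects in the window,
    or any DNSBL hit in the window, minus exempt networks."""
    year = year or now.year   # caveat: a window that crosses New Year needs two passes
    cutoff = now - window
    unknown = Counter()
    rbl_hits = set()
    for line in lines:
        rec = parse_reject(line, year)
        if rec is None:
            continue
        ts, ip, kind = rec
        if ts < cutoff or ts > now:      # outside the rolling window
            continue
        if kind == "unknown_recipient":
            unknown[ip] += 1
        elif kind == "rbl":
            rbl_hits.add(ip)
    candidates = {ip for ip, n in unknown.items() if n >= threshold} | rbl_hits
    safe = [ip for ip in candidates
            if not any(ipaddress.ip_address(ip) in net for net in never_block)]
    return sorted(safe, key=ipaddress.ip_address)


def firewall_rules(ips):
    """Render one drop rule per IP for port 25 (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


# --- constructed sample log -------------------------------------------------
def _line(ts, ip, reason):
    return f"{ts} relay1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[{ip}]: {reason}"

UNKNOWN = ("550 5.1.1 <nobody@mozilla.org>: Recipient address rejected: User unknown "
           "in virtual alias table; from=<x@example.net> to=<nobody@mozilla.org> proto=ESMTP helo=<x>")
RBL = ("554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using rbl.example; "
       "from=<y@example.net> to=<someone@mozilla.org> proto=SMTP helo=<y>")
NOW = datetime(2004, 7, 28, 9, 30)
SAMPLE_LOG = (
    [_line("Jul 28 09:0%d:00" % i, "192.0.2.10", UNKNOWN) for i in range(6)]   # 6 hits: block
    + [_line("Jul 28 09:10:00", "192.0.2.11", RBL)]                           # DNSBL: block
    + [_line("Jul 28 08:0%d:00" % i, "192.0.2.12", UNKNOWN) for i in range(2)] # under threshold
    + [_line("Jul 27 03:0%d:00" % i, "192.0.2.13", UNKNOWN) for i in range(7)] # 30h old: expired
    + [_line("Jul 28 09:1%d:00" % i, "198.51.100.5", UNKNOWN) for i in range(8)]  # exempt net
    + ["Jul 28 09:20:00 relay1 postfix/smtpd[4242]: connect from unknown[192.0.2.14]"]
)

if __name__ == "__main__":
    for rule in firewall_rules(blocklist(SAMPLE_LOG, NOW)):
        print(rule)
```

Re-running the script against the last 24 hours of logs and replacing the rule set wholesale is what gives the rolling window: a host that stops sending drops off the list once its last rejection ages out. The exemption list is the check worth keeping even in a hurry, since a single forged envelope from a host you rely on would otherwise cut you off from your own infrastructure.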
In the last 48 hours we have caught several million copies of MyDoom.M, in addition to several hundred thousand messages rejected due to unknown recipients. Our relays are now able to breathe again and mail is flowing relatively well to mozilla.org again.
Trackback link: http://kveton.com/blog/2004/07/28/fighting-the-good-fight/trackback/