Re: Holy Bounces Batman!
Tue, 15 Apr 2008 12:46:51 -040
Quoting steve at cotse.net wrote:
> From http://steve.cotse.net/blog/

Tried to comment on your blog but it's closed.

You should put a keyword of "backscatter" in there. Lots of people rant
about backscatter, which is essentially bounce storms. Google will find
you other places to vent/share.

SAV is IMO a big reason for the increase of late (last 2-3 years). The 
term "asshole spammer" is redundant. SAV effects can be confirmed by

Holy Bounces Batman!
Tue, 15 Apr 2008 13:19:51 +000


From http://steve.cotse.net/blog/

Holy Bounces Batman!

We are nearing three days of a massive bounce flood. During
peaks we are seeing upwards of 1000 bounces a second in
addition to our normal mail volume. Needless to say, we're
used to less and the new total of bounces plus normal
traffic is three times our normal volume and choking the
server periodically. Right now it occasionally stops
accepting connections and sometimes it faults. It has to be
babysat to keep going. To create the perfect storm for a
bounce flood two things must be in place, complete idiots
administering mail servers and one or more asshole spammers.

The idiot admin's role is one of configuring their mail
server to accept a message then reject it later for whatever
reason. I'm going to say this only once, reject only at the
connection, if you accept the message you keep it. Period.
You do not accept then send a bounce. This is very poor
etiquette and demonstrates a complete lack of knowledge
about your subject. If you are running a mail server that
you cannot configure in any other way, delete it. Don't use
it. It is broken. I don't care if it has features you like,
stop using it! Messages should either be rejected at the
connection or accepted and if accepted you own them.

The asshole spammer's role is simpler. He just configures
his spamware to generate random names at some domain for the
from line of his spam (because the from must contain a valid
domain name to be delivered) and sends out 100 million
messages utilizing some botnet. The end result is the forged
domain gets hit with millions of connections from mail
servers around the world delivering bounces to tens of
thousands of non-existent accounts. A veritable flood of
connections. This should be classified as a deliberate
attack. The spammer has to know the result. This means
he/she is doing it deliberately. Both the spammer and the
product he is advertising should be held responsible for
loss of business and damages. I also think the mail servers
that accept then reject should also be financially
responsible for the damages as their negligence played a big
role.

Bounce floods suck. There is no way to stop them short of
retiring the domain from e-mail by setting the MX to
localhost. You can reject the bounces, but you are still
getting pounded with connections, both to SMTP and DNS (all
those millions of machines have to look up the MX record to
deliver the bounce). It's flat out a denial of service
attack. Meanwhile all I can do is continue fighting to keep
the server up, and hope it runs its course soon.

Oh, and don't get me started on this Sender Address
Verification (SAV) bullshit so many run. Besides the fact
that it is impossible to tell the difference between you and
a bounce, your servers are also slamming me and contributing
to the connection flood. Also of notable mention are the
morons running Challenge/Response (C/R), I'm getting hit
with thousands of challenges too. You both control your spam
by making it my problem.

So to those running SAV, C/R, or a poorly configured mail
server I say: Very poor etiquette, you fail basic admin 101. 
I don't care if you justify it by thinking "mine only sent
one", fifty million other idiots just like you thought the
same thing and now I'm dealing with fifty million of those
"it's only one" connections. You are all equally culpable.
Get off the Internet until you learn how to properly behave
in a cooperative society!

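The difference between rejecting during the SMTP session and accepting then bouncing, as an added example that is not part of the original post or thread. It is a toy model of one receiving server; the addresses, the sample spam run and the names `smtp_session` and `backscatter_count` are constructed for illustration.

```python
# Added illustration, not code from the thread. Every address is constructed.
VALID_RCPTS = {"alice@receiver.example"}   # mailboxes that really exist here

def smtp_session(policy, mail_from, rcpts):
    """Model one inbound SMTP transaction on the receiving server.

    policy "reject_at_rcpt":     unknown recipients get 550 inside the session.
    policy "accept_then_bounce": everything is accepted, failures become DSNs.
    Returns (replies, dsns): the replies given to the connected client, and the
    bounce messages this server would later send out to third parties.
    """
    replies, accepted, dsns = [("MAIL FROM", 250)], [], []
    for rcpt in rcpts:
        if policy == "reject_at_rcpt" and rcpt not in VALID_RCPTS:
            # The connected client learns of the failure; nothing is queued.
            replies.append(("RCPT TO", 550))
        else:
            replies.append(("RCPT TO", 250))
            accepted.append(rcpt)
    if not accepted:
        return replies, dsns               # no recipient accepted, no DATA phase
    replies.append(("DATA", 250))          # the server now owns the message
    for rcpt in accepted:
        if rcpt not in VALID_RCPTS:
            # Late failure: a DSN with the null sender goes to whatever address
            # was claimed in MAIL FROM, which the spammer forged.
            dsns.append({"mail_from": "<>", "rcpt_to": mail_from, "failed": rcpt})
    return replies, dsns

def backscatter_count(policy, spam_run, forged_domain):
    """Count the bounces this server aims at the forged sender domain."""
    total = 0
    for mail_from, rcpts in spam_run:
        _, dsns = smtp_session(policy, mail_from, rcpts)
        total += sum(d["rcpt_to"].endswith("@" + forged_domain) for d in dsns)
    return total

# Constructed spam run: made-up senders at the forged domain, each message
# addressed to one guessed (nonexistent) mailbox and one real mailbox.
SPAM_RUN = [(f"user{i}@victim.example",
             [f"guess{i}@receiver.example", "alice@receiver.example"])
            for i in range(5)]

if __name__ == "__main__":
    for policy in ("accept_then_bounce", "reject_at_rcpt"):
        print(policy, backscatter_count(policy, SPAM_RUN, "victim.example"))
```
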
Re: Holy Bounces Batman!
Wed, 16 Apr 2008 08:59:44 -070
Quoting steve at cotse.net wrote:
> From http://steve.cotse.net/blog/
>
> Holy Bounces Batman!
>
> We are nearing three days of a massive bounce flood. During
> peaks we are seeing upwards of 1000 bounces a second in
> addition to our normal mail volume.

That blog post was at the beginning.  Steve Gielda came to nanae to
discuss his plight and his management of it.  That discussion resulted
in a 64 post thread which went on for about a week.

Since Gielda is a very experienced mailserver manager (ie cotse), the
discussions between him and the other mailadmins in the thread are
educational about these issues.

GG link to the thread
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/5244ca2e196c8221/914e7137c0ee9650?#914e7137c0ee9650 or
http://snipurl.com/24mny snurled gglink

From: Stephen K. Gielda
Newsgroups: news.admin.net-abuse.email
Subject: Five day bounce flood killing domain
Date: Wed, 19 Mar 2008 17:04:05 -0400
Message-ID: <MPG.224b49d4842141d398988e@news.newsreader.com>

I run www.cotse.net.  A domain cotse.com has been undergoing a
bounce flood of proportions unseen ever before.  It easily surpasses
10,000 per second and has for over five days.  Everything I stick in
front of it gets hammered into complete lock.  It's maxing out a 100MB
full duplex NIC.

The bounces are coming from yahoo, hotmail, google, and millions of
other botnet machines around the globe.  Yahoo, hotmail and google alone
must be sending over 50 million a day.  Other than switching the MX for
cotse.com to 127.0.0.1 what options do I have?  Will the Feds help?
News sources?  Anyone?  Yahoo, google, hotmail don't answer my mails.

If they can wipe this domain out like this, yours may be next.  I'm
frustrated, I need someone with pull somewhere.


--
Mike Easter
kibitzer, not SC admin