Surviving a Joe-Job attack.
The first step is detection. For that, it helps to understand exactly what a Joe job attack is. A Joe job attack is when a naughty person decides to send out a batch of spam. Instead of using their own email addressess (bringing much wrath upon themselves), they forge the headers and use someone elses email address. We'll refer to that person as the "victim" henceforth.
Solution Step #1
It's not quite a Joe job, but I had a client send out a mass HTML email with embedded photos, yielding a 200k message. I don't know exactly how many emails he sent out, but I can tell you that he got back thousands of them. When my server decided to stop working (/var filled up), I noticed the problem.
In this case, I wanted the client to feel the results of his error so I raised his quota a bunch so the messages would clear out of my queue. This took care of the overfilled /var and got my mail system back online, but my CPU's were being pegged by all the incoming connections being virus and spam scanned. Since I use simscan with it's per-domain options, I was able to prevent this client from further monopolizing my system, by removing spamassassin processing from their mail. My simcontrol file looks like this:
The first line is the default policy which virus scans and spam scans all emails. In this case, all the messages were bouncing back to firstname.lastname@example.org, so in the second line, I disabled spamassassin processing for that email address. This immediately brought the system load down to tolerable levels. If I were still having any load issues, I would have disabled virus scanning as well. I simply left the system this way until the mail storm subsided.
If the email address has spam filtering enabled (log into their account via qmailadmin and check the "spam detection" checkbox), make sure to disable it or that too can trigger spamassassin. In most cases, this measure will alleviate the problem.
Solution Step #2
However, in a real Joe job attack, you don't want the client to suffer from having their inbox polluted with bounces and DSNs (Delivery Status Notifications). You instead want to route all that crap to the bit bucket. Fortunatelyl, simscan provides a handy way to do this. Rick Macdougall posted this big ugly regexp on the simscan users list. He created this to help his system survive a massive attack:
This is certainly not an ideal solution but it'll keep your system from having to run spamd and clamd on all them bounce messages. You add that line (make sure it's all on one line!) to your /var/qmail/control/simcontrol file and then run "qmail cdb" to rebuild the simscan control file.
Last modified on 4/28/05.