SMTP attack – 25 July

Our Dallas infrastructure has been under SMTP attack this week. Similar to an incident in February, spammers are using botnets to try connecting to our mail servers. To mitigate the attack, we have implemented soft failures for connections from IP addresses without reverse DNS.

Spammers use these brute-force attacks to build lists of email addresses. They send an “innocent” message to a random address at your domain name. Our server will reject any message to a non-existent address. However, when a message arrives for a valid email address and our server does not reject it, that serves as confirmation to the spammer that the address exists. Doing this over and over, thousands of times, the bad guys are able to build a list of valid email addresses for their future spam campaigns.

Often with attacks like this, the many attempts temporarily open many connections, at times so many that legitimate users are unable to connect.

Reverse DNS (a PTR record, to be precise) is a method that resolves an IP address back to a host name. Legitimate email servers are expected to have reverse DNS configured. Botnets quite often use computers on connections that do not have reverse DNS set up. So on the surface it makes sense to block such connections, right? Unfortunately not — some prominent ISPs in South Africa (where many of our clients reside) do not have reverse DNS configured for ADSL connections. A blanket block of all non-conforming connections would block a lot of innocent people’s email transmissions. Pity.

Our new soft failure mechanism aims to find a middle road. It allows SMTP connections from any client, with or without reverse DNS configured. However, once about 50% of available connections are in use (probably due to a spam attack), the server rejects SMTP connections without reverse DNS configured. This ***may*** mean that some legitimate users are temporarily unable to connect. The block will tend to be short; the connection count usually drops sufficiently within a minute or two.
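To make the policy concrete, here is an added example of the soft-fail decision logic as described above. It is not the provider's own server code: the 50% ratio and the slot count are assumptions taken from the text, the "too many connections" reply wording is constructed, and the PTR lookup is injected so the demo runs offline against a constructed IP-to-hostname table (TEST-NET addresses).

```python
"""Soft-fail gate for SMTP clients without reverse DNS (added example).

Below ~50% slot usage every client is accepted; above it, clients whose IP
has no PTR record get a temporary 421 while everyone else is still served.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Reply text quoted on the page; a 4xx code tells the client to retry later.
BUSY_REPLY = "421 too busy for PTRless hosts"
# Assumed: a plain hard limit on concurrent connections; wording is constructed.
FULL_REPLY = "421 too many connections, try again later"
SOFT_FAIL_RATIO = 0.5  # "about 50% of available connections" from the page

Resolver = Callable[[str], object]


def has_ptr(ip: str, resolver: Resolver = socket.gethostbyaddr) -> bool:
    """True if `ip` resolves back to a host name (i.e. has a PTR record).

    `resolver` defaults to the real system lookup; the demo below injects
    an offline fake so nothing here touches the network.
    """
    try:
        resolver(ip)
    except (socket.herror, socket.gaierror, OSError):
        return False
    return True


def make_fake_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Offline stand-in for socket.gethostbyaddr built from a constructed
    IP -> hostname table; unknown IPs fail the way a missing PTR does."""
    def lookup(ip: str):
        if ip in ptr_table:
            return (ptr_table[ip], [], [ip])  # same tuple shape as gethostbyaddr
        raise socket.herror(1, "Unknown host")
    return lookup


@dataclass
class ConnectionGate:
    max_connections: int
    ratio: float = SOFT_FAIL_RATIO
    active: int = 0

    @property
    def soft_fail_active(self) -> bool:
        """Soft-fail mode engages once active slots reach the ratio of the total."""
        return self.active >= self.ratio * self.max_connections

    def connect(self, ip: str, resolver: Resolver = socket.gethostbyaddr) -> Optional[str]:
        """Admit a new client. Returns None when accepted (a slot is consumed)
        or the 421 reply text when the connection is refused."""
        if self.active >= self.max_connections:
            return FULL_REPLY
        if self.soft_fail_active and not has_ptr(ip, resolver):
            return BUSY_REPLY
        self.active += 1
        return None

    def disconnect(self) -> None:
        """Free a slot. As counts drop back below the ratio, PTR-less clients
        are admitted again, which is why the block tends to be short."""
        self.active = max(0, self.active - 1)


def simulate(gate: ConnectionGate, clients, resolver: Resolver) -> Dict[str, int]:
    """Run a burst of client IPs through the gate and tally the outcomes."""
    tally = {"accepted": 0, "ptrless_rejected": 0, "full": 0}
    for ip in clients:
        reply = gate.connect(ip, resolver)
        if reply is None:
            tally["accepted"] += 1
        elif reply == BUSY_REPLY:
            tally["ptrless_rejected"] += 1
        else:
            tally["full"] += 1
    return tally


if __name__ == "__main__":
    # Constructed data: TEST-NET addresses; only 192.0.2.10 has a PTR record.
    resolver = make_fake_resolver({"192.0.2.10": "mail.example.net"})
    gate = ConnectionGate(max_connections=10)
    burst = ["198.51.100.7"] * 4 + ["192.0.2.10"] * 3 + ["198.51.100.8"] * 5
    print(simulate(gate, burst, resolver))  # {'accepted': 7, 'ptrless_rejected': 5, 'full': 0}
```

Note that the PTR-less clients that arrived before the 50% mark keep their slots; the gate only changes what happens to new connections, which is what keeps the impact on legitimate users brief once the burst subsides.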

If you are seeing an error “421 too busy for PTRless hosts” when sending email, then please contact us. Your ISP is likely not configuring reverse DNS correctly and we can offer some advice.