It looks like my CSF configuration is on a trajectory to permanently block the entire internet.
All of these blocks have been triggered because of LF_DISTATTACK.
All of the blocks so far are from SMTPAUTH failures.
In the past 4.5 days CSF/LFD has blocked 836 LF_DISTATTACKs and entered them into csf.deny.
99+% of the blocks are with a SetID=floyd or SetID=floyd@mydomain.com.
I realize that CSF/LFD is doing exactly what is supposed to and as I have it configured. For that I am thankful.
But ...
Who is Floyd?
Is there a downloadable list of all of these Floyd compromised servers? So that I can put a stop to this nonsense.
Just how many compromised SMTP servers are out there proliferating this attack?
Will legitimate traffic end up blocked because a server/host has a bad SMTP configuration or worse yet infection that has allowed others to misuse their resources?
Have I pissed off Floyd or one of his friends?
How many other SMTP hosts are being bombarded with this?
I have defined:
LF_IPSET=1
LF_SMTPAUTH=5
LF_SMTPAUTH_PERM=1
LF_DISTATTACK=1
LF_DISTATTACK_UNIQ=2
In csf.blocklists I am using:
SPAMDROP
DSHIELD
CIARMY
MAXMIND
The communities thoughts and feedback are appreciated.
Alex
Lilypad Cloud