Notes on new IPBlock code, 4.25-11

Raymond Dijkxhoorn raymond at PROLOCATION.NET
Mon Dec 1 19:54:49 GMT 2003


> machine came alive at 00:01:32 last night.  With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out.  But, the rogue machine had flooded my
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server.  A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site).  Some got
> delivered.  The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.

Thats due to Swen. But you could fight Swen. I assume you have currently
the MX functions for your server AND the smtp relay function on the same
box ? Swen does a MX lookup and starts to blow mail. If you want to stop
this, seperate the MX and SMTP function. If your MX -ONLY- accepts mail
for it will -completely- block this crap. Since its always
mail to external party's, most of them AOL.COM and that wont pass the
rules of your MX, since its not TO: @yourdomain. I didnt see a simgle AOL
Swen thing pass since we altered our configs. Load dropped with around
1M messages a day, so i guess AOL was pretty happy when we activated the


More information about the MailScanner mailing list