Fwd: RE: Dealing with MailScanner overloads

Gerry Doris gerry at DORFAM.CA
Sun Sep 14 14:34:28 IST 2003


On Sun, 14 Sep 2003, Ulysees wrote:

> > The only question I have is regarding the relay address as being the
> > right one to block.  For example, I run a primary mail server with my
> > ISP acting as secondary MX.  All my Sobig.F emails went to their mail
> > server, because Sobig.F went for the highest MX value, and then got
> > relayed on to me.
> >
> > This code would then result in me blocking my own fallback MX server,
> > and I think this is not an uncommon situation?
>
> I think this code could be useful, however you would need to be able to
> give it a few hints, e.g.
> 1000 mails in an hour from othersite.mycorp.com is fine
> 100 mails in an hour from spam.spam.spam.spamity.spam.com is not normal
> behavior & should be blocked.
> really just a black/whitelist which sets a limit on mails per hour from a
> host
>
> It would also be very important that when the block is put in place that it
> could trigger a notification to postmaster to advise them of what just
> happened.
>
>
> Uly

Well, even if it is a secondary mail MX that is flooding the server
with viruses and threatening to take it down then it needs to be stopped.

The obvious remedy is to complain to whomever runs that box to install a
virus scanner and filter all emails.  I believe many ISPs are now
running scanners???

However, if scanning on the secondary MX isn't possible then I like the
idea of turning it off until a better solution is found, i.e. processing its
mail at an off-peak time or redirecting the mail to another server for
scanning.  The mail won't be lost.

As others have said...it is really important to notify the sysadmin what
has occurred.  Perhaps this should be a recurring notification at a preset
time in case the original was missed.

--
Gerry

"The lyfe so short, the craft so long to learne"  Chaucer
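
The per-host hourly limit with overrides, a postmaster notice when a block is placed, and a recurring reminder, as discussed in this thread, sketched as an added example (not MailScanner code and not code from either poster). The class and method names, the 6-hour reminder interval, and the host relay.example.net are assumptions; notices are collected in a list instead of being mailed.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds; limits are expressed as mails per hour


class RelayLimiter:
    """Hypothetical per-relay hourly limit with per-host overrides."""

    def __init__(self, default_limit, overrides=None, remind_every=6 * 3600):
        self.default_limit = default_limit
        self.overrides = overrides or {}   # host -> allowed mails per hour
        self.remind_every = remind_every   # assumed reminder interval
        self.seen = defaultdict(deque)     # host -> arrival timestamps
        self.blocked = {}                  # host -> time of last notice
        self.notices = []                  # stand-in for mail to postmaster

    def limit_for(self, host):
        # A fallback MX or sister site gets a higher ceiling here
        # instead of being blocked at the default threshold.
        return self.overrides.get(host, self.default_limit)

    def record(self, host, now):
        """Count one message from host; return True if it is accepted."""
        if host in self.blocked:
            return False
        q = self.seen[host]
        q.append(now)
        while q and q[0] <= now - WINDOW:  # drop arrivals older than an hour
            q.popleft()
        if len(q) > self.limit_for(host):
            self.blocked[host] = now
            self.notices.append((now, host, "blocked: %d mails in an hour" % len(q)))
            return False
        return True

    def remind(self, now):
        """Repeat the notice for every block that is still in place."""
        for host, last in self.blocked.items():
            if now - last >= self.remind_every:
                self.blocked[host] = now
                self.notices.append((now, host, "still blocked"))

    def unblock(self, host):
        """Lift a block by hand and forget the host's history."""
        self.blocked.pop(host, None)
        self.seen.pop(host, None)
```
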


