Spam attack....
Philip Butler
butler at globeserver.com
Thu Jun 19 02:27:17 IST 2008
Hi all,
This may have been discussed here before, but I am going to throw it
out again...
I have set up a few "mailbag" machines for some of my customers to
grab their incoming email and process it for spam. This then goes
into POP mailboxes and their mail servers then grab the mail. The
intent is that it be a black-hole for spam and takes some of the load
off of their systems. A while back, I determined that most spam (for
these customers anyway) was being marked with a spamscore of about 20,
so I set the spam threshold on these mailbag machines to be 15.
These machines run MailScanner (of course), SpamAssassin, and Razor.
Everything works fine and transparently most of the time, but
occasionally (i.e. the last few days), email is coming in and clogging
the MailScanner incoming queue. I haven't measured, but at times it's
around 1 new message per second. At times there may be 10-15 thousand
messages waiting to be processed. If left alone, it doesn't seem to
correct itself. What I have done is transferred 10k messages or so
from the machine that clogs up to another machine and then they get
processed quickly. This almost seems to be a DNS-type problem with
RBL lookups or something.
I have tried to figure out where the messages are coming from, but I
don't see a pattern. If most messages were coming from a handful of
machines, then I would just put an IP-filter on them and drop any
packets from them. Unfortunately, I have not seen any pattern - so I
am back to square one.
Any ideas as to what I should check, etc. to figure out why these
customers are being excessively spam-bombed? This seems to happen
maybe once every month or two - then it goes away.
Phil
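
One way to test for the source pattern the post looks for, as an added example that is not part of the original message: count SMTP connections per address and per /24 and report how much of the traffic the busiest networks account for. The Postfix-style log format, the sample lines and the function name are assumptions; the post does not name the MTA.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample input: Postfix-style "connect from" lines (assumed format).
# All addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jun 18 21:00:01 mailbag postfix/smtpd[411]: connect from unknown[198.51.100.7]
Jun 18 21:00:02 mailbag postfix/smtpd[412]: connect from unknown[198.51.100.7]
Jun 18 21:00:02 mailbag postfix/smtpd[413]: connect from mx.example.net[203.0.113.5]
Jun 18 21:00:03 mailbag postfix/smtpd[414]: connect from unknown[198.51.100.9]
Jun 18 21:00:04 mailbag postfix/smtpd[415]: connect from unknown[192.0.2.44]
Jun 18 21:00:04 mailbag postfix/smtpd[416]: connect from unknown[198.51.100.7]
Jun 18 21:00:05 mailbag postfix/smtpd[417]: connect from unknown[192.0.2.45]
Jun 18 21:00:06 mailbag postfix/smtpd[418]: connect from unknown[203.0.113.200]
Jun 18 21:00:06 mailbag postfix/smtpd[418]: disconnect from unknown[203.0.113.200]
"""

# \b keeps "disconnect from" lines from being counted as connections.
CONNECT_RE = re.compile(r"\bconnect from \S*\[([0-9.]+)\]")


def source_concentration(log_text, top_n=3):
    """Summarise how concentrated the connecting sources are.

    Returns the connection total, the top_n addresses and /24 networks
    with their counts, and the fraction of traffic from those networks.
    """
    per_ip, per_net = Counter(), Counter()
    for ip in CONNECT_RE.findall(log_text):
        try:
            net = ip_network(ip + "/24", strict=False)
        except ValueError:
            continue  # skip malformed addresses instead of aborting the run
        per_ip[ip] += 1
        per_net[str(net)] += 1
    total = sum(per_ip.values())
    top_nets = per_net.most_common(top_n)
    share = sum(n for _, n in top_nets) / total if total else 0.0
    return {"total": total, "top_ips": per_ip.most_common(top_n),
            "top_nets": top_nets, "top_share": share}


if __name__ == "__main__":
    for key, value in source_concentration(SAMPLE_LOG).items():
        print(key, value)
```

A high `top_share` means a filter on a few networks would cover most of the flood; a low one spread over many networks matches the "no pattern" case described in the post.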