Spam attack....

Thu Jun 19 07:12:32 IST 2008

on 6-18-2008 6:27 PM Philip Butler spake the following:
> Hi all,
> 
> This may have been discussed here before, but I am going to throw it out 
> again...
> 
> I have set up a few "mailbag" machines for some of my customers to grab 
> their incoming email and process it for spam.  This then goes into POP 
> mailboxes and their mail servers then grab the mail.  The intent is that 
> it be a black-hole for spam and takes some of the load off of their 
> systems.  A while back, I determined that most spam (for these customers 
> anyway) was being marked with a spamscore of about 20, so I set the spam 
> threshold on these mailbag machines to be 15.
> 
> These machines run MailScanner (of course), SpamAssassin, and Razor.
> 
> Everything works fine and transparently most of the time, but 
> occasionally (i.e. the last few days), email is coming in and clogging 
> the MailScanner incoming queue.  I havent' measured, but at times it's 
> around 1 new message per second.  At times there may be 10-15 thousand 
> messages waiting to be processed.  If left alone, it doesn't seem to 
> correct itself.  What I have done is transferred 10k messages or so from 
> the machine that clogs up to another machine and then they get processed 
> quickly.  This almost seems to be a DNS-type problem with RBL lookups or 
> something.
> 
> I have tried to figure out where the messages are coming from, but I 
> don't see a pattern.  If most messages were coming from a handful of 
> machines, then I would just put an IP-filter on them and drop any 
> packets from them.  Unfortunately, I have not seen any pattern - so I am 
> back to square one.
> 
> Any ideas as to what I should check, etc. to figure out why these 
> customers are being excessively spam-bombed.  This seems to happen maybe 
> once every month or two - then it goes away.
> 
> Phil
> 
Have you tried anything like connection rate throttling?
It is probably a large chain of spambots, and their IP's change fairly 
frequently. Limiting how many connections that can come from one IP should 
help some. You can try to collect addresses and blackhole them, but they will 
probably stop shortly as they go on to their next target.

If you are using sendmail this page could help;
http://www.technoids.org/dossed.html
I'm sure there are similar features in Exim or Postfix, but I haven't come 
over to the "dark side" yet so I don't know their secret incantations.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080618/02384af7/signature.bin