Spam attack....

Randal, Phil prandal at herefordshire.gov.uk
Thu Jun 19 10:05:39 IST 2008


It's time to start using RBLs on your MTA.

cbl.abuseat.org & bl.spamcop.net spring to mind as reliable ones, or, if
you have the money and don't mind a bit of config, subscribe to
SpamHaus's blacklists and use zen.spamhaus.org on your MTA.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Philip
Butler
Sent: 19 June 2008 02:27
To: MailScanner discussion
Subject: Spam attack....

Hi all,

This may have been discussed here before, but I am going to throw it out
again...

I have set up a few "mailbag" machines for some of my customers to grab
their incoming email and process it for spam.  This then goes into POP
mailboxes and their mail servers then grab the mail.  The intent is that
it be a black-hole for spam and takes some of the load off of their
systems.  A while back, I determined that most spam (for these customers
anyway) was being marked with a spamscore of about 20, so I set the spam
threshold on these mailbag machines to be 15.

These machines run MailScanner (of course), SpamAssassin, and Razor.

Everything works fine and transparently most of the time, but
occasionally (i.e. the last few days), email is coming in and clogging
the MailScanner incoming queue.  I haven't measured, but at times it's
around 1 new message per second.  At times there may be 10-15 thousand
messages waiting to be processed.  If left alone, it doesn't seem to
correct itself.  What I have done is transferred 10k messages or so from
the machine that clogs up to another machine and then they get processed
quickly.  This almost seems to be a DNS-type problem with RBL lookups or
something.

I have tried to figure out where the messages are coming from, but I
don't see a pattern.  If most messages were coming from a handful of
machines, then I would just put an IP-filter on them and drop any
packets from them.  Unfortunately, I have not seen any pattern - so I am
back to square one.

Any ideas as to what I should check, etc. to figure out why these
customers are being excessively spam-bombed?  This seems to happen maybe
once every month or two - then it goes away.

Phil
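
The DNSBL lookup an MTA performs against the lists named in the reply, with each lookup timed so slow RBL DNS (the suspicion raised in the original message) shows up; this is an added example, not part of either message. The function names, the injectable resolver and the handling of Spamhaus's documented 127.255.255.x error codes are choices made for this sketch.

```python
import ipaddress
import socket
import time

# Zones named in the reply above.
ZONES = ["zen.spamhaus.org", "cbl.abuseat.org", "bl.spamcop.net"]

def dnsbl_query_name(ip, zone):
    """Reversed IPv4 octets (or reversed IPv6 nibbles) prepended to the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def classify(answer):
    """Interpret the A record returned by a DNSBL (None means NXDOMAIN)."""
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error"       # Spamhaus error codes (e.g. query refused), not a listing
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"           # answers outside 127/8 are not valid DNSBL results

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: (verdict, seconds)}; resolve can be swapped for offline use."""
    nxdomain = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
    results = {}
    for zone in zones:
        start = time.monotonic()
        try:
            verdict = classify(resolve(dnsbl_query_name(ip, zone)))
        except socket.gaierror as exc:
            # Only a "no such name" answer means clean; timeouts are failures.
            verdict = "not listed" if exc.errno in nxdomain else "lookup failed"
        results[zone] = (verdict, round(time.monotonic() - start, 3))
    return results

if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test address.
    for zone, (verdict, secs) in check("127.0.0.2").items():
        print(f"{zone:20} {verdict:14} {secs}s")
```

Lookup times of several seconds per zone, or "lookup failed" verdicts, point at the resolver rather than the mail volume.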
