Spam attack....

Randal, Phil prandal at
Thu Jun 19 10:05:39 IST 2008

It's time to start using RBLs on your MTA. & spring to mind as reliable ones, or, if
you have the money and don't mind a bit of config, subscribe to
SpamHaus's blacklists and use on your MTA.



Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces at
[mailto:mailscanner-bounces at] On Behalf Of Philip
Sent: 19 June 2008 02:27
To: MailScanner discussion
Subject: Spam attack....

Hi all,

This may have been discussed here before, but I am going to throw it out

I have set up a few "mailbag" machines for some of my customers to grab
their incoming email and process it for spam.  This then goes into POP
mailboxes and their mail servers then grab the mail.  The intent is that
it be a black-hole for spam and takes some of the load off of their
systems.  A while back, I determined that most spam (for these customers
anyway) was being marked with a spamscore of about 20, so I set the spam
threshold on these mailbag machines to be 15.

These machines run MailScanner (of course), SpamAssassin, and Razor.

Everything works fine and transparently most of the time, but
occasionally (i.e. the last few days), email is coming in and clogging
the MailScanner incoming queue.  I havent' measured, but at times it's
around 1 new message per second.  At times there may be 10-15 thousand
messages waiting to be processed.  If left alone, it doesn't seem to
correct itself.  What I have done is transferred 10k messages or so from
the machine that clogs up to another machine and then they get processed
quickly.  This almost seems to be a DNS-type problem with RBL lookups or

I have tried to figure out where the messages are coming from, but I
don't see a pattern.  If most messages were coming from a handful of
machines, then I would just put an IP-filter on them and drop any
packets from them.  Unfortunately, I have not seen any pattern - so I am
back to square one.

Any ideas as to what I should check, etc. to figure out why these
customers are being excessively spam-bombed.  This seems to happen maybe
once every month or two - then it goes away.


MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website! 

More information about the MailScanner mailing list