Spam attack....
Peter Farrow
peter at farrows.org
Thu Jun 19 11:10:02 IST 2008
Philip Butler wrote:
> Hi all,
>
> This may have been discussed here before, but I am going to throw it
> out again...
>
> I have set up a few "mailbag" machines for some of my customers to
> grab their incoming email and process it for spam. This then goes
> into POP mailboxes and their mail servers then grab the mail. The
> intent is that it be a black-hole for spam and takes some of the load
> off of their systems. A while back, I determined that most spam (for
> these customers anyway) was being marked with a spamscore of about 20,
> so I set the spam threshold on these mailbag machines to be 15.
>
> These machines run MailScanner (of course), SpamAssassin, and Razor.
>
> Everything works fine and transparently most of the time, but
> occasionally (i.e. the last few days), email is coming in and clogging
> the MailScanner incoming queue. I haven't measured, but at times it's
> around 1 new message per second. At times there may be 10-15 thousand
> messages waiting to be processed. If left alone, it doesn't seem to
> correct itself. What I have done is transferred 10k messages or so
> from the machine that clogs up to another machine and then they get
> processed quickly. This almost seems to be a DNS-type problem with
> RBL lookups or something.
>
> I have tried to figure out where the messages are coming from, but I
> don't see a pattern. If most messages were coming from a handful of
> machines, then I would just put an IP-filter on them and drop any
> packets from them. Unfortunately, I have not seen any pattern - so I
> am back to square one.
>
> Any ideas as to what I should check, etc. to figure out why these
> customers are being excessively spam-bombed. This seems to happen
> maybe once every month or two - then it goes away.
>
> Phil
>
If you are using a Linux box, you can simply use iptables to limit-burst
and connection rate limit at the firewall end on a per-ip basis....
P.
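
The per-IP limiting suggested in the reply above could look like the following. This is an added example, not part of the original message: it uses the iptables `hashlimit` and `connlimit` matches, the chain name `SMTP_LIMIT` and all numeric thresholds are assumptions, and the script only prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example: print iptables rules that limit inbound SMTP per source IP.
# Nothing is applied here; review the output, then run it as root.
# The chain name SMTP_LIMIT and the default thresholds are assumptions.

smtp_limit_rules() {
    rate="${1:-10}"     # new connections per minute allowed per source IP
    burst="${2:-20}"    # connections allowed in a burst before the rate applies
    maxconn="${3:-5}"   # simultaneous connections allowed per source IP

    # Accept only positive integers so a typo cannot yield a malformed rule.
    for n in "$rate" "$burst" "$maxconn"; do
        case "$n" in
            ''|*[!0-9]*|0) echo "invalid limit: $n" >&2; return 1 ;;
        esac
    done

    cat <<EOF
# Send every new inbound SMTP connection (SYN to port 25) through one chain.
iptables -N SMTP_LIMIT
iptables -A INPUT -p tcp --dport 25 --syn -j SMTP_LIMIT
# Cap concurrent connections per single address (/32).
iptables -A SMTP_LIMIT -p tcp -m connlimit --connlimit-above $maxconn --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Per-source token bucket: within the rate, return to INPUT for normal handling.
iptables -A SMTP_LIMIT -p tcp -m hashlimit --hashlimit-name smtp --hashlimit-mode srcip --hashlimit-upto $rate/minute --hashlimit-burst $burst -j RETURN
# Over the rate: reset the connection; a legitimate MTA will retry later.
iptables -A SMTP_LIMIT -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Usage: sh smtp_limit.sh [rate_per_min] [burst] [max_concurrent]
smtp_limit_rules "$@"
```

These limits act on each source address separately, so they bound what any one sender can push into the incoming queue but do not reduce the total when the mail arrives from many addresses at a low rate each.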