Spam attack....

Peter Farrow peter at
Thu Jun 19 11:10:02 IST 2008

Philip Butler wrote:
> Hi all,
> This may have been discussed here before, but I am going to throw it 
> out again...
> I have set up a few "mailbag" machines for some of my customers to 
> grab their incoming email and process it for spam.  This then goes 
> into POP mailboxes and their mail servers then grab the mail.  The 
> intent is that it be a black-hole for spam and takes some of the load 
> off of their systems.  A while back, I determined that most spam (for 
> these customers anyway) was being marked with a spamscore of about 20, 
> so I set the spam threshold on these mailbag machines to be 15.
> These machines run MailScanner (of course), SpamAssassin, and Razor.
> Everything works fine and transparently most of the time, but 
> occasionally (i.e. the last few days), email is coming in and clogging 
> the MailScanner incoming queue.  I havent' measured, but at times it's 
> around 1 new message per second.  At times there may be 10-15 thousand 
> messages waiting to be processed.  If left alone, it doesn't seem to 
> correct itself.  What I have done is transferred 10k messages or so 
> from the machine that clogs up to another machine and then they get 
> processed quickly.  This almost seems to be a DNS-type problem with 
> RBL lookups or something.
> I have tried to figure out where the messages are coming from, but I 
> don't see a pattern.  If most messages were coming from a handful of 
> machines, then I would just put an IP-filter on them and drop any 
> packets from them.  Unfortunately, I have not seen any pattern - so I 
> am back to square one.
> Any ideas as to what I should check, etc. to figure out why these 
> customers are being excessively spam-bombed.  This seems to happen 
> maybe once every month or two - then it goes away.
> Phil
If you are using a Linux box, you can simply use iptables to limit-burst 
and connection rate limit at the firewall end on a per-ip basis....


This message has been scanned for viruses and
dangerous content by the Inexcom system Scanner,
and is believed to be clean.
Advanced heuristic mail scanning server [1].

More information about the MailScanner mailing list