Spam Attacks
Erik Weber
twiztar at gmail.com
Mon Sep 12 08:02:30 IST 2011
On Sun, Sep 11, 2011 at 10:59 PM, Paul Kelly :: Blacknight
<paul at blacknight.com> wrote:
> Hi Guys,
>
> Has anyone noticed a huge increase in smtp slamming recently?
>
> We have a busy mail cluster that has about 80k users. In the last 10 days or so we've seen a huge increase in IPs slamming the mail servers. The really odd thing is that it happens a few times a day and it's really intensive. Mostly the traffic hops off of RBL lookups. As an experiment today I moved 8 domains' MX records to a standalone Postfix box with just zen.spamhaus.org configured on it.
>
> The results are _insane_, a snippet from just today.
>
> Per-Hour Traffic Summary
> ------------------------
> time       received delivered  deferred   bounced  rejected
> -----------------------------------------------------------
> 1000-1100        12         0         0        19      1776
> 1100-1200        26         1         0       112      2851
> 1200-1300        25         5         0        54      3256
> 1300-1400        66         1         0       200     13509
> 1400-1500       241         0         0       501     61974
> 1500-1600       229         3         0       520     55902
> 1600-1700        38         1         0        74      3750
> 1700-1800       197         2         0       441     47213
> 1800-1900       302         3         0       638     77602
> 1900-2000       134         6         0       248     38728
> 2000-2100        23         1         0        63      4482
> 2100-2200       169         4         0       216      2786
>
> Is anyone else seeing this?
>
We see the same; namely, on Wednesday, Thursday and Saturday last week we
had some massive attacks quadrupling our incoming SMTP traffic (up
from ~1200msgs/min to roughly ~4000msgs/min).
Typically it only lasts for 30-90 minutes, but it really messes
up our queues during that period. From what I can see, they come from
random IP addresses, have a from address that clearly looks fraudulent, and
the same host connects fewer than 5 times.
--
Erik