I have a client that is getting HAMMERED by mass SPAM emailings. In excess of 500,000 emails a month are getting deleted on an 80 user network. His Internet connection is totally flooded. I’ve been working with him over the past 9 months or so and have been trying to track things down to a single spammer or set of spammers.

 

First, he is the target of the “reflected email” attack/delivery system. He was getting loads of these. He still gets these, but only about 100-150,000 a month. The rest are pure garbage items, at a much heavier than normal load of SPAM for a site of his size. What’s curious is that I have been attempting to run MID level logging in order to get the connecting IPs, reasoning that if I could find the IP ranges, I could blow them off at the firewall and spare DECLUDE from having to process the emails. But, to my surprise, after running a few PERL scripts on the logs, the number of offending IPs, even listing those with over 50 deletes, is something on the order of over 2,000! There are no real ranges that I can find. If I include servers sending 10 emails that DECLUDE deletes, I have over 5 thousand for the month. It’s a massive deluge from thousands of servers sending 4 or 5 emails a day. It’s beginning to look like whoever is sending the mail has hundreds of zombie ‘bots out on the internet and can direct them at will.

 

Short of telling him he needs to just dump his domain name and get a new one, or co-locate a server upstream at an ISP for Declude, I am out of answers.

 

Is anyone else seeing this type of attack? Are Spammers now using zombie ‘bots?

 

 

Karl Drugge

 

 

--- This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
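
The per-IP tally and range search described in the message above, as an added example that is not part of the original post and is not the poster's or Declude's code: it counts deletes per connecting IP, then measures how much of the load a range-based firewall rule would actually remove. The two-field log lines are constructed and are not Declude's log format; the function names and thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: "<connecting IP> <action>" per message (NOT Declude's format).
SAMPLE_LOG = "\n".join(
    ["198.51.100.%d DELETE" % h for h in (5, 9, 77) for _ in range(4)]   # one small cluster
    + ["10.%d.%d.20 DELETE" % (a, a) for a in range(1, 21) for _ in range(2)]  # 20 scattered hosts
    + ["192.0.2.10 HOLD", "not-an-ip DELETE"]                            # ignored lines
)

def deletes_per_ip(log_text):
    """Count deleted messages per connecting IP, skipping malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] != "DELETE":
            continue
        try:
            counts[ipaddress.ip_address(parts[0])] += 1
        except ValueError:
            continue  # not a valid address
    return counts

def offenders(counts, min_deletes):
    """IPs at or above a delete threshold (the post uses 50 and 10)."""
    return {ip: n for ip, n in counts.items() if n >= min_deletes}

def blockable_ranges(counts, prefix_len=24, min_hosts=3, min_deletes=10):
    """Prefixes where several distinct senders cluster: firewall-rule candidates."""
    nets = {}
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts, total = nets.get(net, (0, 0))
        nets[net] = (hosts + 1, total + n)
    return sorted((net for net, (h, t) in nets.items()
                   if h >= min_hosts and t >= min_deletes), key=str)

def coverage(counts, ranges):
    """Fraction of all deletes that blocking these ranges would have stopped."""
    total = sum(counts.values())
    hit = sum(n for ip, n in counts.items() if any(ip in r for r in ranges))
    return hit / total if total else 0.0

if __name__ == "__main__":
    c = deletes_per_ip(SAMPLE_LOG)
    for plen in (24, 16):
        r = blockable_ranges(c, plen)
        print(f"/{plen}: {len(r)} range(s), {coverage(c, r):.0%} of deletes covered")
```

Low coverage even at the wider prefix is the signature of the distributed, low-rate sending the post describes: many unrelated hosts each contributing a few messages.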
