I would probably place a Postfix/IMGate box in front of the Imail server at
this point. Postfix can deal with this load a lot better than Imail. Use the
RBLs on Postfix and let Declude/Imail do what they do best in the weighted
tests, filters and so on. This is what we do and it works very well for us.

Our setup has 2 Postfix boxes as MX10 and MX20. They get the brunt of the
Internet force. They then pass on to the Imail/Declude/Sniffer box. This
last box is not listed as an MX.

Sheldon


Sheldon Koehler, Owner/Partner        http://www.tenforward.com
Ten Forward Communications           360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain


----- Original Message ----- 
From: "IS - Systems Eng. (Karl Drugge)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 07, 2003 8:41 AM
Subject: [Declude.JunkMail] Comments on this ?


I have a client that is getting HAMMERED by mass SPAM emailings. In
excess of 500,000 emails a month are getting deleted on an 80 user
network. His Internet connection is totally flooded.  I've been working
with him over the past 9 months or so and have been trying to track
things down to a single spammer or set of spammers.

First, he is the target of the "reflected email" attack/delivery system.
He was getting loads of these. He still gets these, but only about
100-150,000 a month. The rest are pure garbage items, at a much heavier
than normal load of SPAM for a site of his size. What's curious is that
I have been attempting to run MID level logging in order to get the
connecting IPs, reasoning that if I could find the IP ranges, I could
blow them off at the firewall and spare DECLUDE from having to process
the emails. But, to my surprise, after running a few PERL scripts on the
logs, the number of offending IPs, even listing those with over 50
deletes, is something on the order of over 2,000! There are no real
ranges that I can find. If I include servers sending 10 emails that
DECLUDE deletes, I have over 5 thousand for the month. It's a massive
deluge from thousands of servers sending 4 or 5 emails a day. It's
beginning to look like whoever is sending the mail has hundreds of
zombie 'bots out on the internet and can direct them at will.

Short of telling him he needs to just dump his domain name and get a new
one, or co-locate a server upstream at an ISP for Declude, I am out of
answers.

Is anyone else seeing this type of attack? Are Spammers now using
zombie 'bots?


Karl Drugge


--- [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)] --- This E-mail came from the Declude.JunkMail
mailing list. To unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The
archives can be found at http://www.mail-archive.com.
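
The range hunt described in the original message can be checked mechanically. The following is an added example, not code from either poster: it takes per-IP delete counts (the kind of output the Perl log scripts would produce), groups them by network prefix, and reports how much of the deleted mail firewall rules for the clustered networks would actually have stopped. The sample addresses, counts and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (connecting IP, messages deleted this month).
# Documentation and private address space only; not data from the thread.
SAMPLE = [
    ("192.0.2.10", 60), ("192.0.2.77", 55),       # two offenders, one /24
    ("198.51.100.5", 52), ("203.0.113.9", 51),    # lone heavy senders
    ("10.1.3.1", 5), ("10.7.90.7", 4), ("10.20.1.1", 4), ("10.33.2.2", 5),
    ("10.48.8.8", 4), ("10.200.5.5", 5), ("10.77.6.6", 5),  # scattered trickle
]

def group_by_prefix(counts, prefix_len=24):
    """Map each network of the given size to (distinct hosts, total deletes)."""
    hosts, deletes = defaultdict(set), defaultdict(int)
    for ip, n in counts:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[net].add(ip)
        deletes[net] += n
    return {net: (len(hosts[net]), deletes[net]) for net in hosts}

def block_candidates(counts, prefix_len=24, min_hosts=2, min_deletes=50):
    """Networks worth a firewall rule: several offenders and real volume.

    min_hosts and min_deletes are assumed thresholds; tune them per site.
    """
    grouped = group_by_prefix(counts, prefix_len)
    return sorted(
        (net for net, (h, d) in grouped.items()
         if h >= min_hosts and d >= min_deletes),
        key=lambda net: -grouped[net][1],
    )

def coverage(counts, nets):
    """Fraction of deleted mail that rules for `nets` would have stopped."""
    total = sum(n for _, n in counts)
    hit = sum(n for ip, n in counts
              if any(ipaddress.ip_address(ip) in net for net in nets))
    return hit / total if total else 0.0

if __name__ == "__main__":
    nets = block_candidates(SAMPLE)
    print([str(n) for n in nets], f"coverage={coverage(SAMPLE, nets):.0%}")
```

Low coverage from the candidate networks is the signature of a widely distributed sender population, which is the case where filtering at an MX in front of the mail server does more than firewall range blocks.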
