These harvesting attacks need to be blocked at the SMTP level; do not
continue to let your server deplete its resources on this bogus mail.  If
your server doesn't support SMTP blocking, a user on the list recently
mentioned that he runs Black Ice Server... try that.

 
chris
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \
WCNet
Sent: Wednesday, September 20, 2006 3:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

A large spike hit here Monday.  Spool processing lagged about 1.5 hours,
then got worse late in the night to over 9,000 files in spool and a 5-hr
delay.  Had to stop SMTP and clear the spool.

I've noticed numerous D/T pairs that appear in \spool and hang there for a
long time (10-15 mins), locked while SMTP is running.  Right now it's 2:15
PM and there's a locked 1K T/D pair time-stamped 1:57 PM.  Toggling SMTP
leaves them as orphans.  A typical D is 1 KB in size and contains something
like this

     Received: from acce.org [82.250.149.205] by wcnet.net
       (SMTPD32-7.15) id A7977430256; Wed, 20 Sep 2006 12:17:11 -0500

The T is

     QD:\IMAIL\spool\D7797074302566850.SMD
     Hwcnet.net
     WD:\IMAIL
     E0,
     S<[EMAIL PROTECTED]>
     NRCPT TO:<[EMAIL PROTECTED]>

The NRCPT TO is a valid hosted mail domain but not a valid user.  A few may
be to one or more valid users, and a few may have message content in the D
whether the user is valid or not.  Is this a dictionary probe?  What can be
done to defend against it?

G.Z.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
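
An added example, not written by either poster and not part of IMail or Declude: it parses T/D spool pairs in the layout quoted above and reports source IPs whose recipients are mostly unknown mailboxes, the pattern a dictionary probe leaves behind, so those IPs can be considered for blocking at the SMTP level. The reading of the T-file tags, the thresholds, `VALID_USERS` and every sample address are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed reading of the T file in the post: one-letter tag plus value per
# line, with "N" carrying "RCPT TO:<addr>". Source IP comes from the D file's
# Received: header, in square brackets.
RCPT_RE = re.compile(r"^\s*NRCPT TO:<([^>]*)>", re.I | re.M)
IP_RE = re.compile(r"^\s*Received: from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)

def parse_pair(t_text, d_text):
    """Return (source_ip or None, [lowercased recipients]) for one T/D pair."""
    m = IP_RE.search(d_text)
    return (m.group(1) if m else None,
            [r.lower() for r in RCPT_RE.findall(t_text)])

def harvest_suspects(pairs, valid_users, min_unknown=3, min_ratio=0.75):
    """Map each suspect source IP to (total, unknown) recipient counts."""
    seen = defaultdict(lambda: [0, 0])
    for t_text, d_text in pairs:
        ip, rcpts = parse_pair(t_text, d_text)
        if ip is None:
            continue  # no usable Received: header, cannot attribute
        for rcpt in rcpts:
            seen[ip][0] += 1
            seen[ip][1] += rcpt not in valid_users
    return {ip: (total, unknown) for ip, (total, unknown) in seen.items()
            if unknown >= min_unknown and unknown / total >= min_ratio}

# Constructed sample data (documentation addresses, not from the post).
def make_pair(ip, rcpt):
    t = ("QD:\\IMAIL\\spool\\D0000.SMD\nHexample.org\nWD:\\IMAIL\nE0,\n"
         "S<sender@example.net>\nNRCPT TO:<%s>\n" % rcpt)
    d = "Received: from host.example [%s] by example.org\n" % ip
    return t, d

VALID_USERS = {"alice@example.org", "bob@example.org"}
SAMPLE_PAIRS = [make_pair("192.0.2.10", "%s@example.org" % name)
                for name in ("aaron", "abby", "adam", "Alice", "alan")]
SAMPLE_PAIRS.append(make_pair("198.51.100.7", "bob@example.org"))

if __name__ == "__main__":
    for ip, (total, unknown) in harvest_suspects(SAMPLE_PAIRS, VALID_USERS).items():
        print("%s: %d of %d recipients unknown" % (ip, unknown, total))
```

The two thresholds keep a sender with a single mistyped address from being flagged alongside a host that walks through a name list.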


