>We have been hit very hard lately.
>
>Last week we had 350,000 files in /spool.

That is pretty bad.  Are you not able to use "Relay for Addresses" or "No 
mail relay" options?

>I need to make sure I am reading my log files correctly.
>
>One day I counted over 17,000 spam emails:  FROM:<[EMAIL PROTECTED]> from
>one source.
>
>The way I counted was to replace the from email address with other text
>via MS Word.

An easier way is to go to the command prompt and type:

         FIND "MAIL FROM:<[EMAIL PROTECTED]>" sys####.log /C

This will give you an exact count of the total occurrences.  To see all the 
E-mail sent from a specific IP address (since many spammers will 
occasionally alternate the "MAIL FROM" address), you can use:

         FIND "[1.2.3.4] RCPT TO:" sys####.log /C

>Question is: does each email address that I replaced:
>FROM:<[EMAIL PROTECTED]>  equal one SPAM email?

It depends on how you are counting them.  Are you looking for the total 
number of E-mails received, or the total number sent?  The spammer will 
usually send you one copy of the E-mail for about every 20 recipients.  So 
the 17,000 "MAIL FROM" count would equal 34,000 files in the queue (one "Q" 
file with the recipients listed, and one "D" file with the E-mail itself), 
but about 350,000 outgoing E-mails (but it could be as few as 17,000 
outgoing E-mails or as many as millions, depending on the number of 
recipients per E-mail).  The "RCPT TO:" count will give you the number of 
outgoing E-mails that they are attempting to deliver.


                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com


An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
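
The counting described in the reply above, as an added example that is not part of the original post: a per-source-IP tally of "MAIL FROM" (messages received), "RCPT TO" (outgoing deliveries attempted) and the two queue files per message. The line layout "[ip] COMMAND:<address>" is an assumption inferred from the FIND strings in the reply, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed line shape, inferred from the FIND strings in the reply:
#   ... [<ip>] MAIL FROM:<addr>   and   ... [<ip>] RCPT TO:<addr>
SMTP_CMD = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] (MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)

# Constructed sample lines (not from a real log); the leading fields are placeholders.
SAMPLE_LOG = """\
10:01 SMTPD(0001) [192.0.2.10] MAIL FROM:<a@example.com>
10:01 SMTPD(0001) [192.0.2.10] RCPT TO:<u1@example.net>
10:01 SMTPD(0001) [192.0.2.10] RCPT TO:<u2@example.net>
10:01 SMTPD(0001) [192.0.2.10] RCPT TO:<u3@example.net>
10:02 SMTPD(0002) [198.51.100.7] MAIL FROM:<staff@example.org>
10:02 SMTPD(0002) [198.51.100.7] RCPT TO:<friend@example.net>
10:03 SMTPD(0003) [192.0.2.10] MAIL FROM:<b@example.com>
10:03 SMTPD(0003) [192.0.2.10] RCPT TO:<u4@example.net>
10:03 SMTPD(0003) [192.0.2.10] RCPT TO:<u5@example.net>
10:04 SMTPD(0003) [192.0.2.10] QUIT
"""

def summarize(lines):
    """Return {ip: counts} so rotating MAIL FROM addresses cannot hide one source."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in lines:
        m = SMTP_CMD.search(line)
        if not m:
            continue  # not a MAIL FROM / RCPT TO line
        ip, cmd, addr = m.group(1), m.group(2).upper(), m.group(3).lower()
        if cmd == "MAIL FROM":
            stats[ip]["messages"] += 1        # one message received
            stats[ip]["senders"].add(addr)
        else:
            stats[ip]["recipients"] += 1      # one outgoing delivery attempted
    return {
        ip: {
            "messages": s["messages"],
            "recipients": s["recipients"],
            "distinct_senders": len(s["senders"]),
            "queue_files": 2 * s["messages"],  # one "Q" file + one "D" file each
        }
        for ip, s in stats.items()
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    # Busiest source first, ranked by delivery attempts.
    for ip, c in sorted(report.items(), key=lambda kv: -kv[1]["recipients"]):
        print(ip, c)
```

To run it against a real log, pass the open file to summarize() in place of the sample lines.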