Am I missing something here, or in the case of Hotmail (with 10 MX records), wouldn't you see 960 connection attempts if E-mail is re-tried every 30 minutes for 2 days (which I believe is the default with IMail)?
Yes, but you're looking from the POV of the attacker.
MS's edge router sees a packet coming from an IP in the dyn.optonline.net block and could simply drop the packet silently. That's very cheap for MS to do. One SMTP connection attempt is one MS-dropped packet. Nobody's counting 960 dropped TCP packets in the volumes of packets crossing MS routers.
That's still 50K for a single E-mail. Multiply that by a typical spamming of 500,000 E-mails with 5% to Hotmail, and you've got 1 Gigabyte of traffic from that single ISP (assuming, of course, that the spammer's pipe and the mailserver he is using are capable of handling the load, and it doesn't get stopped within the 48 hours).
Compare that to sending back a SYN+ACK, waiting for their ACK, then sending a "5xx" message and closing the connection. Yes, it's more traffic for that one connection, but would use up much less bandwidth.
960 dropped TCP packets isn't much for Microsoft, but 500,000 per hour from just one spammer starts to add up.
You're working at the wrong level. TCP connections are refused at the edge, and the MX IP and, above all, the SMTPD server app never see a single byte.
True. But all that bandwidth is wasted.
-Scott
