Re: [Mimedefang] Scary... Filtering on the outbound.

[John Scully]

On inbound we are using the same sort of tracking - log and count number of 
bad recipients from one IP as a ratio to good recipients during the envelope 
stage, we will discard a message before the data stage if it hits 5 bad 
receipients with no good ones.

I think others do something similar, because I have seen the average number 
of recipients per message keep dropping.

During one dictionary spam run inbound to ONE of our domains we saw 538K "no 
such user" events in 75K messages from 24K Ip addresses, with multiple 
messages per IP!  That is only   22 recipients per IP and a little over 7 
per message.

That is one reason we have started using iptables to block at the 
interface - think of the denial of service attack 24K infected PCs could do 
if they were focused on one domain.

John
----- Original Message ----- 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <mimedefang@lists.roaringpenguin.com>
Sent: Friday, February 18, 2005 7:24 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.


On Thu, 17 Feb 2005, Les Mikesell wrote:
Are you looking at the number of recipient addresses or the number
of messages for this test?  Or does the current crop of spam-worms
generally send a message per recipient?
Interesting point!  I bet ISPs lower MaxRecipientsPerMessage to something
like 10 or so...
Regards,
David.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


This message scanned for viruses by Lifegiver.net
For more information on our filtered email and dial up internet service please 
visit http://www.lifegiver.net
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang