On 9/23/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> "patrick keshishian" <[EMAIL PROTECTED]> writes:
>
> > I'm running spamdb in greylist mode, but these servers were
> > getting white-listed very quickly.
>
> Then it sounds almost like you were running with a too short passtime,
> but then that's easy to adjust.

The default (which I believe is 25 minutes).


> > At around 1:40 PM (PDT) my SMTP server started getting flooded
> > by enormous amount of connections.  The connections were for
> > seemingly random "users" @my-domain-name.
>
> We've been seeing a lot of that here, too.  Mostly it's a few (maybe
> 20) a day to the most widely known domain here, then occasionally
> somebody pushes the "generate" button for too long and one domain
> almost nobody actually uses gets the bounces for 700+ fake
> addresses[1].  Bob Beck's greyscanner is rather effective, as are the
> more manual methods.  I've blogged about the observations quite a bit,
> starting with [2].

I have just re-opened my SMTP port which I had shut since 1440
Sunday. Not 1 hour has passed yet and my GREY list is almost
at 300.

I've added about 250 (count at the time) bogus emails to the
greytrap list but since they are unique I don't think it will
help the situation much.

I'm very certain right now that this flood is due to a spammer
using these fake addresses @my-domain-name to spam these mail
servers (all around the world -- Japan, South America, US,
Germany, Ireland, etc...) and I'm getting the brunt of it in
the form of these bounced messages.

At this point I think I have no other choice but to wait out
the "storm".


> Short summary for those who are not too interested in blog posts: I
> started seeing more than the usual amount of bounce activity in my
> mail server log summaries, close enough to what you describe.  So
> after a bit of thinking and log browsing I decided this was generated
> mainly by misconfigured mail servers bouncing spam.  Then I decided I
> wanted to do an experiment, to see if I could poison the well and at
> the same time get a feel for the data I was collecting.


When you speak of "misconfigured mail servers bouncing spam",
what exactly is a "properly configured mail server" supposed to
do with spam directed at non-existing user @their-host-name?

Just curious.


FYI, as of now my:

 - GREY list count is 342 (and growing)
 - unique bogus email count is 341
 - ESTABLISHED spamd connection count is 63 (and growing)


This is not fun :-\



> I started publishing the fake addresses on a web page[3] as well as
> entering them into the list of trap addresses.  I've been seeing
> evidence that the addresses are actually being harvested and used as
> to-be-spammed addresses too: addresses which are all uppercase on the
> web page turning up in the spamd logs and greylist dumps in all
> lowercase, addresses which have been on my flypaper list for months
> turn up all the time, and we see a steadily growing number of hosts in
> TRAPPED state.
>
> My users here are not getting any more spam than they used to (as
> close as does not matter to none), false positives are pretty much an
> unknown, and it looks like we're succeeding in making the spammers
> work harder.
>
> [1] http://bsdly.blogspot.com/2007/08/lady-in-distress-or-then-again-maybe.html
> [2] http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html
> [3] http://www.bsdly.net/~peter/traplist.html
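The counts above (GREY entries, unique bogus recipients, TRAPPED hosts) and the case-folding observation on harvested trap addresses can be pulled straight out of a spamdb dump. The script below is an added example, not code from this thread or from spamd/greyscanner; it assumes the spamdb(8) dump layout `GREY|ip|from|to|first|pass|expire|block|pass`, `TRAPPED|ip|expire` and `SPAMTRAP|address`, and all addresses, IPs and timestamps in it are constructed.

```python
"""Summarise a spamdb(8) dump: GREY count, bogus recipients, harvested traps."""
from collections import Counter

# Constructed sample dump (assumed spamdb field order, see lead-in).
SAMPLE_DUMP = """\
GREY|203.0.113.5|<mailer-daemon@example.net>|<qzxv17@my-domain.example>|1190577600|1190579100|1190592000|1|0
GREY|203.0.113.5|<mailer-daemon@example.net>|<tfbl03@my-domain.example>|1190577605|1190579105|1190592005|1|0
GREY|198.51.100.9|<postmaster@example.co.jp>|<trap-one@my-domain.example>|1190577650|1190579150|1190592050|1|0
GREY|192.0.2.77|<alice@example.com>|<patrick@my-domain.example>|1190577700|1190579200|1190592100|1|0
WHITE|192.0.2.20|||1190500000|1190501500|1193100000|1|3
TRAPPED|198.51.100.44|1190700000
SPAMTRAP|<trap-one@my-domain.example>
"""

VALID_USERS = {"patrick@my-domain.example"}          # constructed: real mailboxes
PUBLISHED_TRAPS = {"TRAP-ONE@my-domain.example"}     # constructed: as published, uppercase


def addr(field):
    # spamd records envelope addresses as "<user@host>"; fold case so an
    # uppercase published trap matches its lowercased harvested copy.
    return field.strip("<>").lower()


def summarise(dump, valid_users=VALID_USERS, published=PUBLISHED_TRAPS):
    grey, trapped, spamtraps = [], set(), set()
    for line in dump.splitlines():
        f = line.split("|")
        if f[0] == "GREY" and len(f) >= 9:
            grey.append((f[1], addr(f[2]), addr(f[3])))   # (source ip, from, to)
        elif f[0] == "TRAPPED" and len(f) >= 2:
            trapped.add(f[1])
        elif f[0] == "SPAMTRAP" and len(f) >= 2:
            spamtraps.add(addr(f[1]))
    valid = {v.lower() for v in valid_users}
    pub = {p.lower() for p in published}
    bogus = {to for _, _, to in grey if to not in valid}   # recipients that do not exist
    return {
        "grey": len(grey),
        "bogus_unique": len(bogus),
        "harvested": sorted(bogus & pub),        # published traps now being spammed
        "new_traps": sorted(bogus - spamtraps),  # candidates for `spamdb -T -a`
        "trapped_hosts": len(trapped),
        "top_sources": Counter(ip for ip, _, _ in grey).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a live system feed it `spamdb` output (`summarise(subprocess.check_output(["spamdb"], text=True))`) and replace the constructed valid-user and published-trap sets with your own.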
