What I did against this is, first, have a virtusertable that lists all your users and at the end has something like

@mydomain.edu.tr    error: sorry no one by that name

(syntax may be off; I am writing this off the top of my head)

so it rejects it outright before the mail has to go through SpamAssassin, etc.

Second thing I did: hack the sendmail source so that when BadRcptThrottle is reached, it closes the connection instead.
Life has been peaceful since :)


-t



David B Funk wrote:

On Wed, 18 May 2005, Jeff Chan wrote:



On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:


Hello, all.


When I look at the maillog, I can see lots of logs like below.
Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I guess.
So the mail server load is high from accepting this spam and replying with "User unknown".


Is there any good way or solution against this series of spam?


Thanks in advance.


May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>... User unknown
May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>... User unknown
May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>... User unknown


This is called a "dictionary attack".  If you search for that and
sendmail, you may find some answers.  It's not specifically a
SpamAssassin question.




For sendmail, enable the "BadRcptThrottle" threshold. This feature will cause sendmail to rate limit transactions once a specified number of bad recipients have been seen. sendmail will still have to tell the spammers "No No No" but at a slower rate so they don't drive up your server load average. (the default is 20, I've got mine set to 3 ;)

Combine this with ConnectionRateThrottle & MaxDaemonChildren to limit
the total simultaneous sessions to prevent your SpamAssassin from
being driven into meltdown by these kinds of attacks.

You can also add in dnsbl lists such as xbl.spamhaus.org to block
connections by infected PCs at the SMTP level.
Lots of this kind of trash is coming from 'bot nets' and can be
blocked by good dnsbl lists.
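
A way to check from the maillog whether rejected recipients arrive packed into one transaction, where BadRcptThrottle applies, or one per connection, as in the three quoted log lines with three different sendmail PIDs, where the connection limits and DNSBLs mentioned above come into play. This is an added example, not part of the original thread; the log lines, relay addresses and function names are constructed, and treating one queue id as one transaction for the throttle is an assumption.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample in sendmail maillog format (invented relays/users).
SAMPLE_LOG = """\
May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <aaron@example.edu>... User unknown
May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: from=<a@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <abby@example.edu>... User unknown
May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: from=<a@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <adam@example.edu>... User unknown
May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: from=<a@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:12:10 mail02 sendmail[22501]: j4I6CAi22501: <al@example.edu>... User unknown
May 18 15:12:10 mail02 sendmail[22501]: j4I6CAi22501: <alan@example.edu>... User unknown
May 18 15:12:11 mail02 sendmail[22501]: j4I6CAi22501: <alex@example.edu>... User unknown
May 18 15:12:11 mail02 sendmail[22501]: j4I6CAi22501: from=<b@example.net>, size=0, nrcpts=0, relay=bot.example.org [198.51.100.7]
May 18 15:13:30 mail02 sendmail[22510]: j4I6DUi22510: <jsmtih@example.edu>... User unknown
May 18 15:13:31 mail02 sendmail[22510]: j4I6DUi22510: from=<c@example.com>, size=812, nrcpts=1, relay=[203.0.113.5]
"""

UNKNOWN = re.compile(r"sendmail\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown")
FROM = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=[^\[]*\[([^\]]+)\]")

def bad_rcpts_by_relay(log_text):
    """Map relay IP -> rejected-recipient counts, one entry per queue id."""
    bad, relay_of = defaultdict(int), {}
    for line in log_text.splitlines():
        if m := UNKNOWN.search(line):
            bad[m.group(1)] += 1               # rejection, keyed by queue id
        elif m := FROM.search(line):
            relay_of[m.group(1)] = m.group(2)  # same queue id names the relay
    per_relay = defaultdict(list)
    for qid, n in bad.items():
        per_relay[relay_of.get(qid, "unknown")].append(n)
    return dict(per_relay)

def classify(per_relay, bad_rcpt_throttle=3, relay_limit=3):
    """Label relays whose rejections reach the throttle in one transaction,
    or only add up to relay_limit (hypothetical knob) across transactions."""
    verdicts = {}
    for relay, counts in per_relay.items():
        if max(counts) >= bad_rcpt_throttle:
            verdicts[relay] = "per-transaction"
        elif sum(counts) >= relay_limit:
            verdicts[relay] = "spread-across-connections"
    return verdicts

if __name__ == "__main__":
    print(classify(bad_rcpts_by_relay(SAMPLE_LOG)))
```

A relay labelled "spread-across-connections" never reaches the per-transaction count, so it only shows up when rejections are summed per relay; a single mistyped address stays unlabelled.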






