Hello everyone,

I'm running SpamAssassin 3.1.7, with netqmail 1.05, ClamAV etc.

We've been subject to being joe-jobbed on one of our domains here at work. We were lucky, as we were able to switch off delivery to the affected domain and effectively blocked the blowback by refusing E-Mail from all the Postmasters around the world sending NDRs and so forth to the now non-existent mailboxes. However, this was a far-from-optimal solution, as I'm sure many people will be wanting to point out already: what if we needed that domain to still receive legitimate E-Mail...

We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients. I removed a bunch of our own site rules (which were going to be whittled away anyhow) to decrease the average scantime of E-Mails by SpamAssassin - this did work, for about 15 minutes. Then, an average scantime of 4 seconds was not good enough - clients were still denied SMTP (too busy).

I decided (wrongly) to implement the Vbounce plugin. Read the install doc, got it set up, tested SA with debug and lint, everything appeared to test OK. Put it into practice by reloading SA and then Wang! Average scantimes hit the roof: 38 seconds. Needless to say, I disabled the plugin. Although whilst it was running, it did appear to be doing the job correctly according to my mail logs - and there were no errors. So we blocked the domain.

I am interested to know the following:

Has anyone else had this kind of result when installing the Vbounce plugin? (largely increased scantimes)

How might I keep delivery flowing to valid recipients for the domain (smarthosted (smtproutes) to Exchange) but reject the blowback at SMTP time?

I was considering convincing the powers to let me set up SPF, but their requirement would be to have both v1 and v2 SPF tags - and I'm not sure whether qmail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question :)

Thanks in advance for any useful information :)

Cheers,
Michael Hutchinson