Ken,
Thanks for your help.
You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites.
I have tried this before write here. So maybe too much rbl's, look:
#!/bin/sh
QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 10000000 \
/usr/local/bin/tcpserver \
-v -H -R -l 0 \
-x /etc/tcprules/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r "list.dsbl.org:Your mail server is listed in DSBL list." \
-r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
-r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
-r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
-r "blackholes.mail-abuse.org: See <http://www.mail-abuse.com/enduserinfo.html>" \
-r "dialups.mail-abuse.org: See <http://www.mail-abuse.com/enduserinfo.html>" \
-t 5 \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1
Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines.
Yes. That what I'm doing:
4.:deny 12.:deny 130-159.:deny 80-89.:deny and so on...
But there is a way to determine if the spammer are using an account on my server, with password, to do that? So I can change the password and block him.
Thanks, -- Walter.