At 17:16 17.09.97 +0100, Mario Valente wrote:
> There are two distinct problems: one is your local users being hit by spam. I don't mean one or two or ten. I mean when someone gets hold of your list of users (/etc/passwd or mailing lists or scanning Usenet) or (like we had in the past) has someone create a program to generate all the permutations of 8 letters and try to deliver mail to permutationN@esoterica.pt.
This is one of the worst, in my experience as abuse/postmaster. It's difficult to block mails to our own customers, since we don't really know whether it's a legal mail or not. The chance is not that big, but it's there. One of the nastiest things I've seen was someone using finger permutationN@site.no to find addresses to spam. It was not _one_ finger connection... The server wasn't happy with several hundred finger connections at the same time, and decided to take a vacation.
> The other problem is your email server being used as a relay for spamming. Someone delivers mail on your server saying it is destined for somewhere else. Not only do you spend computation and bandwidth resources, but you also appear to be the origin of the spam, and thus get bothered a lot by other sysadmins.
> This last problem was quite simple to solve, since there are patches and configurations for sendmail to relay only for a list of machines.
Only, it takes some time to do the necessary changes, especially when you're acting as secondary mail server to a lot of domains. :(
> The next solution was to block packets coming from those addresses to port 25 of any machine on our network.
That's what we're doing now. Since our router can throw away packets faster than they can send them (usually), it solves most of the problem. Except, of course, new spam domains pop up every day. We did this to one of the larger American domains (come to think of it, we still do). In approximately 48 hours, we got the following figures:

  connections to the mail server that were accepted:        1 200 000
  connections refused from that domain:                       980 000
  connections refused from other known spam domains:          100 000

I also opened for their mail servers, but there were _no_ connections from those. Not one single try.
> This has worked wonders. We still receive unsolicited email, but no more heavy-duty spams.
I haven't seen much since we started blocking certain IP blocks in the USA. It was _not_ CyberPromo, since we've been blocking them for several months.

-- 
Med vennlig hilsen/Regards
Ina Faye-Lund
Telenor Nextel AS
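An added example, written for this page and not taken from the thread or from either poster: a minimal form of the relay policy the two of them describe. A RCPT TO is accepted only if the connecting client sits on one of our own networks (it may relay anywhere) or the recipient domain is one we are primary or secondary MX for; anything else is an open-relay attempt and gets the 550 that the remote spammer sees. It also refuses the three forwarding syntaxes that were used to turn an apparently local recipient into a relay hop (RFC 821 source routes, the %-hack and UUCP bang paths), since a check on the last domain alone would let those through. The networks, domains and addresses are constructed placeholders, and the function names parse_rcpt, relay_decision and smtp_response are assumptions of this example.

```python
"""Added example: a minimal anti-relay policy for an SMTP server.

Not the sendmail patches of the period and not either poster's
configuration; the networks and domains below are constructed placeholders.
"""
import ipaddress

# Constructed sample policy. Clients inside these networks may relay to any
# destination (our own dial-up and LAN ranges, in the original setting).
RELAY_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Domains we accept mail for: our own, plus every customer domain we act as
# secondary MX for. A domain missing from this set will have its mail refused.
LOCAL_DOMAINS = {"example.net", "mail.example.net"}
SECONDARY_DOMAINS = {"customer-a.example", "customer-b.example"}
ACCEPTED_DOMAINS = LOCAL_DOMAINS | SECONDARY_DOMAINS


def parse_rcpt(rcpt):
    """Return (localpart, domain) for a RCPT TO argument, or None when the
    address uses a forwarding syntax that would make acceptance a relay:
    source routes (<@hop:user@dest>), the %-hack (user%dest@ourdomain) and
    bang paths (dest!user@ourdomain). Domain is lower-cased, trailing dot
    removed, so that 'Example.NET.' and 'example.net' compare equal.
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return None
    # Any routing character left in the local part means "deliver onward".
    if "@" in local or "%" in local or "!" in local:
        return None
    return local, domain


def relay_decision(client_ip, rcpt):
    """Decide whether to accept RCPT TO <rcpt> from client_ip.

    Returns (accepted, reason). Exact domain match is used on purpose: a
    subdomain we do not explicitly serve is treated like any foreign domain.
    """
    parsed = parse_rcpt(rcpt)
    if parsed is None:
        return False, "malformed or source-routed recipient"
    _, domain = parsed
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETWORKS):
        return True, "client is on a relay-permitted network"
    if domain in ACCEPTED_DOMAINS:
        return True, "recipient domain is local or secondary MX"
    return False, "relaying denied"


def smtp_response(client_ip, rcpt):
    """The reply line the SMTP client gets for this RCPT TO."""
    accepted, reason = relay_decision(client_ip, rcpt)
    if accepted:
        return "250 OK"
    return "550 5.7.1 <%s>... %s" % (rcpt.strip().strip("<>"), reason)


if __name__ == "__main__":
    # Constructed sample session: one local client, one outside client.
    for client, rcpt in [
        ("192.0.2.10", "<friend@example.org>"),                   # our user, outbound
        ("203.0.113.5", "<user@customer-a.example>"),             # inbound for a secondary-MX customer
        ("203.0.113.5", "<victim@example.org>"),                  # open-relay attempt
        ("203.0.113.5", "<victim%example.org@customer-a.example>"),   # %-hack
        ("203.0.113.5", "<@customer-a.example:victim@example.org>"),  # source route
    ]:
        print("%-12s RCPT TO:%-45s -> %s" % (client, rcpt, smtp_response(client, rcpt)))
```

The part that makes the change slow in practice is ACCEPTED_DOMAINS: every domain you are secondary MX for has to be listed, and a domain left out has its legitimate mail refused with the same 550 as a relay attempt, so the list should be built from the zones that actually name you as MX before the policy is switched on.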