[Mimedefang] Need advice on how to proceed.

Brian McGraw bjm25 at drexel.edu
Fri Jun 11 10:25:31 EDT 2004


Hello list,

I need some advice on how to proceed. My organization has been getting 
crushed by dictionary (or Rumplestiltskin, if you will) attacks. Up 
until about two weeks ago, the situation was manageable. But now, the 
volume of traffic is growing out of control. The attacks are beginning 
to slow down not only our mail server, but the company's T-1, as well. 
I just recently started using a DNSRBL to help filter traffic, but I'm 
not sure that it is really helping. I guess what I really need to know is:

1. When does the DNSRBL checking happen? 

I've integrated the checks into Sendmail, not MD or SA.

2. Do the DNSRBL checks happen before, or do they prevent, Sendmail from 
checking to see whether the recipient addresses are real or not?

The reason I ask is that I believe a large part of what is slowing us 
down is all the "User unknown" replies generated by the dictionary 
attacks. Turning off the replies is not an option, unfortunately. Also, 
if a spammer sends a piece of mail with 50 people CC'd, and the DNSRBL 
decides that sender is a spammer, does the rejection error get sent to 
the sender once, or once for each person he CC'd?

I've also tried using the throttling technique in Sendmail to slow these 
attacks, but it doesn't really seem to have helped. Is there anything 
I'm missing? Are there any options available in MD to help put a stop 
to the attacks?

Thanks for any help,
Brian


