[Mimedefang] Dealing with massive spam burst

[Joseph Brennan]

--On Wednesday, September 8, 2004 6:03 PM +0100 dr john halewood 
<john at unidec.co.uk> wrote:

> hmm....
>    I've had mimedefang+clamav+spamassassin running quite happily here for
> about 18 months or so now, but over the last couple of days have run into
> a  problem. One of our customers has been very severely joe-jobbed, and
> the mass  of NDR's coming back to them is making their primary
> MTA/mimedefang box  crumble under the load (which can peak at a few
> hundred messages a minute  when the spammers kick off).
>   On the grounds that upgrading the hardware isn't something that can be
> done  quickly or easily, can anyone suggest any techniques for reducing
> the load at  such times? I've thought of configuring spamassassin to
> whitelist emails  coming from <> - but that only takes out a certain
> portion of the problem,  and the load from running clamd across each
> incoming mail is still there. The  only other thing I can think of is
> rejecting email to non-existant users  before defang does most of it's
> tests, but that would involve rigging up a  system to verify each user
> against the Exchange system that the mail routes  through to.
>   Any suggestions/clues to what I'm missing very welcome.



If you want to use mail from <> as the trigger, have Mimedefang
check for that and do not run spam_assassin_check() at all.  Note
that by doing this you allow spam from <>, but weigh one problem
against another.  Generally skip Spamassassin when you can.

You might use sendmail config values to control things, like stop
accepting mail over some load average.  It delays mail but keeps
the box running.

Maybe you have to close the user's account, give a new one, and
use sendmail's access.db to reject mail to that particular address
with a message stating what the new address is-- for human senders.


Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York