[Mimedefang] Scary... Filtering on the outbound.
John Scully
jscullylg3 at lifegiver.net
Fri Feb 18 10:39:25 EST 2005
On inbound we are using the same sort of tracking - log and count number of
bad recipients from one IP as a ratio to good recipients during the envelope
stage, we will discard a message before the data stage if it hits 5 bad
receipients with no good ones.
I think others do something similar, because I have seen the average number
of recipients per message keep dropping.
During one dictionary spam run inbound to ONE of our domains we saw 538K "no
such user" events in 75K messages from 24K Ip addresses, with multiple
messages per IP! That is only 22 recipients per IP and a little over 7
per message.
That is one reason we have started using iptables to block at the
interface - think of the denial of service attack 24K infected PCs could do
if they were focused on one domain.
John
----- Original Message -----
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Friday, February 18, 2005 7:24 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.
>
> On Thu, 17 Feb 2005, Les Mikesell wrote:
>
>> Are you looking at the number of recipient addresses or the number
>> of messages for this test? Or does the current crop of spam-worms
>> generally send a message per recipient?
>
> Interesting point! I bet ISPs lower MaxRecipientsPerMessage to something
> like 10 or so...
>
> Regards,
>
> David.
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
>
This message scanned for viruses by Lifegiver.net
For more information on our filtered email and dial up internet service please visit http://www.lifegiver.net
More information about the MIMEDefang
mailing list