North American Network Operators Group
Re: anybody else been spammed by "no-ip.com" yet?
On Fri, 3 May 2002 firstname.lastname@example.org wrote:

> Do you have data on approximate amount of this extra mail bandwidth due to
> spam per user? Actually let's be more exact, can some of you with 10,000
> real user mail accounts reply how much traffic your mail server is using
> and if you have spam filter, how much (in percentage) of mail were filters.
> And how big were the filtered spam in comparison to all other regular mails?
> And if possible how much in amount of disk space was it in comparison to
> all other emails?

Since sendmail applies our dnsbl rules before accepting the message, I can't say how much bandwidth the blocked spam would have used. On a MX that handles mail for several tens of thousands of actual user accounts, it's not unusual for us to deliver ~400k messages and reject anywhere from 200k-500k messages. A few weeks ago we had a several day period during which we rejected > 1,000,000 messages/day.

The rejected numbers can be somewhat inflated though by the 'alphabet spammers'. I'm not sure what else to call them...but these are the people who try to send mail to every conceivable address @yourdomain. If you run a large mail server, you've probably seen them hit you. When they dump their random address spam on an open relay, that relay gets blacklisted pretty quickly, resulting in large numbers of dnsbl rejected messages that would have eventually bounced as 'no such user' bounces, and likely double bounced.

Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use that much bandwidth), is the mail server load issue. A couple of open relays pounding on our mail servers trying to deliver a truckload of spam someone dumped on them will drive up the load in no time. I'm seriously considering adapting some existing code to watch syslog data and use kernel packet filtering to cut off connectivity for say 24h from IPs after N dnsbl caused rejections in Y minutes. This should reduce load considerably.

While typing this I was just watching the log on one mail server and noticed several rejections/sec from mail.ignacio.k12.co.us. That system is an open relay (listed in several blacklists) and has been trying to deliver mail to atlantic.net since last Wednesday. We've rejected from them the following numbers of messages:

Wed: 82102
Thur: 286861
Fri: 215779
Sat (so far): 62128

--
----------------------------------------------------------------------
 Jon Lewis *email@example.com*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
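
The syslog-watching idea described in the message above, sketched as an added example that is not the poster's code: a sliding-window counter that flags an IP after N dnsbl rejections in Y minutes and records a 24h block. The log line format, the thresholds, the allowlist and all names here are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed sendmail-style dnsbl reject line; adapt the pattern to your MTA's log format.
REJECT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*ruleset=check_relay"
                    r".*relay=[^\[]*\[([\d.]+)\].*reject=5\d\d")

def find_blocks(lines, n=3, window=timedelta(minutes=5), ban=timedelta(hours=24),
                allow=(), year=2002):
    """Return [(ip, blocked_at, expires_at)] for IPs with >= n rejections in `window`."""
    nets = [ip_network(a) for a in allow]
    recent = defaultdict(deque)      # ip -> rejection times still inside the window
    banned_until, blocks = {}, []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue                 # deliveries and other noise
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in net for net in nets):
            continue                 # never filter your own relays or secondary MXes
        if banned_until.get(ip, ts) > ts:
            continue                 # ban still active, nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= n:
            banned_until[ip] = ts + ban
            blocks.append((ip, ts, ts + ban))
            q.clear()
    return blocks

# Constructed sample log (documentation addresses, hypothetical hostnames).
def _rej(t, ip):
    return (f"{t} mx1 sendmail[101]: g44x: ruleset=check_relay, arg2={ip}, "
            f"relay=relay.example.org [{ip}], reject=550 5.7.1 refused, listed in dnsbl")
SAMPLE = [
    _rej("May  4 12:00:01", "192.0.2.10"),
    _rej("May  4 12:00:05", "198.51.100.7"),
    "May  4 12:00:09 mx1 sendmail[102]: g44y: to=<user@example.net>, stat=Sent",
    *[_rej(f"May  4 12:00:3{i}", "203.0.113.5") for i in range(3)],  # allowlisted host
    _rej("May  4 12:00:40", "192.0.2.10"),
    _rej("May  4 12:01:10", "192.0.2.10"),    # third hit inside 5 minutes
    _rej("May  4 12:02:00", "192.0.2.10"),    # arrives during the ban, ignored
    _rej("May  4 12:10:00", "198.51.100.7"),  # too spread out to trip the limit
]
```

Each returned tuple is a decision to drop that source on TCP port 25 until `expires_at`; installing and expiring the actual packet-filter rule is left to whatever firewall tooling the mail host uses.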