Looking at some logs for a client, and was slightly horrified. This guy
runs DECLUDE on a P-3 333 MHz machine with 256 meg of RAM, off of half a
T-1. He WAS running about 2/3 of this level last month. Keep in mind,
he only has 80+/- users. He is getting about 95% kill ratio on his SPAM.

He has been seeing the new 'reflected email DDOS' attack for the last 9
months, and it's getting worse by the week. Email comes in addressed to
bogus internal users with a spoofed return address, which SMTP
faithfully attempts to 'return' when it finds no such person on the
internal network. The emails originate on literally hundreds of remote
boxes, so an IP filter is going to be hard to put together. If it wasn't
for Declude nuking the email, his Exchange box would be dead by now.

Any suggestions I can give him? About all I have left is to change his
domain name or co-locate his Declude box upstream.

----------------------------------------------------------------------------

Log file dates from : 09/01/2003 to 09/30/2003
 Lines Processed   : 2856302
 My Mail Server IP : [192.168.254.1]
 Whitelisted from Internal Server: 8257


 CAUTION : You have 3263 WARNINGS/ERRORS in your log file
 CAUTION : You have 2208 corrupt lines in your log file


 Total Messages Logged   : 493894
 Unique SMTP ID's Logged : 237236

* ACTIONS LOGGED  * COUNT **** PERCENTAGE ******************************

  White Listed          : 11535        2.3
  2REALLYBADMAIL        :  8074        1.6
  DELETETHEMAIL         : 432363       87.5
  HOLDTHEMAIL           : 18536        3.8
  PASSTHEMAIL           : 21282        4.3
  REALLYBADMAIL         :  8073        1.6

* TESTS LOGGED  *** COUNT **** PERCENTAGE ******************************

  2REVDNS               : 169233        34.3
  BADHEADERS            : 311715        63.1
  BADTO                 : 167839        34.0
  BADTO2                : 115170        23.3
  BADTO3                : 111045        22.5
  BASE64                : 46344         9.4
  BLACKLIST             : 23354         4.7
  BLACKLIST2            :  2690         0.5
  DELETEWORDS           : 31476         6.4
  DELETEWORDS2          : 11753         2.4
  FILTERWORDS           : 261118        52.9
  IPBLACKLIST           :  1241         0.3
  MAILFROM              :  9903         2.0
  NOABUSE               : 167559        33.9
  NOPOSTMASTER          : 178892        36.2
  PERCENT               :     7         0.0
  REVDNS                : 169253        34.3
  ROUTING               : 168876        34.2
  SPAMCOP               : 360729        73.0
  SPAMHEADERS           : 36439         7.4
  WHITELST              :  4122         0.8

**************************************************************************

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
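
The reflection described in the post relies on mail for nonexistent recipients being accepted first and bounced afterwards. As an added example (not part of the original message, and not Declude or Exchange code), this Python model compares that behaviour with refusing unknown recipients during the SMTP dialogue; the mailbox list, addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: the mailbox list and every address below are made up.
VALID_USERS = {"alice@example.com", "bob@example.com"}
ENVELOPES = [  # (MAIL FROM, RCPT TO)
    ("victim1@spoofed.example", "qwxz@example.com"),     # bogus user, forged sender
    ("victim2@spoofed.example", "sales99@example.com"),  # bogus user, forged sender
    ("carol@partner.example", "alice@example.com"),      # legitimate mail
    ("", "nobody@example.com"),                          # null sender <>, bogus user
    ("dave@partner.example", "Bob@Example.com"),         # legitimate, mixed case
]

@dataclass
class Result:
    reply: str                # SMTP reply returned to the connecting host
    bounce_to: Optional[str]  # where this system would later send an NDR

def accept_then_bounce(mail_from, rcpt_to):
    """Every RCPT is accepted; the missing mailbox is discovered later and a
    non-delivery report (NDR) is generated to the envelope sender."""
    if rcpt_to.lower() in VALID_USERS:
        return Result("250 OK", None)
    # No NDR is sent for a null sender; otherwise it goes to the forged address.
    return Result("250 OK", mail_from or None)

def reject_at_rcpt(mail_from, rcpt_to):
    """The recipient is checked while the sending host is still connected,
    so this system never takes responsibility for the message or its bounce."""
    if rcpt_to.lower() in VALID_USERS:
        return Result("250 OK", None)
    return Result("550 5.1.1 User unknown", None)

def run(policy, envelopes=ENVELOPES):
    """Return (messages accepted, NDR destinations) for one policy."""
    results = [policy(sender, rcpt) for sender, rcpt in envelopes]
    accepted = sum(r.reply.startswith("250") for r in results)
    bounces = [r.bounce_to for r in results if r.bounce_to]
    return accepted, bounces

if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        accepted, bounces = run(policy)
        print(f"{policy.__name__}: accepted={accepted} bounces_sent={bounces}")
```

With recipient checking at RCPT time the gateway needs a current list of valid internal addresses, which is the assumption this model makes with `VALID_USERS`.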
