SAV probes are little less than content free spam. I have firewall rules for offenders who don't cache their SAV results for a reasonable amount of time.
We get hammered by these non-stop. We don't have rules targeting them specifically, but the badly-behaved ones dig their own virtual graves.
You see, we limit the number of concurrent connections a host can make to our mail server. Once they use up all their alloted connections on our primary MX, instead of doing something sensible, like noticing that they're trying to open a zillion simultaneous connections to the same server (all to verify the same forged address), they just drop to the next MX, use up those connections and drop to the next....
Eventually they get down to our ultra-low priority decoy MX that we set up to attract spammers, and they land in our tar pit.
-- Kelson Vibber SpeedGate Communications <www.speed.net> _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
