I have one domain on my server who, for a while, had a "nobody" alias in place, so it would "accept" any email sent to it, regardless of the address. Somehow it has gotten on public "spam lists" - someone generated a ton of bogus addresses "@domain.com" (not the real domain, obviously) and it's obviously being sent around or sold as part of a spam email list. As a result, he was getting almost 10,000 spams a day, most of which were being caught by Declude. However, several times a day we would have idiot spammers who were connecting and attempting to send 20-30 messages a second, which was totally crippling my server.

I had him remove the "nobody" alias, so at least there's no longer the load on the server of Declude trying to spam check and virus check every piece of spam these idiots were sending. However, at least once a day I still have some idiot spammer connecting and crippling my server for half an hour or so, attempting to send 20-30 messages a second.

The IP addresses are always spoofed, so I can't block it that way. They tie up all available inbound SMTP connections, so the SMTP server appears dead to my REAL clients, and any valid mail they should be receiving doesn't get through. As well, it puts both CPUs in the server up to 100% rejecting the mail, slowing the server down for everyone else.

SMTP logs are filled with thousands of entries like this:

20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] RCPT TO: <[EMAIL PROTECTED]>
20030227 091017 127.0.0.1 SMTPD (003A0640) [217.82.173.37] ERR domain.com invalid user <[EMAIL PROTECTED]
20030227 091017 127.0.0.1 SMTPD (000D0584) [217.82.59.117] RCPT TO: <[EMAIL PROTECTED]>
20030227 091017 127.0.0.1 SMTPD (000D0584) [217.82.59.117] ERR domain.com invalid user <[EMAIL PROTECTED]
20030227 091017 127.0.0.1 SMTPD (00280604) [217.82.59.117] RCPT TO: <[EMAIL PROTECTED]>
20030227 091017 127.0.0.1 SMTPD (00280604) [217.82.59.117] ERR domain.com invalid user <[EMAIL PROTECTED]
20030227 091017 127.0.0.1 SMTPD (002D055A) [217.82.173.37] RCPT TO: <[EMAIL PROTECTED]>
20030227 091017 127.0.0.1 SMTPD (002D055A) [217.82.173.37] ERR domain.com invalid user <[EMAIL PROTECTED]
20030227 091017 127.0.0.1 SMTPD (01650418) [217.81.250.86] RCPT TO: <[EMAIL PROTECTED]>
20030227 091017 127.0.0.1 SMTPD (01650418) [217.81.250.86] ERR domain.com invalid user <[EMAIL PROTECTED]


Any ideas what I can do about this? Is there anything I can do?
_______________________
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
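
One way to measure the pattern in the log excerpt above, as an added example that is not part of the original post: a Python script that parses lines in that layout and reports remote addresses whose "invalid user" rejections exceed a threshold within a short window. The field meanings, the thresholds and the sample data (documentation-range addresses, example.test) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout assumed from the log excerpt in the post:
# date time local-ip SMTPD (session-id) [remote-ip] text
LINE = re.compile(r"^(\d{8}) (\d{6}) \S+ SMTPD \(([0-9A-Fa-f]+)\) \[([\d.]+)\] (.*)$")

def parse(line):
    """Return (timestamp, session, remote_ip, text), or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return ts, m.group(3), m.group(4), m.group(5)

def flag_floods(lines, window_s=10, max_rejects=5):
    """Map remote IP -> peak number of 'invalid user' rejections seen inside
    any window_s-second span, for IPs whose peak exceeds max_rejects.
    Lines must be in chronological order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> rejection timestamps still in window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or not (rec[3].startswith("ERR ") and "invalid user" in rec[3]):
            continue
        ts, _session, ip, _text = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= timedelta(seconds=window_s):
            q.popleft()           # drop rejections older than the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_rejects}

def build_sample():
    """Constructed sample in the post's format (not real log data)."""
    out = ["a line in some other format that the parser should skip"]
    for i in range(8):            # one source, 8 rejections within two seconds
        head = f"20030227 0910{17 + i // 4} 127.0.0.1 SMTPD (003A{i:04X}) [192.0.2.10] "
        out.append(head + f"RCPT TO: <user{i}@example.test>")
        out.append(head + f"ERR example.test invalid user <user{i}@example.test>")
    out.append("20030227 091018 127.0.0.1 SMTPD (000D0584) [198.51.100.7] "
               "ERR example.test invalid user <typo@example.test>")
    return out

if __name__ == "__main__":
    for ip, n in flag_floods(build_sample()).items():
        print(f"{ip}: {n} invalid-recipient rejections within 10 s")
```

The flagged addresses can be compared against the server's connection limits or fed to whatever blocking mechanism is available.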
