>>>>> "W" == W B Hacker <[EMAIL PROTECTED]> writes:
>> That 99.99% peak figure was reached here during a period of a few
>> hours during which we received more than _10 million_ connection
>> attempts caused by blowback of all forms, at a domain used only by
>> a handful of staff which normally gets a few thousand per day.

W> Am I misreading something, or did you just indicate that a
W> (hopefully rare!) defect in one of your *own* hosting servers
W> cause *your own* MX the grief?

Where on earth did you get that idea? The scenario is this:

1) Some spammer (not anywhere near our network) sends out hundreds of
   millions of spams using random forged addresses at our domain as the
   envelope sender. These are all sent using the usual compromised
   enduser hosts. (I've seen indications that some spammers do this
   routinely, picking a different domain every week or so.)

2) These spams go to millions of mail servers around the world.

3) A large fraction of those servers then immediately try and connect
   to _our_ MX in order to do one of three things:

   a) send a bounce (everyone agrees this is bad)
   b) send a challenge
   c) do a sender verify callout

   All of those things look the same to us.
   (HELO whatever; MAIL FROM:<>; RCPT TO:<[EMAIL PROTECTED]>)

Result: we end up receiving 300+ SMTP connections per sec, from millions
of different IPs all of which are actually mailservers. Blocking by IP is
no help (something like 50% of the traffic last time was from IPs that
made only _one_ connection during the extent of the attack). There is
nothing else to block on since the connections are not otherwise
distinguishable from real traffic.

-- 
Andrew, Supernews
http://www.supernews.com

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
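The post describes blowback traffic that is indistinguishable at the SMTP level (null sender, RCPT to a local part that was never issued) and argues that blocking by source IP cannot help because most sources connect only once. The following Python script is an added illustration, not code from the thread or from Exim: it applies that description as a triage heuristic over a handful of constructed per-connection records and measures how much of the suspect traffic an IP blocklist would actually have stopped. The domain `example.net`, the set of valid staff mailboxes, and the session records are all assumptions made for the example.

```python
"""Backscatter triage over per-connection SMTP records (added example).

Each record is (source_ip, envelope_sender, envelope_recipient), the three
things the post says are visible when a remote MX connects to deliver a
bounce, a challenge, or a sender-verify callout.  The heuristic cannot
tell those three apart (the post's point), but it can separate null-sender
traffic aimed at non-existent local parts from ordinary mail, and show how
little an IP blocklist buys when most sources connect exactly once.
"""
from collections import Counter

OUR_DOMAIN = "example.net"                  # assumed domain (placeholder)
VALID_LOCALPARTS = {"andrew", "postmaster", "abuse"}   # assumed staff mailboxes

# Constructed sample sessions, not captured traffic.
SESSIONS = [
    ("192.0.2.10",   "",                   "q7x2k9@example.net"),
    ("192.0.2.11",   "<>",                 "m4p1z@example.net"),
    ("192.0.2.12",   "",                   "postmaster@example.net"),  # legit DSN possible
    ("198.51.100.5", "alice@example.org",  "andrew@example.net"),      # normal mail
    ("192.0.2.13",   "",                   "b88aa@example.net"),
    ("192.0.2.10",   "",                   "zz01@example.net"),        # repeat source
    ("203.0.113.7",  "bob@example.com",    "abuse@example.net"),       # normal mail
]


def is_backscatter(mail_from, rcpt_to):
    """True when the transaction matches the post's shape: MAIL FROM:<>
    addressed to a local part at our domain that we never handed out.
    Null-sender mail to a real mailbox is left alone, since a genuine
    delivery status notification looks exactly like that."""
    if mail_from.strip() not in ("", "<>"):
        return False
    local, _, domain = rcpt_to.strip("<>").partition("@")
    if domain.lower() != OUR_DOMAIN:
        return False
    return local.lower() not in VALID_LOCALPARTS


def triage(sessions):
    """Summarise suspect connections and the reach of a reactive IP blocklist.

    'blockable_by_repeat_ip' counts connections that a blocklist populated
    after each source's *first* suspect connection would have stopped, i.e.
    n - 1 per source.  Sources seen once contribute nothing, which is why the
    post says blocking by IP is no help against this traffic.
    """
    suspect = [s for s in sessions if is_backscatter(s[1], s[2])]
    per_ip = Counter(src for src, _, _ in suspect)
    single = sum(1 for n in per_ip.values() if n == 1)
    blockable = sum(n - 1 for n in per_ip.values())
    return {
        "total": len(sessions),
        "suspect": len(suspect),
        "distinct_ips": len(per_ip),
        "single_connection_ips": single,
        "single_ip_share": (single / len(per_ip)) if per_ip else 0.0,
        "blockable_by_repeat_ip": blockable,
    }


if __name__ == "__main__":
    for key, value in triage(SESSIONS).items():
        print(f"{key:>24}: {value}")
```

On the constructed data, four of seven connections are suspect, they come from three distinct sources, two of those sources connect only once, and a reactive IP blocklist would have stopped a single connection. Rejecting the unknown recipient at RCPT time, which the heuristic already decides, is the cheap per-connection answer the post leaves open; it does not reduce the connection rate, which is the cost the post is describing.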
