On 31 Aug 2007, at 13:44, Chris Edwards wrote:

> Do you find the same zombie IPs re-connecting sufficiently often to
> make this worthwhile? Or is there an effectively infinite pool of
> zombies, each only connecting once?
In this particular case, they were - in fact they were even opening multiple simultaneous connections (until I dropped smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re-connecting quite aggressively each time a connection was timed out. This, from numerous (dozens, certainly) different IP addresses to multiple mail servers on our side.

After I made those changes, the number of concurrent connections began to drop down from being nailed up to the limit as it had been since the attack started, allowing legitimate emails to get through.

That said, it does seem a rather ineffective way to send spam - very few of the connections got as far as even attempting to send a message, certainly no more than one or two per hour, per attacking IP. Hopefully they'll stop using that particular code when it proves to be unprofitable (although I can assure you that I'd prefer a much worse fate for the spammers than mere lack of profit...)

mrj
--
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201
e: [EMAIL PROTECTED] w: www.ci-net.com

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
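The pattern described in the message above (hosts that reconnect after every timeout, hit the per-host limit, and almost never deliver a message) can be picked out of a mail log with a per-IP tally. This is an added example, not code from the post or from the Exim project; the log lines are constructed and their wording is an assumption about what an Exim main log with SMTP connection logging enabled looks like, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed style of an Exim main log.
SAMPLE_LOG = """\
2007-08-31 13:40:01 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
2007-08-31 13:40:02 SMTP connection from [192.0.2.10] (TCP/IP connection count = 2)
2007-08-31 13:40:03 Connection from [192.0.2.10] refused: too many connections from that IP address
2007-08-31 13:45:01 SMTP command timeout on connection from [192.0.2.10]
2007-08-31 13:45:02 SMTP connection from [192.0.2.10] (TCP/IP connection count = 2)
2007-08-31 13:45:03 SMTP command timeout on connection from [192.0.2.10]
2007-08-31 13:46:00 SMTP connection from mail.example.net [198.51.100.7] (TCP/IP connection count = 2)
2007-08-31 13:46:01 1IR5xY-0001Ab-2C <= alice@example.net H=mail.example.net [198.51.100.7] P=esmtp S=2048
2007-08-31 13:46:02 SMTP connection from mail.example.net [198.51.100.7] closed by QUIT
"""

# One pattern per event type; group 1 is always the remote IP address.
PATTERNS = {
    "connects": re.compile(r"SMTP connection from [^\[]*\[([^\]]+)\].*connection count"),
    "refused": re.compile(r"Connection from \[([^\]]+)\].*refused: too many connections"),
    "timeouts": re.compile(r"SMTP command timeout on connection from [^\[]*\[([^\]]+)\]"),
    "messages": re.compile(r" <= .* H=[^\[]*\[([^\]]+)\]"),
}

def tally(log_text):
    """Count accepted connections, refusals, timeouts and messages per IP."""
    stats = defaultdict(lambda: dict.fromkeys(PATTERNS, 0))
    for line in log_text.splitlines():
        for field, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                stats[match.group(1)][field] += 1
                break
    return dict(stats)

def suspects(stats, min_attempts=3, max_msgs_per_attempt=0.1):
    """IPs that connect often but rarely get as far as sending a message."""
    flagged = []
    for ip, s in stats.items():
        attempts = s["connects"] + s["refused"]
        if attempts >= min_attempts and s["messages"] / attempts <= max_msgs_per_attempt:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspects(tally(SAMPLE_LOG)))
```

Hosts with a high refusal count are the ones already being held back by the per-host limit; a high timeout count with no messages marks connections that only occupy slots.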
