Mark Rigby-Jones wrote:
> On 31 Aug 2007, at 13:44, Chris Edwards wrote:
>
>> Do you find the same zombie IPs re-connecting sufficiently often to
>> make this worthwhile? Or is there an effectively infinite pool of
>> zombies, each only connecting once?
>>
>
> In this particular case, they were - in fact they were even opening
> multiple simultaneous connections (until I dropped
> smtp_accept_max_per_host from 4 to 1 for off-net hosts) and
> re-connecting quite aggressively each time a connection was timed out.
> This, from numerous (dozens, certainly) different IP addresses to
> multiple mail servers on our side. After I made those changes, the
> number of concurrent connections began to drop down from being nailed
> up to the limit as it had been since the attack started, allowing
> legitimate emails to get through.
>
> That said, it does seem a rather ineffective way to send spam - very
> few of the connections got as far as even attempting to send a
> message, certainly no more than one or two per hour, per attacking
> IP. Hopefully they'll stop using that particular code when it proves
> to be unprofitable (although I can assure you that I'd prefer a much
> worse fate for the spammers than mere lack of profit...)
>
> mrj
>
One thing you can do is create a fake highest numbered MX that always returns DEFER; that will get rid of a lot of bot spam and lower your connection count. Bot spam tends to start at the highest MX and doesn't retry.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
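Whether the same hosts keep re-connecting without ever sending mail, the question raised in the thread, can be checked from the mail log. The following is an added example, not code from the thread or from Exim: the log lines are constructed and assume Exim's main-log layout with connection logging enabled, and the function names and thresholds are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modeled on Exim main-log lines with the
# smtp_connection log selector on; the exact layout is an assumption.
SAMPLE_LOG = """\
2007-08-31 13:40:01 SMTP connection from [192.0.2.10]:4101 (TCP/IP connection count = 1)
2007-08-31 13:40:02 SMTP connection from [192.0.2.10]:4102 (TCP/IP connection count = 2)
2007-08-31 13:40:05 SMTP connection from [192.0.2.11]:2200 (TCP/IP connection count = 3)
2007-08-31 13:40:09 SMTP connection from [198.51.100.7]:5111 (TCP/IP connection count = 4)
2007-08-31 13:40:12 1IR5xy-0001Ab-Cd <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048
2007-08-31 13:45:01 SMTP command timeout on connection from [192.0.2.10]:4101
2007-08-31 13:45:03 SMTP connection from [192.0.2.10]:4177 (TCP/IP connection count = 3)
2007-08-31 13:45:05 SMTP command timeout on connection from [192.0.2.11]:2200
2007-08-31 13:45:06 SMTP connection from [192.0.2.11]:2231 (TCP/IP connection count = 4)
2007-08-31 13:45:30 SMTP connection from [203.0.113.5]:3900 (TCP/IP connection count = 5)
2007-08-31 13:50:06 SMTP connection from [192.0.2.11]:2290 (TCP/IP connection count = 5)
2007-08-31 13:50:07 SMTP connection from [192.0.2.10]:4203 (TCP/IP connection count = 6)
"""

# A new inbound connection, and an accepted message ("<=" arrival line).
CONNECT = re.compile(r"SMTP connection from .*?\[([0-9A-Fa-f.:]+)\].*\(TCP/IP connection count")
ARRIVAL = re.compile(r" <= .*?H=.*?\[([0-9A-Fa-f.:]+)\]")

def summarize(log_text):
    """Return {ip: (connections, messages_accepted)} for every remote host seen."""
    conns, msgs = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            conns[m.group(1)] += 1
            continue
        m = ARRIVAL.search(line)
        if m:
            msgs[m.group(1)] += 1
    return {ip: (conns[ip], msgs[ip]) for ip in set(conns) | set(msgs)}

def repeat_offenders(log_text, min_connections=3, max_msgs_per_conn=0.1):
    """Hosts that reconnect often but rarely get as far as a message."""
    flagged = []
    for ip, (c, m) in summarize(log_text).items():
        # c >= min_connections is tested first, so c is never zero in the division.
        if c >= min_connections and m / c <= max_msgs_per_conn:
            flagged.append((ip, c, m))
    return sorted(flagged, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for ip, c, m in repeat_offenders(SAMPLE_LOG):
        print(f"{ip}: {c} connections, {m} messages")
```

A host that connects once and disappears (203.0.113.5 in the sample) is not flagged, so the output separates the re-connecting pool from one-shot zombies before any per-host limit or block list is tuned.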
