>Sunday was slow, only a 7Mb log file for the mail server, but we have had
>12-15Mb log files. Looking at the files it looks like someone is
>deliberately harassing us. They send a block of names from random
>addresses, sites, etc ALL DAY LONG.

Mail bombs and DoS's from random addresses are a bitch to stop.

>What can I do? I can not see a pattern so I can't block addresses at the
>router, I see a partial pattern in some of the names they use. I need
>someone's help to analyze the logs and see what I am missing. I'd really
>like to nail the bastard responsible.
>
>Anyone have some free time to look at multi-megabyte logs, and give me
>some advice ?

"It's too late now" (isn't that a song?) but if you had IMGate out there,
up front duking it out with this sh@t, you could turn on full DNS validation
(reversing the bullsh@t ip's of the sending MTA, finding no A or MX records
for the "MAIL FROM: [EMAIL PROTECTED]", finding no A or MX records for
the "ehlo/helo hostname", rejecting non-FQHN for ehlo/helo and
@senderdomain) and MAPS lookups, it would mostly get rejected by IMGate
(which doesn't also have to do POP3/IMAP4, SMTP AUTH, and Web messaging
activities like Imail does) and Imail would never see it, and that would
take all that burden off your Imail server so your users could do their
mail work.
But since you don't have it (yet, vbg), all you can do is hope they stop
soon. Keep watching to see if you can block some ip's at the gateway router.
You might temporarily turn on Imail rejects from null senders, but at the
Imail level, there's not much to be done. Upstream from Imail is where to
dig in your heels, if you can.
Len
http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 installable binary for NT4
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways
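
The gateway checks listed in the reply above (reverse DNS on the sending MTA, A/MX existence and FQDN form for the HELO name and the MAIL FROM domain, a blocklist lookup, and the optional null-sender reject), as an added example that is not part of the original message and is not IMGate's own code or configuration. `ZONE`, `lookup`, `check_session` and the `dnsbl.example` zone are hypothetical names, and the DNS records are constructed so the block runs offline.

```python
# Constructed DNS data standing in for a live resolver (runs offline).
ZONE = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("99.113.0.203.in-addr.arpa", "PTR"): ["host99.example.net"],
    ("99.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],  # blocklisted IP
}

def lookup(name, rtype):
    """Hypothetical resolver shim: list of records, empty if none."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        l and l.replace("-", "").isalnum() for l in labels)

def has_a_or_mx(name):
    return bool(lookup(name, "A") or lookup(name, "MX"))

def reverse_name(ipv4, zone):
    # 192.0.2.10 -> 10.2.0.192.<zone>, used for both PTR and DNSBL queries
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def check_session(client_ip, helo, mail_from,
                  dnsbl="dnsbl.example", reject_null_sender=False):
    """Apply the gateway checks in SMTP order; return (verdict, reason)."""
    # Connection stage: reverse DNS and blocklist lookup on the sending MTA.
    if not lookup(reverse_name(client_ip, "in-addr.arpa"), "PTR"):
        return "REJECT", "client IP has no PTR record"
    if lookup(reverse_name(client_ip, dnsbl), "A"):
        return "REJECT", "client IP is listed in " + dnsbl
    # HELO/EHLO stage: must be fully qualified and must exist in DNS.
    if not is_fqdn(helo):
        return "REJECT", "HELO name is not fully qualified"
    if not has_a_or_mx(helo):
        return "REJECT", "HELO name has no A or MX record"
    # MAIL FROM stage: "" is the null sender used by bounces.
    if mail_from == "":
        if reject_null_sender:
            return "REJECT", "null sender refused"
        return "OK", "null sender"
    domain = mail_from.rpartition("@")[2]
    if "@" not in mail_from or not is_fqdn(domain):
        return "REJECT", "sender domain is not fully qualified"
    if not has_a_or_mx(domain):
        return "REJECT", "sender domain has no A or MX record"
    return "OK", "passed all checks"
```

Because every check runs before DATA, a rejected session costs the gateway a few DNS queries and the mail server behind it nothing.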