> >maybe he was playing with himself and didn't realize the
> >damage he was doing.
>
>His 83000 emails ran from 3 AM 'till 11 PM.
1.15 msg/sec for 20 hours. I think he should explain that.
> >We have imail security set for relay only local domains.
> >this is dangerous and any brain-dead spammer can spam you.
>
>What is the best way to keep this type of activity from reaching our imail
>log file and server?
If one is serious about anti-abuse, "relay for addresses" and
anti-IP-spoofing at the border router is the first step.
Detection: one needs some kind of "maillog surfer" daemon that
accumulates msgs sent and received per each Imail account.
Reaction:
1. If max "RCPT TO: <recipient@imailhost>" is exceeded per unit of
time, then sound an alarm so the mail admin can look at the "Mail
From:" and see if there is a pattern of repetition from a sender that
can be used to deny sender access either at the router (IP address)
or SMTP level (access denied by mail from or IP address of SMTP
client). Using a router or an upstream MTA defense is best because
it keeps the cr@p and the defense action out of Imail completely.
2. If max "MAIL FROM: <sender@imailhost>" is exceeded per unit of
time, then raise an alarm so the mail admin can perhaps disable the
Imail account and wait for the account holder to call. :))
Len
http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 & 8.2.3 T6B for NT4 & W2K
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways
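
A sketch of the "maillog surfer" idea from the message above, as an added example that is not part of the original post and not an IMail tool. The log line layout (ISO timestamp, client IP, SMTP command), the function names and the thresholds are assumptions; a real IMail log needs its own line parser.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOCAL_DOMAIN = "imailhost"  # placeholder domain used in the message
# Assumed line layout: "<ISO time> <client ip> MAIL FROM:<addr>" (or RCPT TO)
LINE = re.compile(r"^(\S+) (\S+) (MAIL FROM|RCPT TO): ?<([^>]*)>", re.I)

def surf(lines, window=timedelta(seconds=60), max_rcpt=5, max_from=5):
    """Return alerts: (rule, local account, count in window, top (sender, ip))."""
    hits = defaultdict(deque)   # (rule, account) -> events inside the window
    last_from = {}              # client ip -> envelope sender it last announced
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # not a command this sketch tracks
        ts, ip, verb, addr = m.groups()
        when, addr = datetime.fromisoformat(ts), addr.lower()
        if verb.upper() == "MAIL FROM":
            last_from[ip] = addr
            rule, limit, sender = "MAIL FROM", max_from, addr
        else:
            rule, limit, sender = "RCPT TO", max_rcpt, last_from.get(ip, "?")
        if not addr.endswith("@" + LOCAL_DOMAIN):
            continue            # both rules count local accounts only
        q = hits[(rule, addr)]
        q.append((when, sender, ip))
        while when - q[0][0] > window:
            q.popleft()         # slide the window forward
        if len(q) > limit and (rule, addr) not in alerted:
            alerted.add((rule, addr))   # one alarm per account, not one per message
            top = Counter((s, i) for _, s, i in q).most_common(3)
            alerts.append((rule, addr, len(q), top))
    return alerts

def sample_log():
    """Constructed log: a flood at one mailbox, one local account sending fast."""
    base, out = datetime(2000, 1, 1, 3, 0, 0), []
    for i in range(8):
        t = (base + timedelta(seconds=i)).isoformat()
        out += [f"{t} 192.0.2.7 MAIL FROM:<bulk@example.net>",
                f"{t} 192.0.2.7 RCPT TO:<alice@{LOCAL_DOMAIN}>",
                f"{t} 10.0.0.5 MAIL FROM:<bob@{LOCAL_DOMAIN}>",
                f"{t} 10.0.0.5 RCPT TO:<someone@example.org>"]
    return out

if __name__ == "__main__":
    for alert in surf(sample_log()):
        print(alert)
```

The RCPT TO alert carries the most frequent (sender, client IP) pairs, which is the pattern the admin would use for a router or SMTP-level deny; the MAIL FROM alert names the local account to review.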