David,

Wow, it's hard to say what it could be, without taking an extensive inventory of your mail and router log files. It could be some sort of hacker/spammer activity. Perhaps someone was running an open relay through your box and you unknowingly shut them down somehow. Hard to say.

Either way, I would try to start looking for any similarities in the spam that you are receiving, especially in regards to the originating IP address. You may be able to do enough blocking to bring your traffic back to normal. Putting an IMGATE box in front of IMail would work even better.

I certainly recommend some type of antispam filtering, even on the postmaster address. You may be able to set the threshold higher for the postmaster address than for other users, but I wouldn't let EVERYTHING through. Just IMHO though.

William Van Hefner
Network Administrator
Vantek Communications, Inc.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> David Delbridge
> Sent: Tuesday, March 08, 2005 3:38 PM
> To: [email protected]
> Subject: Re: [IMail Forum] Spam to Root/Postmaster
>
> Good question, William.
>
> It's either an "attack" or a big coincidence. Five weeks ago, we were
> hit by multiple worms/viruses (thanks to a momentary firewall config
> error) which devastated us. The spam problem became apparent as we put
> out the other fires. While most of the mess has been cleaned up, this
> mail server continues to logjam every couple of days. This never
> happened before. Coincidence? Maybe.
>
> Of course, I'm so shell-shocked from the whole incident that EVERY
> anomaly is an "attack" anymore. Shoot first....
>
> Of course, maybe the fixes created new problems. For a brief (and
> hectic) time, we had competing virus scanners on the mail server. It
> soon became apparent that the "live" scanner was quarantining mail while
> IMail/Declude/F-Prot was still processing it. Perhaps, by the time I
> had removed the second scanner, it had "broken" something in IMail?
> I've been deleting orphaned files, etc., for weeks. No change. I can't
> imagine what might be askew.
>
> Dave
>
> William Van Hefner wrote:
>
> > David,
> >
> > What leads you to believe that this is a spam "attack", and not just
> > your everyday spam? Are all of the spams coming from a specific IP
> > range, or share any characteristics in common? If so, I would work on
> > a filter that blocks mail based on that criteria. It seems odd that a
> > spammer would just arbitrarily decide to pick on your server like
> > that. I would start looking in the actual router logs for suspicious
> > activity on your network.
> >
> > William Van Hefner
> > Network Administrator
> > Vantek Communications, Inc.
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of
> >>David Delbridge
> >>Sent: Tuesday, March 08, 2005 10:22 AM
> >>To: [email protected]
> >>Subject: Re: [IMail Forum] Spam to Root/Postmaster
> >>
> >>We already employ an anti-spam solution (Declude) but do not impose it
> >>on our clients. It is optional, for their convenience and to protect us
> >>from liability.
> >>
> >>Then again, if our customers aren't checking the root accounts, I might
> >>as well set up Declude to filter those boxes. But then again, they'll
> >>eventually fill up anyways. After all, these are high-volume spam
> >>"ATTACKS." The root accounts are receiving thousands of messages per day.
> >>
> >>Dave
> >>
> >>mail-lists wrote:
> >>
> >>> Maybe get an anti spam solution?
> >>>
> >>>Cavell McDermott
> >>>Network Administrator
> >>>Cottonwood Financial
> >>>972.753.0822 Office
> >>>214.403.4918 Cell
> >>>http://www.thecashstore.com
> >>>
> >>>-----Original Message-----
> >>>From: [EMAIL PROTECTED]
> >>>[mailto:[EMAIL PROTECTED] On Behalf Of David
> >>>Delbridge
> >>>Sent: Monday, March 07, 2005 9:54 PM
> >>>To: [email protected]
> >>>Subject: [IMail Forum] Spam to Root/Postmaster
> >>>
> >>>Hi all,
> >>>
> >>>I host a few hundred e-mail domains and my default "root" and
> >>>"postmaster" accounts are suddenly being attacked by spammers, to the
> >>>point that a recurring DoS situation occurs. [The root mailboxes fill
> >>>up and the mail server then bogs down with "mailbox full" GSE replies to
> >>>non-existent spam senders.]
> >>>
> >>>Should I:
> >>>
> >>> - Forward postmaster and root mail for all domains to my "master"
> >>>postmaster account? [That's gonna be a LOT of junk mail for me to
> >>>personally wade through. We're talkin' tens of thousands of messages
> >>>per day.]
> >>>
> >>> - Delete the unused root and postmaster accounts? [After all, they're
> >>>all disabled by default. And this would allow our clients to set up
> >>>their own postmaster forwarder to a working mail address, should they
> >>>want to receive mail server alerts.]
> >>>
> >>> - Rename the root and postmaster accounts?
> >>>
> >>> - Other options?
> >>>
> >>>Any advice is greatly appreciated.
> >>>
> >>>Dave
> >>>
> >>
> >>--
> >>
> >>David M. Delbridge
> >>Circa 3000
> >>ColdFusion Hosting
> >>http://www.circa3k.com
> >>866-CIRCA3K (247-2235)
> >>Outside U.S: +1.775-832-2445
> >>
> >>To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> >>List Archive:
> >>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >>Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> >>
>
> --
>
> David M. Delbridge
> Circa 3000
> ColdFusion Hosting
> http://www.circa3k.com
> 866-CIRCA3K (247-2235)
> Outside U.S: +1.775-832-2445
