At a midwestern ISP I help out.
The level of (totally ineffective) abuse is mesmerizing.
I should pay this ISP for letting me watch!! :))
Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100        5897       2750          8         10      10008
    0100-0200        5708       2008          3          8       7863
    0200-0300        6008       1740          7          9      11711
    0300-0400        5667       1785          5         11       9545
    0400-0500        5398       1827          9          9       9146
    0500-0600        7623       1625         12         12      11777
!!!!0600-0700       18374       1684          8          8      52111<<<
    0700-0800        5389       2153          9         10      11149
    0800-0900        6367       3070          6         14      10995
    0900-1000        6141       3726         14         12      10307
    1000-1100       10112       3841          9         21      24612
    1100-1200       11486       3918         16         19      28264
    1200-1300        1121        549          0          4       2044
    1300-1400           0          0          0          0          0
52k rejects/hour is one reject every 70 milliseconds! :))
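As an added example (not from Len's post), here is a small Python parser for pflogsumm's per-hour table, fed the first nine hours above, that computes the per-reject interval Len quotes and flags hours whose reject count is far above the median hour; the 3x factor is an assumed threshold, not anything from the post.

```python
import re
import statistics

# The first nine hours of the post's per-hour table, re-typed in
# pflogsumm's layout (received, delivered, deferred, bounced, rejected).
PFLOGSUMM_HOURLY = """\
Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100        5897       2750          8         10      10008
    0100-0200        5708       2008          3          8       7863
    0200-0300        6008       1740          7          9      11711
    0300-0400        5667       1785          5         11       9545
    0400-0500        5398       1827          9          9       9146
    0500-0600        7623       1625         12         12      11777
    0600-0700       18374       1684          8          8      52111
    0700-0800        5389       2153          9         10      11149
    0800-0900        6367       3070          6         14      10995
"""

ROW = re.compile(r"^\s*(\d{4}-\d{4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COLUMNS = ("received", "delivered", "deferred", "bounced", "rejected")

def parse_per_hour(text):
    """One dict per hour row; the title, header, ruler and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = {"hour": m.group(1)}
            row.update(zip(COLUMNS, map(int, m.groups()[1:])))
            rows.append(row)
    return rows

def ms_per_reject(rejected):
    """Average gap between rejects within one hour, in milliseconds."""
    return 3_600_000 / rejected

def reject_spikes(rows, factor=3.0):
    """Hours whose reject count exceeds `factor` times the median hour (assumed
    threshold). The median barely moves when one hour bursts, so the burst
    does not become its own baseline the way it would with a mean."""
    baseline = statistics.median(r["rejected"] for r in rows)
    return [r["hour"] for r in rows if r["rejected"] > factor * baseline]

if __name__ == "__main__":
    hours = parse_per_hour(PFLOGSUMM_HOURLY)
    for h in reject_spikes(hours):
        row = next(r for r in hours if r["hour"] == h)
        print(f"{h}: {row['rejected']} rejects, one every {ms_per_reject(row['rejected']):.0f} ms")
```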
And, his new check_recipient_maps at the top of the restrictions list is
working like a champ, from pflogsumm:
User unknown in relay recipient table
8570 dsl-verizon.net
6532 rr.com
6013 telesp.net.br
5180 ameritech.net
4361 rima-tde.net
3545 pacbell.net
3249 att.net
2981 rcn.com
2605 virtua.com.br
2197 ntl.com
2176 veloxzone.com.br
1966 61.242.173.234
1822 211.32.167.204
1643 prodigy.net.mx
1507 alestra.net.mx
1389 jmoritausa.com
1375 covad.net
1347 brasiltelecom.net.br
1196 brdterra.com.br
1174 telepar.net.br
1169 nombres.ttd.es
1076 gte.net
1072 148.243.212.195
1035 209.11.57.103
906 comcast.net
879 btopenworld.com
813 200.37.60.6
805 swbell.net
772 bigpond.net.au
727 210.212.193.199
726 200.55.14.51
714 charter.com
698 bellnexxia.net
etc., etc. for hundreds of lines.
spam-stats:
1 ACL mta_clients_onedict
1 SMTP Exceeded Hard Error Limit after MAIL
1 ACL from_senders_clueless
3 ACL mta_clients_pipel (pipelining)
5 SMTP invalid [EMAIL PROTECTED]
6 ETRN Mail theft attempt
15 SMTP invalid [EMAIL PROTECTED]
20 ACL mta_clients_relay
23 ACL helo_hostnames
35 ACL body checks
57 ACL to_recipients_dead
72 ACL mta_clients_senders_regexp
145 ACL from_senders_nxdomain
169 ACL mta_clients_bogus
216 SMTP unauthorized pipelining
289 ACL header checks
389 ACL mta_clients_slet
393 ACL from_senders_black
454 ACL unauthorized relay
523 RBL rbl-plus.mail-abuse.org
619 SMTP sender address verification in progress
644 ACL mta_clients_blaksender
746 SMTP Exceeded Hard Error Limit after DATA
803 ACL from_senders_regexp
1049 DNS timeout for MTA PTR hostname (forged @sender.domain)
1514 SMTP sender address undeliverable
2874 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
3035 ACL from_senders_slet
3082 DNS no A/MX for @sender.domain
3159 ACL mta_clients_bw
4338 ACL mta_clients_dead
4960 ACL from_senders_black_regexp
6125 SMTP Exceeded Hard Error Limit after RCPT
11791 SMTP sender address unverifiable
164049 ACL to_relay_recipients unknown recipient
===================================================
211605 TOTAL
And while his SMTPD processes are high:
mx1# ps aux | grep smtpd | wc -l
65
... his 850 MHz, 1 x ATA66 disk system is hardly breaking a sweat:
# uptime
12:22PM up 34 days, 21:51, 3 users, load averages: 0.01, 0.17, 0.36
For real belly laughs, try that on your evil Imail nobody@ domains or
content-scanning "solutions".
Does anybody need further convincing that the new check_recipient_maps is
worth its weight in gold, or that nobody aliases are really bad ideas?
Or that mailbox-server-resident content-scanners (as primary defense) are
actually "vulnerabilities"?
At 12:30 today, his maillog is 635K lines and 103 MBytes.
Is this kind of attack typical? No
Can it happen to you? Yes
Len