>Why couldn't one just ACL the offending IPs at the border router? Are the
>attacks from various ISPs?
Yes, here's the Top 30, mostly DSL and cable:
Host/Domain Summary: SMTPD Connections (top 30)
connections  time conn.  avg./conn.  max. time  host/domain
-----------  ----------  ----------  ---------  -----------
      12654    32:00:06          9s       247s  attbi.com
       9489    28:10:58         11s       299s  comcast.net
       6674    64:16:48         35s       117s  rima-tde.net
       6359    42:38:47         24s        58s  213.33.101.19
       6059     9:26:54          6s       267s  hinet.net
       5290    18:56:23         13s        64s  210.78.144.4
       4752    26:00:32         20s        98s  210.222.6.93
       4435     2:53:31          2s       119s  xxxxx.net  < domain of IMGate
       4128    18:41:31         16s       103s  t-dialin.net
       4038     9:04:34          8s       426s  rr.com
       3526    11:34:43         12s       251s  61.159.235.36
       3282    21:11:20         23s       263s  prodigy.net.mx
       2968     4:43:52          6s        33s  200.222.209.196
       2846     3:57:32          5s       116s  yahoo.com
       2822     4:07:52          5s       265s  211.162.0.131
       2719    11:00:58         15s       271s  dsl-verizon.net
       2683     8:38:17         12s       102s  btopenworld.com
       2658     4:16:13          6s        45s  200.141.76.227
       2547    18:32:35         26s       269s  telesp.net.br
       2277    14:51:26         23s       265s  adelphia.net
       2183     3:52:11          6s        88s  swbell.net
       2157    10:59:42         18s       255s  ocn.ne.jp
       2129    10:37:08         18s        97s  bbtec.net
       2107    12:29:25         21s       265s  hkcable.com.hk
       2004    12:20:10         22s       136s  012.net.il
       1998     6:28:06         12s        89s  charter.com
       1967     9:05:43         17s       257s  blueyonder.co.uk
       1900     6:13:03         12s        47s  61.132.89.133
       1888     2:26:22          5s        52s  tpcper.com
       1731     8:55:29         19s       107s  bezeqint.net
and that goes on for 100's of IPs.

You can see here AOL's justification in wanting to block all "dynamic"
subnets, and my reasoning in blocking with mta_clients_dul.regexp:

/(dsl|cable|client|user|pool|docsis|dial|dhcp|dyn|etc).*\..*\./ 554 ACL mta_clients_dul Send your outbound mail through the mail server of your ISP

... to kill 99.99% of the abuse, then whitelist the minuscule qty of IPs of
legit complainers.
This dictionary attack is not the only crap that comes from those
IPs. They are also huge sources of forged sender.domain and every other
type of abuse. Abuse from these networks will only get worse as DSL and
cable, worldwide, becomes more popular.
What's great about IMGate using check_recipient_maps to block unknown
recipients is that IMGate does it with very little load on IMGate, as seen
by the average SMTPD session times, aided by smtpd_hard_error_limit = 2 :
Per-Hour SMTPD Connection Summary
hour       connections  time conn.  avg./conn.  max. time
--------------------------------------------------------------------
0000-0100        35610   109:03:59         11s       272s
0100-0200        21272    46:04:52          8s       281s
0200-0300        38512   127:45:55         12s       268s
0300-0400        19685    35:16:43          6s       272s
0400-0500        21940    50:17:14          8s       586s
0500-0600        29657    93:31:34         11s       285s
0600-0700        17235    26:58:46          6s       293s
0700-0800        21554    44:40:50          7s       259s
0800-0900        19859    43:57:53          8s       272s
0900-1000        18434    36:07:39          7s       257s
1000-1100        21569    38:32:58          6s       453s
1100-1200        35510   124:34:55         13s       260s
1200-1300        26171    63:56:26          9s       265s
1300-1400        33237   116:13:01         13s       275s
1400-1500        17778    22:07:16          4s       260s
1500-1600        19351    31:18:53          6s       369s
1600-1700        39735   148:01:25         13s       269s
1700-1800        38355   148:30:27         14s       479s
1800-1900        28918    77:14:58         10s       271s
1900-2000        23543    39:26:38          6s       274s
2000-2100        19042    34:36:49          7s       268s
2100-2200        13086    25:55:04          7s       268s
2200-2300        14068    29:33:13          8s       490s
2300-2400        14330    34:11:57          9s       278s
   7804  ACL from_senders_imgfx
  24134  SMTP sender address unverifiable
 198539  SMTP Exceeded Hard Error Limit after RCPT <<<<<<<<<<<<<
 812706  ACL to_relay_recipients unknown recipient
===============================
1090057  TOTAL
Len
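The following is an added example, not code from the post or from IMGate, that simulates the two mechanisms Len describes: the mta_clients_dul regexp with a whitelist consulted ahead of it, and unknown-recipient rejection cut short by smtpd_hard_error_limit = 2. The regexp and its 554 text are the ones quoted above; everything else (the RFC 5737 addresses, the whitelist, the recipient list, the 550 text, the exact moment the session is dropped) is constructed for illustration. Python's re.search with IGNORECASE is used to stand in for Postfix regexp-table semantics, which are unanchored and case-insensitive by default.

```python
import re
import ipaddress

# The DUL pattern and its reject text are the ones quoted in the post. Postfix
# regexp tables are unanchored and case-insensitive by default, which
# re.search with re.IGNORECASE reproduces closely enough for illustration.
DUL_RE = re.compile(r"(dsl|cable|client|user|pool|docsis|dial|dhcp|dyn|etc).*\..*\.",
                    re.IGNORECASE)
DUL_ACTION = ("554 ACL mta_clients_dul Send your outbound mail through the "
              "mail server of your ISP")
UNKNOWN_RCPT = "550 ACL to_relay_recipients unknown recipient"  # constructed wording
HARD_ERROR_LIMIT = 2  # smtpd_hard_error_limit = 2, the value used in the post

# Constructed data for the example (RFC 5737 documentation addresses, made-up
# mailboxes); not from the post or from any real deployment.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]
RELAY_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def client_access(client_ip, client_hostname):
    """Whitelist-before-DUL decision for one client.

    Returns None when the client may proceed, otherwise the reject text.
    The whitelist is consulted first so that a legitimate sender whose
    hostname happens to match the regexp is never caught by it.
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST):
        return None
    if DUL_RE.search(client_hostname):
        return DUL_ACTION
    return None


def run_session(client_ip, client_hostname, recipients):
    """Simulate the RCPT phase of one SMTPD session.

    Every rejected RCPT counts as one error; once the error count reaches
    HARD_ERROR_LIMIT (an assumption about where the cut-off falls) the
    session is dropped without reading further commands, which is what
    keeps the per-session time low against a dictionary attack.
    Returns (accepted, rejected, disconnected).
    """
    accepted, rejected = [], []
    errors = 0
    client_reject = client_access(client_ip, client_hostname)
    for rcpt in recipients:
        if client_reject is not None:
            rejected.append((rcpt, client_reject))
            errors += 1
        elif rcpt.lower() not in RELAY_RECIPIENTS:
            rejected.append((rcpt, UNKNOWN_RCPT))
            errors += 1
        else:
            accepted.append(rcpt)
        if errors >= HARD_ERROR_LIMIT:
            return accepted, rejected, True
    return accepted, rejected, False


if __name__ == "__main__":
    # A dictionary attack from a dynamic pool: every RCPT rejected, cut off after two.
    print(run_session("203.0.113.5", "pool-1-2-3-4.dyn.example.net",
                      ["alice@example.com", "zed@example.com", "zoe@example.com"]))
    # A false positive: "dyn" inside "dynamics" trips the regexp until the IP is whitelisted.
    print(client_access("203.0.113.9", "mx1.dynamics.example.com"))
    print(client_access("192.0.2.10", "mx1.dynamics.example.com"))
```

Two things the simulation makes visible that the tables alone do not: the regexp needs two dots after the keyword, so a bare domain such as dsl-verizon.net does not match while a full PTR name like pool-141-150-1-1.dsl-verizon.net does; and a keyword buried in an ordinary word (mx1.dynamics.example.com) is exactly the kind of legit complainer the whitelist step exists for.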