RE: [Declude.JunkMail] Spam Spike

2006-09-20 Thread Dave Beckstrom
I run Blackice Server on the mail server.  It drops the connecting IP if we
receive more than a user specified number of attempts for non-existent email
addresses within a user specified time limit.  It then blocks that IP for a
user specified amount of time before removing the block.

It prevents email address harvesting from our server.

Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in
a folder for every blocked IP.  Over time, I can see patterns and
permanently block those IP ranges in my firewall if I so desire.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris
Anton
 Sent: Tuesday, September 19, 2006 1:02 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] Spam Spike
 
 Darrell, We are averaging 40 to 50% on the processor.  I was just
 surprised because in 3 years we haven't seen a spike this large.  Most of
 them are dictionary style.  But since they aren't from the same IP, I don't
 think the imail 2006 dictionary feature would help us. Thoughts?
 
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.





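Dave's per-IP counter above (and the SMTP-level blocking chris recommends further down the thread) amounts to a sliding-window rate limiter with a timed block. The following is an added example, not Black Ice Server's code or anything posted to the list: it assumes a constructed generic log line format (date, time, client IP, RCPT TO address, SMTP reply code), and the class, function names and thresholds are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not IMail's real format); IPs are documentation-range placeholders.
SAMPLE_LOG = """\
2006-09-20 12:00:00 198.51.100.9 RCPT TO:<bob@example.net> 550 unknown user
2006-09-20 12:17:01 203.0.113.5 RCPT TO:<aaron@example.net> 550 unknown user
2006-09-20 12:17:02 203.0.113.5 RCPT TO:<sales@example.net> 250 ok
2006-09-20 12:17:02 203.0.113.5 RCPT TO:<abby@example.net> 550 unknown user
2006-09-20 12:17:03 203.0.113.5 RCPT TO:<adam@example.net> 550 unknown user
2006-09-20 12:17:04 203.0.113.5 RCPT TO:<alan@example.net> 550 unknown user
2006-09-20 12:25:00 198.51.100.9 RCPT TO:<bill@example.net> 550 unknown user
2006-09-20 13:40:00 203.0.113.5 RCPT TO:<amy@example.net> 550 unknown user
2006-09-20 13:40:01 203.0.113.5 RCPT TO:<ann@example.net> 550 unknown user
2006-09-20 13:40:02 203.0.113.5 RCPT TO:<art@example.net> 550 unknown user
"""


class HarvestBlocker:
    """Sliding-window count of unknown-user RCPTs per IP, with a timed block."""
    def __init__(self, max_attempts, window, block_for):
        self.max_attempts, self.window, self.block_for = max_attempts, window, block_for
        self.attempts = defaultdict(deque)  # ip -> timestamps of 5xx RCPTs in window
        self.blocked_until = {}             # ip -> when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)    # absent or expired: block is lifted
        return False

    def record(self, ip, now, unknown_user):
        """Register one RCPT result; return True if it triggers a new block."""
        if not unknown_user:
            return False
        q = self.attempts[ip]
        q.append(now)
        while now - q[0] > self.window:     # forget attempts older than the window
            q.popleft()
        if len(q) < self.max_attempts:
            return False
        self.blocked_until[ip] = now + self.block_for
        q.clear()
        return True


def process_log(text, blocker):
    """Replay log lines; return blocks issued and lines refused while blocked."""
    blocks, dropped = [], 0
    for line in text.splitlines():
        date, time_, ip, _, _, code = line.split()[:6]
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        if blocker.is_blocked(ip, ts):      # a blocked IP is refused at connect time
            dropped += 1
        elif blocker.record(ip, ts, code.startswith("5")):
            blocks.append((ip, ts))
    return {"blocks": blocks, "dropped": dropped}


def run_sample():
    # Three unknown users within 10 minutes earn a one-hour block.
    return process_log(SAMPLE_LOG, HarvestBlocker(3, timedelta(minutes=10), timedelta(hours=1)))
```

On the sample, the first host is blocked after its third unknown recipient, has a later attempt refused while blocked, and is blocked again after the hour expires; the second host's two misses fall outside the window and never trigger a block.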



Re: [Declude.JunkMail] Spam Spike

2006-09-20 Thread Glenn \\ WCNet
A large spike hit here Monday.  Spool processing lagged about 1.5 hours,
then got worse late in the night to over 9,000 files in spool and a 5-hr
delay.  Had to stop SMTP and clear the spool.

I've noticed numerous D/T pairs that appear in \spool and hang there for a
long time (10-15 mins), locked while SMTP is running.  Right now it's 2:15
PM and there's a locked 1K T/D pair time-stamped 1:57 PM.  Toggling SMTP
leaves them as orphans.  A typical D is 1 KB in size and contains something
like this

 Received: from acce.org [82.250.149.205] by wcnet.net
   (SMTPD32-7.15) id A7977430256; Wed, 20 Sep 2006 12:17:11 -0500

The T is

 QD:\IMAIL\spool\D7797074302566850.SMD
 Hwcnet.net
 WD:\IMAIL
 E0,
 S[EMAIL PROTECTED]
 NRCPT TO:[EMAIL PROTECTED]

The NRCPT TO is a valid hosted mail domain but not a valid user.  A few may
be to one or more valid users, and a few may have message content in the D
whether the user is valid or not.  Is this a dictionary probe?  What can be
done to defend against it?

G.Z.






RE: [Declude.JunkMail] Spam Spike

2006-09-20 Thread chris
These harvesting attacks need to be blocked at the SMTP level; do not
continue to let your server deplete its resources on this bogus mail.  If
your server doesn't support SMTP blocking, a user on the list recently
mentioned that he runs Black Ice Server... try that.

 
chris
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \
WCNet
Sent: Wednesday, September 20, 2006 3:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike




Re: [Declude.JunkMail] Spam Spike

2006-09-20 Thread Glenn \\ WCNet
How tricky is it to configure this?  Current price I find is $300.

G.Z.


- Original Message - 
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 1:08 PM
Subject: RE: [Declude.JunkMail] Spam Spike





RE: [Declude.JunkMail] Spam Spike

2006-09-20 Thread Craig Edmonds
I just bought it and installed it on one of my mail servers and it's pretty
good.

Worth 300 bucks.

Easy install, easy to configure.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \
WCNet
Sent: Wednesday, September 20, 2006 10:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike




Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Darrell \([EMAIL PROTECTED])
Comments inline, 

Darrell 

Chris Anton writes: 


1) Has anyone experienced recent spikes like this? How can I reasonably handle 
this?


Yes, we have very often seen significant swings in spam.  How to handle it is 
a good question.  That typically depends on what the spam campaign is.  We 
have found recipient address validation helps the most.  We then do analysis 
(using DLAnalyzer IP reports) and find the IP addresses who send the most 
spam and block those. 




I have run several analytics and found that these emails are not targeting a 
specific user or specific domain.  Additionally, there are no blocks of IPs that 
are responsible.


Is it spam going to valid users?  Or just your generic dictionary attacks? 




2) What are the realistic limits of Imail / Declude / Message Sniffer (I KNOW 
this is platform specific, just looking for ballpark).
3) What can I do to squeeze out more juice from this server?
Software: IMail 8.22 (because we are still scared of 2006), Declude Virus and 
Junkmail 2.0.6, and Sniffer most recent version
Hardware: Windows Server 2003 box with a 3 ghz XEON, and 1 Gig ram.  


On some of the server I maintain we are doing 150K messages a day on a dual 
xeon 2.6ghz.  With no issues (invURIBL, Sniffer). 

What is your current CPU usage like? 

Darrell 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.






RE: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Craig Edmonds
 
Hi Chris,

You should also consider using declude hijack even though that only catches
spammers using the smtp server. It only takes 1 idiot client to make the
password easy to guess and bang, spammer sits and uses your server without
you really knowing until you get blacklisted. 

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, September 19, 2006 7:36 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike




Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Chris Anton
Darrell, We are averaging 40 to 50% on the processor.  I was just surprised 
because in 3 years we haven't seen a spike this large.  Most of them are 
dictionary style.  But since they aren't from the same IP, I don't think the 
imail 2006 dictionary feature would help us. Thoughts?





Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Scott Fisher

I saw about 25% more spam yesterday than last Monday (9-11).

- Original Message - 
From: Chris Anton [EMAIL PROTECTED]

To: declude.junkmail@declude.com
Sent: Tuesday, September 19, 2006 11:31 AM
Subject: [Declude.JunkMail] Spam Spike



Hi All,
We have recently gone from processing 30,000 emails daily to 85,000 daily. 
75,000 are getting caught by Declude & Message Sniffer (I love this 
combo). There are a total of 300,000 attempted RCPT TOs daily.


1) Has anyone experienced recent spikes like this? How can I reasonably 
handle this?


I have run several analytics and found that these emails are not targeting 
a specific user or specific domain.  Additionally, there are no blocks of 
IPs that are responsible.


2) What are the realistic limits of Imail / Declude / Message Sniffer (I 
KNOW this is platform specific, just looking for ballpark).


3) What can I do to squeeze out more juice from this server?

Software: IMail 8.22 (because we are still scared of 2006), Declude Virus 
and Junkmail 2.0.6, and Sniffer most recent version

Hardware: Windows Server 2003 box with a 3 ghz XEON, and 1 Gig ram.

Thanks for the help! -Chris



--
Best Regards,

Chris Anton
Web Solutions, Inc.
Tel: 203-235- x25
[EMAIL PROTECTED]
www.websolutions.net
--





RE: [Declude.JunkMail] Spam Spike

2006-09-19 Thread IS - Systems Eng. \(Karl Drugge\)
Getting pelted here... Mostly from cinci.rr.com...

Karl Drugge
 
 
 
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Fisher
Sent: Tuesday, September 19, 2006 2:29 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike




Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Darrell \([EMAIL PROTECTED])
Chris, 

Are the bulk of your users local to the server or gatewayed? 


Darrell
---
invURIBL - Stop spam at its source..  SURBL/URIBL integration with Declude.
http://www.invariantsystems.com 




Re: [Declude.JunkMail] Spam Spike

2006-09-19 Thread Chris Anton
Hi Darrell, 80% of our users are local, 10% are Gatewayed, 10% are remote. The 
85,000 daily are inbound. -Chris

