Not so much a question about JAMES but a question for the community regarding an increased server load due to what I believe is some malicious activity. For the past 4 days my JAMES server has been coping with ~25,000-30,000 connections and spooling 15,000-20,000 emails.
Here is what I think is happening:

1. Malicious party is sending bulk email to recipients around the globe, pretending to be sending from one of my domains
2. The recipients' MTAs are bouncing these unwanted, undeliverable mails back to my server

When these mails arrive at JAMES a small percentage are marked as SPAM but the majority are 'Local Address Error' as the 'original' sender does not exist.

Sample in the server's log (________________ == my domain, removed from this email):

-----8<------
22/12/06 12:47:39 INFO smtpserver: Connection from 81-208-57-142.ip.fastwebnet.it (81.208.57.142)
22/12/06 12:47:40 INFO smtpserver: Connection from dslstatic14.ctcinet.com (72.20.66.79)
22/12/06 12:47:41 INFO smtpserver: Connection from mail.gartner.tv (64.60.40.66)
22/12/06 12:47:41 INFO smtpserver: executing message handlers
22/12/06 12:47:41 INFO smtpserver: sending mail
22/12/06 12:47:41 INFO smtpserver: Successfully spooled mail Mail1166755661386-20 from null on 72.20.66.79 for [EMAIL PROTECTED]
22/12/06 12:47:41 INFO smtpserver: executing message handlers
22/12/06 12:47:41 INFO smtpserver: sending mail
22/12/06 12:47:41 INFO smtpserver: Successfully spooled mail Mail1166755661258-19 from null on 81.208.57.142 for [EMAIL PROTECTED]
22/12/06 12:47:41 INFO smtpserver: executing message handlers
22/12/06 12:47:41 INFO smtpserver: sending mail
22/12/06 12:47:41 INFO smtpserver: Successfully spooled mail Mail1166755661717-21 from null on 64.60.40.66 for [EMAIL PROTECTED]
22/12/06 12:47:43 INFO smtpserver: Connection from mail.acmcentral.com (63.230.36.2)
22/12/06 12:47:44 INFO smtpserver: executing message handlers
22/12/06 12:47:44 INFO smtpserver: sending mail
22/12/06 12:47:44 INFO smtpserver: Successfully spooled mail Mail1166755664143-22 from null on 63.230.36.2 for [EMAIL PROTECTED]
22/12/06 12:47:46 INFO smtpserver: Connection from 81.80.97.20 (81.80.97.20)
22/12/06 12:47:47 INFO smtpserver: Connection from securechat.inventsales.com (142.176.67.180)
22/12/06 12:47:47 INFO smtpserver: Connection from mail02.tveyes.com (160.79.251.45)
22/12/06 12:47:47 INFO smtpserver: executing message handlers
22/12/06 12:47:47 INFO smtpserver: sending mail
22/12/06 12:47:47 INFO smtpserver: Successfully spooled mail Mail1166755667775-24 from null on 142.176.67.180 for [EMAIL PROTECTED]
-----8<------

- 'Original' sender always takes the same form [EMAIL PROTECTED]
- always coming back as null which is correct bounce reply format??
- each message contains 'Undeliverable' message

What I have in place already:

- Correct SPF record for this and all my mail-sending domains
- Checked to see if JAMES or sendmail (I route sendmail into JAMES for system messages etc) are sending this mail out, which they are not as far as I can see by logs and reports
- Switched local address error processor to Null these emails to stop the disk space consumption
- Connections are left as default (consequently lots of max connections messages showing up in logs, but the lesser of two evils as far as I am concerned)

On a positive note:

- JAMES is quite happily trotting along, handling it all with grace.

So I am putting this out there to the community now to see where I should go from here. Any and all responses are welcome.

Regards
MB
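
Added example, not part of the original message and not JAMES code: a small log summary that measures how much of the spooled mail has the null sender and how widely it is spread across sending hosts, which is the pattern the log excerpt above shows. The line shapes are taken from that excerpt; the sample lines, addresses and both thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Line shapes follow the log excerpt in the post; the sample data is constructed.
CONN = re.compile(r"^\S+ (\S+) INFO smtpserver: Connection from \S+ \(([\d.]+)\)$")
SPOOL = re.compile(r"^\S+ (\S+) INFO smtpserver: Successfully spooled mail \S+ "
                   r"from (\S+) on ([\d.]+) for (.+)$")

SAMPLE = """\
22/12/06 12:47:40 INFO smtpserver: Connection from mx.a.example (192.0.2.10)
22/12/06 12:47:41 INFO smtpserver: Successfully spooled mail Mail1-1 from null on 192.0.2.10 for abc123@example.org
22/12/06 12:47:41 INFO smtpserver: Connection from mx.b.example (198.51.100.7)
22/12/06 12:47:42 INFO smtpserver: Successfully spooled mail Mail2-2 from null on 198.51.100.7 for xyz789@example.org
22/12/06 12:48:03 INFO smtpserver: Connection from mx.c.example (203.0.113.5)
22/12/06 12:48:04 INFO smtpserver: Successfully spooled mail Mail3-3 from null on 203.0.113.5 for qrs456@example.org
22/12/06 12:48:09 INFO smtpserver: Connection from mx.d.example (192.0.2.99)
22/12/06 12:48:10 INFO smtpserver: Successfully spooled mail Mail4-4 from alice@example.net on 192.0.2.99 for bob@example.org
"""

def summarize(lines, share_threshold=0.5, spread_threshold=0.5):
    """Summarise null-sender (bounce) traffic; thresholds are assumed, tune locally."""
    connections = spooled = 0
    by_ip, by_minute = Counter(), Counter()
    for line in lines:
        line = line.strip()
        if CONN.match(line):
            connections += 1
        elif (m := SPOOL.match(line)):
            spooled += 1
            clock, sender, ip, _rcpt = m.groups()
            if sender == "null":           # empty reverse-path: a bounce/DSN
                by_ip[ip] += 1
                by_minute[clock[:5]] += 1  # bucket by HH:MM
    bounces = sum(by_ip.values())
    share = bounces / spooled if spooled else 0.0
    spread = len(by_ip) / bounces if bounces else 0.0  # 1.0 = every bounce from a new host
    return {
        "connections": connections,
        "spooled": spooled,
        "bounces": bounces,
        "bounce_share": share,
        "sources": len(by_ip),
        "peak_minute": max(by_minute.items(), key=lambda kv: kv[1], default=(None, 0)),
        "backscatter_suspected": share >= share_threshold and spread >= spread_threshold,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

A high bounce share spread over many hosts that each deliver only a message or two points to backscatter from a forged sender rather than to one misbehaving peer.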
