I was in a similar situation a couple months ago when I took over service for another ISP that had been hosting its domain with yet another ISP, who had poor spam filtering...

For years, the domain I took over had likely been used for spam, either directly or through backscatter. The result, when I moved the domain, was the spam bots followed to my server, which brought it to its knees. SpamDyke to the rescue! As with you, SpamDyke performed perfectly. It's been 2 months now, and the total number of connections has gradually decreased during that time. I was at just under 1 million smtp connections a day, and am now down to around 500K, 99.4% of that is blocked by SpamDyke. This percentage hasn't really changed much, but the quantity of attempts has. My guess is, the "Spammer", or whoever was controlling the spam bots in my case, or spam bots as the case may be, is slowly figuring out that their spam is no longer getting out... That makes it unprofitable for them, and will make them go elsewhere... In my case, I think several people had used that domain to get their spam out, and, as time is progressing, they are moving on.

My guess is, at some point, maybe even just initially, the person using your mail servers was successful, and now that you've blocked them, it may take them a while to figure out that they are no longer succeeding.

Another thing I've noticed is that I feel one of their "Techniques" is to inundate a server with so much mail, that more common anti-spam applications, such as Spam Assassin, become overloaded and time out, causing them to basically be Denial of Serviced. I will occasionally see very large peaks of sudden attempts to send mail to my server. Nearly all of them are denied by SpamDyke, so it has little effect on my server, but previous to SpamDyke, it would likely have bogged it down and gotten past SpamAssassin...

Anyway, that's my .02. I think you're just going to have to wait it out... It may take a week or so for the person to find another target... Hopefully, it won't be me. :-)

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pablo Medina
> Sent: Wednesday, May 07, 2008 7:02 PM
> To: spamdyke users
> Subject: [spamdyke-users] OT: Spambot attack
>
> Hello.
>
> Sorry for this off-topic post. I am posting it because most
> people on the list are mail server administrators. Also, it
> is slightly related to spamdyke so I feel confident some of
> you can be of help.
>
> On March 24, two of our mail servers (physically separated,
> different countries and networks) started to receive a big
> amount of SMTP connections. A quick check revealed that all
> the incoming connections had a single account as recipient on
> each server.
>
> As we are using spamdyke on both servers, I quickly added
> that email address to the recipient-blacklist file and all
> connections were rejected (DENIED_BLACKLISTED and others).
> This decreased the load on the servers (as emails were not
> being processed) and restored it to a functional state. But
> connections were still there. I have seen before this kind of
> spambot attacks, and, as all of those stopped sooner or
> later, I was hoping it would stop in the next hours. The main issue
> is that the attack never stopped. We are receiving around
> 950,000 connections to that account per day since 30 days ago.
>
> The stats for the last four days are:
>
> May 06 943.600 connections.
> May 05 993.454 connections.
> May 04 840.815 connections.
> May 03 1.022.314 connections.
>
> Different IP address: 75238
> Different class C subnets: 50074
> Different class B subnets: 8936
>
> I have selected random addresses to check and IPs are from
> different countries (most of them from Asia, but many from Europe).
>
> This makes it impossible for me to contact each network owner to
> alert about the situation. So right now, we are relying only
> on spamdyke to control the situation. It is doing its work
> great, but I am very concerned by the fact that connections
> never decrease nor stop.
>
> My question is: has anyone experienced this issue before?
> Any advice on how to deal with it?
>
> Regards
> Pablo
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
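
The per-day totals and the distinct IP, class C (/24) and class B (/16) counts quoted in the original message can be tracked over time with a short script, which shows whether the flood against a blacklisted recipient is actually tapering off. This is an added example, not part of the original thread: the log line layout and the sample lines are constructed assumptions, and `summarize` is a hypothetical helper name.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. The field layout (status, "to:", "origin_ip:") is an
# assumption for this example; adjust LINE_RE to match your own spamdyke log.
SAMPLE_LOG = """\
May 05 23:59:58 mx1 spamdyke[2001]: DENIED_BLACKLISTED from: a@example.net to: target@example.org origin_ip: 198.18.1.7
May 06 00:00:03 mx1 spamdyke[2002]: DENIED_BLACKLISTED from: b@example.net to: target@example.org origin_ip: 198.18.1.9
May 06 00:00:04 mx1 spamdyke[2003]: DENIED_BLACKLISTED from: c@example.net to: target@example.org origin_ip: 198.18.23.40
May 06 00:00:09 mx1 spamdyke[2004]: ALLOWED from: d@example.com to: staff@example.org origin_ip: 192.0.2.15
May 06 00:01:12 mx1 spamdyke[2005]: DENIED_BLACKLISTED from: e@example.net to: target@example.org origin_ip: 198.19.113.80
May 06 00:01:13 mx1 spamdyke[2006]: DENIED_BLACKLISTED from: f@example.net to: target@example.org origin_ip: 198.18.1.7
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3} +\d+) .*spamdyke\[\d+\]: (?P<status>[A-Z_]+) "
    r".*?\bto: (?P<rcpt>\S+) .*?\borigin_ip: (?P<ip>\S+)"
)

def summarize(log_text, recipient):
    """Count rejected connections for one recipient, per day and per source network."""
    per_day = Counter()
    ips, nets24, nets16 = set(), set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["rcpt"].lower() != recipient.lower():
            continue  # unparseable line or a different recipient
        if not m["status"].startswith("DENIED"):
            continue  # only rejected connections are of interest here
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ipaddress.AddressValueError:
            continue  # skip malformed or non-IPv4 addresses
        per_day[m["day"]] += 1
        ips.add(ip)
        nets24.add(ipaddress.ip_network(f"{ip}/24", strict=False))  # "class C"
        nets16.add(ipaddress.ip_network(f"{ip}/16", strict=False))  # "class B"
    return {"per_day": dict(per_day), "ips": len(ips),
            "class_c": len(nets24), "class_b": len(nets16)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "target@example.org"))
```

A high ratio of distinct /16 networks to distinct addresses, as in the figures above, indicates a widely distributed botnet, which is why per-network blocking or contacting network owners does not scale and recipient-level rejection is the practical control.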
