Michael:

Thx for your reply. I guess I will just wait for it to stop.

Meanwhile: spamdyke is by far the best tool I have seen and used to fight spam. Thanks!!!

Pablo

2008/5/7 Michael Colvin <[EMAIL PROTECTED]>:
> I was in a similar situation a couple months ago when I took over service
> for another ISP that had been hosting its domain with yet another ISP, who
> had poor spam filtering...
>
> For years, the domain I took over had likely been used for spam, either
> directly or through backscatter, the result, when I moved the domain was the
> spam bots followed to my server, which brought it to its knees. SpamDyke to
> the rescue!
>
> As with you, SpamDyke performed perfectly. It's been 2 months now, and the
> total number of connections has gradually decreased during that time. I was
> at just under 1 million smtp connections a day, and am now down to around
> 500K, 99.4% of that is blocked by SpamDyke. This percentage hasn't really
> changed much, but the quantity of attempts has.
>
> My guess is, as the "Spammer", or whoever was controlling the spam bots in
> my case, or spam bots as the case may be, is slowly figuring out that their
> spam is no longer getting out...That makes it unprofitable for them, and
> will make them go elsewhere...In my case, I think several people had used
> that domain to get their spam out, and, as time is progressing, they are
> moving on.
>
> My guess is, at some point, maybe even just initially, the person using your
> mail servers was successful, and now that you've blocked them, it may take
> them a while to figure out that they are no longer succeeding.
>
> Another thing I've noticed is that I feel one of their "Techniques" is to
> inundate a server with so much mail, that more common anti-spam
> applications, such as Spam Assassin, become overloaded and timeout, causing
> them to basically be Denial of Serviced. I will occasionally see very
> large peaks of sudden attempts to send mail to my server. Nearly all of
> them are denied by SpamDyke, so it has little effect on my server, but
> previous to SpamDyke, it would likely have bogged it down and gotten past
> SpamAssassin...
>
> Anyway, that's my .02. I think you're just going to have to wait it
> out...It may take a week or so for the person to find another
> target...Hopefully, it won't be me. :-)
>
> Michael J. Colvin
> NorCal Internet Services
> www.norcalisp.com
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Pablo Medina
>> Sent: Wednesday, May 07, 2008 7:02 PM
>> To: spamdyke users
>> Subject: [spamdyke-users] OT: Spambot attack
>>
>> Hello.
>>
>> Sorry for this off-topic post. I am posting it because most
>> people on the list are mail server administrators. Also, it
>> is slightly related to spamdyke so I feel confident some of
>> you can be of help.
>>
>> On March 24, two of our mail servers (physically separated,
>> different countries and networks) started to receive a big
>> amount of SMTP connections. A quick check revealed that all
>> the incoming connections had a single account as recipient on
>> each server.
>>
>> As we are using spamdyke on both servers, I quickly added
>> that email address to the recipient-blacklist file and all
>> connections were rejected (DENIED_BLACKLISTED and others).
>> This decreased the load on the servers (as emails were not
>> being processed) and restored it to a functional state. But
>> connections were still there. I have seen this kind of
>> spambot attack before, and, as all of those stopped sooner or
>> later, I was hoping it would stop in the next hours. The main issue
>> is that the attack never stopped. We are receiving around
>> 950,000 connections to that account per day since 30 days ago.
>>
>> The stats for the last four days are:
>>
>> May 06 943.600 connections.
>> May 05 993.454 connections.
>> May 04 840.815 connections.
>> May 03 1.022.314 connections.
>>
>> Different IP address: 75238
>> Different class C subnets: 50074
>> Different class B subnets: 8936
>>
>> I have selected random addresses to check and IPs are from
>> different countries (most of them from Asia, but many from Europe)
>>
>> This makes it impossible for me to contact each network owner to
>> alert about the situation. So right now, we are relying only
>> on spamdyke to control the situation. It is doing its work
>> great, but I am very concerned by the fact that connections
>> never decrease nor stop.
>>
>> My question is: has anyone experienced this issue before?
>> Any advice on how to deal with it?
>>
>> Regards
>> Pablo
>> _______________________________________________
>> spamdyke-users mailing list
>> [email protected]
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
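
The per-day, per-address and per-subnet figures quoted in the original post can be tallied from the mail log to watch whether such a flood is tapering off. The following is an added example, not part of the thread: the log line layout (a `DENIED_*` result code followed by `to:` and `origin_ip:` fields), the sample lines and the names `summarize` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation addresses); the field layout is an
# assumption for this example, not log output taken from the thread.
SAMPLE_LOG = """\
May  5 09:00:01 mx1 spamdyke[4101]: DENIED_BLACKLISTED from: a@example.net to: target@example.org origin_ip: 203.0.113.10
May  5 09:00:02 mx1 spamdyke[4102]: DENIED_BLACKLISTED from: b@example.net to: target@example.org origin_ip: 203.0.113.77
May  6 11:30:10 mx1 spamdyke[5001]: DENIED_BLACKLISTED from: c@example.net to: target@example.org origin_ip: 203.0.114.5
May  6 11:30:11 mx1 spamdyke[5002]: DENIED_RDNS_MISSING from: d@example.net to: target@example.org origin_ip: 198.51.100.9
May  6 11:30:12 mx1 spamdyke[5003]: ALLOWED from: e@example.net to: other@example.org origin_ip: 192.0.2.1
May  6 11:30:13 mx1 spamdyke[5004]: DENIED_BLACKLISTED from: f@example.net to: target@example.org origin_ip: 203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) .*?spamdyke\[\d+\]: (?P<result>[A-Z_]+) "
    r".*?\bto: (?P<rcpt>\S+) .*?\borigin_ip: (?P<ip>\S+)"
)

def summarize(log_text, recipient):
    """Tally rejected connections aimed at one recipient, per day and per source network."""
    per_day = Counter()
    ips, nets24, nets16 = set(), set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m["result"].startswith("DENIED_"):
            continue  # unparsable line or an accepted connection
        if m["rcpt"].lower() != recipient.lower():
            continue  # traffic for some other mailbox
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ipaddress.AddressValueError:
            continue  # malformed or non-IPv4 origin
        per_day[" ".join(m["day"].split())] += 1  # normalise "May  5" to "May 5"
        ips.add(ip)
        nets24.add(ipaddress.ip_network(f"{ip}/24", strict=False))  # "class C"
        nets16.add(ipaddress.ip_network(f"{ip}/16", strict=False))  # "class B"
    return {"per_day": dict(per_day), "ips": len(ips),
            "class_c": len(nets24), "class_b": len(nets16)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "target@example.org"))
```

A ratio of distinct addresses to distinct /24 networks close to 1, as in the figures above, indicates widely distributed sources, which is why per-network blocking or contacting network owners does not scale here.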
