In light of the recent discussion on secondary MXes, we're experimenting with using a dummy low-priority MX to draw off some of the spam targeting our primary. The first phase was just pointing it at a machine that didn't accept mail.

For phase 2, I installed a tarpit/teergrube script on that machine. It took a while for anything but IP addresses to start showing up in the logs, but what I found was surprising: nearly every connection was sent from "<>" to an invalid user! (The exception looked like actual spam.)

After a little digging, I think I know why: it's because we've enabled rate limiting and connection limiting on our primary.

We get a ridiculous number of bounces to and probes for random forged accounts. Many of the systems sending these are not well-behaved: they'll open up as many simultaneous connections as they can, and they'll resend with delays as short as one second. So they quickly run into our connection and rate limits (hooray for Sendmail 8.13!)...and immediately start hammering the secondary. And when they hit the limits on the secondary, they start hitting the tarpit.

I'll be turning it off over the weekend -- if nothing else, I have to make adjustments to turn off tarpitting in the (unlikely, I hope) event that both real servers go down -- but it does make me wonder whether rate limiting and dummy MXes are really compatible ideas.

It really surprises me how long some of these servers will stay connected just to deliver an invalid bounce. And these aren't the ones I really *wanted* to tarpit anyway (though they're annoying enough in their own right).

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

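As an added illustration (not code from Kelson's post, and not the tarpit script he installed): a short Python triage pass over a constructed tarpit log. The log format here is an assumption, since the post doesn't show its log layout; the script separates null-sender ("<>") connections to invalid recipients from everything else, reports the longest hold time per class, and flags clients that reconnect within a second of their previous attempt, which is the retry behaviour the post describes running into the primary's rate limits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical format (assumption, not the post's real log):
# <ISO timestamp> <client ip> from=<sender> to=<recipient> rcpt=<ok|invalid> held=<seconds>
SAMPLE_LOG = """\
2005-03-04T10:00:01 192.0.2.10 from=<> to=<qzx8812@example.net> rcpt=invalid held=612
2005-03-04T10:00:01 192.0.2.10 from=<> to=<qzx8812@example.net> rcpt=invalid held=598
2005-03-04T10:00:02 192.0.2.10 from=<> to=<qzx8812@example.net> rcpt=invalid held=603
2005-03-04T10:00:05 198.51.100.7 from=<> to=<bob@example.net> rcpt=ok held=3
2005-03-04T10:01:10 203.0.113.9 from=<offers@example.com> to=<alice@example.net> rcpt=ok held=1800
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'rcpt=(?P<status>\w+) held=(?P<held>\d+)$'
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d['ts'] = datetime.fromisoformat(d['ts'])
        d['held'] = int(d['held'])
        entries.append(d)
    return entries


def classify(entry):
    """Bucket a connection: null sender to an invalid user is a bounce/probe for a forged account."""
    if entry['sender'] == '' and entry['status'] == 'invalid':
        return 'null-sender-invalid-rcpt'
    if entry['sender'] == '':
        return 'null-sender'
    return 'other'


def summarize(entries):
    """Return (count per class, longest hold time in seconds per class)."""
    counts = defaultdict(int)
    max_held = defaultdict(int)
    for e in entries:
        k = classify(e)
        counts[k] += 1
        max_held[k] = max(max_held[k], e['held'])
    return dict(counts), dict(max_held)


def retry_bursts(entries, window_seconds=1):
    """Per client IP, count connections arriving within window_seconds of that IP's previous one."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e['ip']].append(e['ts'])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        fast = sum(1 for a, b in zip(times, times[1:])
                   if (b - a).total_seconds() <= window_seconds)
        if fast:
            bursts[ip] = fast
    return bursts


if __name__ == '__main__':
    log = parse_log(SAMPLE_LOG)
    counts, held = summarize(log)
    for k in counts:
        print(f'{k}: {counts[k]} connections, longest held {held[k]}s')
    print('fast retriers:', retry_bursts(log))
```

On the constructed sample this reports three null-sender connections to an invalid recipient, all held for roughly ten minutes, and one client (192.0.2.10) reconnecting twice within a second, which is the kind of sender that trips the primary's connection and rate limits and then lands on the secondary.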