First, thanks everyone for your replies - they were very insightful.
The attack was just as Randy said:
>the spam "attack" i experienced was like so:
>tens of thousands of mailservers from all over the world in all
>kinds of ip ranges were bouncing spam mails to my server. most of
>the bounces i looked at were "no such user", "we don't accept
>spam", etc.
The setup is this: a patched qmail using John's combined patch (which
includes the previously mentioned validrcptto patch), rblsmtpd, and
qmail-scanner with spamassassin and clamd. I modified the environment
variable for validrcptto to drop the SMTP connection after two
unsuccessful validrcptto deliveries.
I agree with Randy's post. I don't think greylisting would have helped.
Since Nov 23, there have been 41,000 unique sending IPs. I feel the system
was taxed the same as or less than it would have been using a greylist.
However, if someone thinks otherwise, please let me know.
I only host about 200 domains, but the clients are financial
institutions so I don't know that I want to block whole countries from
connecting.
I think the most fitting solution is to create a secondary vanilla qmail
machine and change the MX record for that domain, that way I don't get
5000 calls of "is the mail server down?".
John, your patches work great but I'm not using your run script - I'll
have to check it out.
Again, thanks everyone for your suggestions and help.
Matt
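For readers who have not seen the validrcptto behaviour Matt describes in action, here is an added example (not code from the qmail list, John's patch, or Matt's server) of the policy as a toy SMTP envelope handler: RCPT TO is checked against a list of known local addresses, unknown users get a 550, and after a second bad recipient the connection is dropped with a 421. The recipient list, hostname, threshold constant and command strings are all constructed for the example; the real patch reads its addresses from a cdb and the post does not name the environment variable, so MAX_BAD_RCPTTO is a hypothetical stand-in.

```python
"""Added example: qmail validrcptto-style recipient checking with a
drop-after-N-bad-RCPT threshold. Not qmail's or the validrcptto patch's
own code; names, addresses and the threshold are constructed/hypothetical."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the validrcptto address list (the real patch
# consults a cdb built from the hosted domains).
VALID_RCPTTO = {"alice@example.com", "bob@example.com"}
# Hypothetical threshold: the post mentions an environment variable set to
# two failures but does not give its name.
MAX_BAD_RCPTTO = 2
HOSTNAME = "mx.example.com"  # constructed

_MAIL_RE = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>", re.IGNORECASE)
_RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class Session:
    sender: Optional[str] = None          # "" means null sender, i.e. a bounce
    bad_rcpt: int = 0                     # invalid RCPT TO seen this connection
    accepted: List[str] = field(default_factory=list)
    dropped: bool = False                 # server closed the connection


def handle_command(session: Session, line: str) -> str:
    """Return the SMTP reply for one client command, updating session state."""
    cmd = line.strip()
    upper = cmd.upper()
    if upper.startswith(("HELO", "EHLO")):
        return f"250 {HOSTNAME}"
    m = _MAIL_RE.match(cmd)
    if m:
        session.sender = m.group(1).lower()
        session.accepted = []
        return "250 ok"
    m = _RCPT_RE.match(cmd)
    if m:
        if session.sender is None:
            return "503 MAIL first"
        rcpt = m.group(1).lower()
        if rcpt in VALID_RCPTTO:
            session.accepted.append(rcpt)
            return "250 ok"
        session.bad_rcpt += 1
        if session.bad_rcpt >= MAX_BAD_RCPTTO:
            # Second unknown recipient: stop answering the dictionary walk
            # and close, rather than burn a 550 on every further guess.
            session.dropped = True
            return "421 4.7.0 too many invalid recipients, closing connection"
        return "550 5.1.1 no such user"
    if upper == "DATA":
        if not session.accepted:
            return "503 RCPT first"
        return "354 go ahead"
    if upper == "QUIT":
        return "221 bye"
    return "502 unimplemented"


def run_session(commands: List[str]) -> Tuple[Session, List[str]]:
    """Feed client commands in order; stop once the server has dropped the link."""
    session = Session()
    replies: List[str] = []
    for line in commands:
        replies.append(handle_command(session, line))
        if session.dropped:
            break
    return session, replies


if __name__ == "__main__":
    # Constructed session resembling one of the bounces Matt describes:
    # null sender, one bad recipient, one good, then a second bad one.
    bounce = [
        "EHLO relay.example.net",
        "MAIL FROM:<>",
        "RCPT TO:<nosuchuser1@example.com>",
        "RCPT TO:<alice@example.com>",
        "RCPT TO:<nosuchuser2@example.com>",
        "DATA",
    ]
    sess, out = run_session(bounce)
    for c, r in zip(bounce, out):
        print(f"C: {c}\nS: {r}")
    print("dropped:", sess.dropped, "accepted:", sess.accepted)
```

Note that the DATA command in the constructed session never gets a reply because the server has already closed after the second invalid recipient; a real bouncing MTA would log that as a temporary failure and retry, which is why the threshold only saves CPU on the recipient-walk itself and does not make the 41,000 hosts go away.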