[Dshield] Extreme increase in spam attempts... any one else seeing similar event?

Tony Earnshaw tonni at hetnet.nl
Fri Aug 17 15:57:18 GMT 2007

Chris Phillips skrev, on 17-08-2007 16:25:

> Since yesterday (16 Aug 6pm EDT) I am seeing a HUGE increase in spam 
> activity:
> sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
>    12110
> sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | egrep UNKNOWN | wc -l
>      480
> (This is less than 24 hours!)


That sort of thing is very often backscatter from joe jobs, i.e. a bot 
network sending out spam with the smtp 'MAIL FROM:' with one of your 
valid addresses and the receiving MTA bouncing it (as opposed to smtp 
refusing it).

Using a good and *lenient* dnsbl such as zen.spamhaus.org as a filter will 
get rid of at least 75% of it. For the rest, my sites use (latest, 
stable) Postfix + amavisd-new that themselves have an enormous anti-UCE 
armory built in. We refuse at least as much shoot as legal mail per day 
with the above.



Tony Earnshaw
Email: tonni at hetnet dot nl
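
An added example, not part of the original post: a sketch of what a DNSBL check against zen.spamhaus.org does for each connecting client IP, including the error-code case that must not be read as a listing. Function names and the sample answers are constructed for illustration, and the return-code groupings reflect Spamhaus's published codes at the time of writing.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"                           # the DNSBL named in the post
LISTED = ipaddress.ip_network("127.0.0.0/24")       # listing return codes
ERRORS = ipaddress.ip_network("127.255.255.0/24")   # query-error return codes

def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNS name looked up for a connecting client IP."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # reversed nibbles
    return ".".join(labels) + "." + zone

def classify(answer):
    """Map one A-record answer (or None for NXDOMAIN) to a verdict."""
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ERRORS:
        # e.g. query refused because it came via a public resolver.
        # Rejecting mail on this would block every sender.
        return "query error"
    if a in LISTED:
        last = int(a) & 0xFF
        if last in (2, 3, 9):
            return "SBL"
        if 4 <= last <= 7:
            return "XBL"
        if last in (10, 11):
            return "PBL"
    return "unknown"

def system_resolve(name):
    """Live lookup; returns only one A record, None on resolution failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, resolve=system_resolve):
    return classify(resolve(dnsbl_query_name(ip)))

# Constructed answers keyed by query name (documentation-range IPs).
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "7.100.51.198.zen.spamhaus.org": "127.255.255.254",
}
```

An MTA should reject only on the listing verdicts and treat "query error" and "unknown" as a fault in the lookup path to be fixed, not as a reason to refuse or accept mail blindly.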

