on 5/10/2012 9:47 AM Les Mikesell spake the following:
> On Thu, May 10, 2012 at 10:52 AM, Scott Silva <ssilva at sgvwater.com> wrote:
>>>
>>> I think you are over-analyzing. The senders are distributed and shift
>>> around whether you do anything defensive or not, and if you have ever
>>> accepted an address, even years ago with a system like qmail that
>>> accepted without checking anything, then tried to bounce bad
>>> addresses, those addresses will be on some lists that are re-tried
>>> forever no matter how many times you reject them now. I haven't
>>> watched this for a while but I used to be surprised that even though
>>> the senders were spread over hundreds of IPs, the overall rate seemed
>>> to be centrally controlled and in what would look like a dictionary
>>> attack the list seemed to be sorted, at least in big chunks, across
>>> the senders.
>>>
>> I would turn that address into a spamtrap and use it to reject on your other
>> servers...
>
> It wasn't 'an address'. It was a dictionary attack to thousands of
> user names that don't exist at a few domains. Years ago I had used
> an SME server with its stock qmail setup to receive for those domains
> - up to the point where accepting/bouncing rejections became
> impractical. But by then the addresses must have gotten on some
> 'known good' spam list because they had been accepted at least once,
> and from then on there was a steady stream of about 50k/day delivery
> attempts. For unrelated business reasons we no longer use those
> domains but it went on for years and for all I know the list is still
> being used. After I switched to receiving with sendmail with all the
> real users in virtusertable the rate wasn't a problem - rejects happen
> very quickly with only a dbm lookup and a default reject rule.
>

But still... If you know those addresses are never legitimate anymore, they are
perfect to port to a spamtrap, and use for local blocking of those senders...
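
An added example, not part of the original thread, of the spamtrap-to-local-blocklist idea discussed above: it collects the client IPs that attempted delivery to addresses under a retired domain and renders them as sendmail access-map `Connect:` entries. The domain names, the simplified log layout, the `min_distinct` threshold and the `allow` list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: domains that no longer carry legitimate mail, so every
# recipient under them is treated as a spamtrap address.
TRAP_DOMAINS = {"retired-domain.example"}

# Constructed sample input in a simplified "time client_ip rcpt" layout,
# not a real MTA log format; adapt LINE_RE to what your MTA writes.
SAMPLE_LOG = """\
2012-05-10T09:00:01 192.0.2.10 aaron@retired-domain.example
2012-05-10T09:00:02 192.0.2.10 abby@retired-domain.example
2012-05-10T09:00:03 198.51.100.7 abel@retired-domain.example
2012-05-10T09:00:04 192.0.2.10 abner@retired-domain.example
2012-05-10T09:00:05 203.0.113.5 alice@live-domain.example
2012-05-10T09:00:06 198.51.100.7 bob@live-domain.example
2012-05-10T09:00:07 not a log line
"""

LINE_RE = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)@(\S+)$")

def trap_hits(log_text, trap_domains=TRAP_DOMAINS):
    """Map client IP -> set of distinct trap recipients it tried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ip, local, domain = m.groups()
        if domain.lower() in trap_domains:
            hits[ip].add(f"{local}@{domain}".lower())
    return dict(hits)

def blocklist(log_text, min_distinct=2, allow=frozenset()):
    """IPs that hit >= min_distinct trap addresses, minus allow-listed relays."""
    return sorted(
        ip for ip, rcpts in trap_hits(log_text).items()
        if len(rcpts) >= min_distinct and ip not in allow
    )

def access_entries(ips):
    """Render sendmail access-map lines (Connect: tag, REJECT action)."""
    return [f"Connect:{ip}\tREJECT" for ip in ips]

if __name__ == "__main__":
    print("\n".join(access_entries(blocklist(SAMPLE_LOG))))
```

Because the senders are spread over many IPs, a threshold above one trades coverage for fewer false positives from a relay that forwards a single stale address.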