On Wed, 24 Aug 2005, Aroop Maliakkal wrote:

> Steve Phillips wrote:
>
> > Jessica Zhu wrote:
> >
> >> That's exactly what happened to us. Somebody outside of our
> >> organization forged the From: addresses and we became the victim to
> >> that. At this point, it seemed that our syslog is so busy to write
> >> the maillog that it becomes a heavy process. This morning around 8AM,
> >> this drives our system load over 20 and the system becomes slower and
> >> slower. Now it seemed the worst time is over. However, I worried with
> >> such bounced back volumes increasing, our system can not afford to
> >> it finally.
> >>
> >> All the messages come to random usernames. A lot don't exist.
> >>
> >>> sendmail to discard those and that will help the flood a bit. If
> >>> they're random, you can't block by source and you can't block by
> >>> destination. Not good...
> >>>
> >>> No penalty is severe enough for a spammer.
> >
> > in syslog.conf add a - to the start of the filename like so
> >
> > mail.*<tab><tab><tab>-/var/log/maillog
> >
> > The - tells syslog not to do an fsync each message and _really_
> > reduces syslog load when it is busy, this will probably bring your
> > mail server under a little more control.
> >
> > The next thing to do is examine the bounce messages and find out where
> > this originated and ring them. If this is still ongoing and they have
> > not terminated the spammer then add a postmaster redirect for that
> > domain temporarily to the postmaster@xxxxxxxxxxxxxxxxxxxx and you will
> > find the problem gets fixed usually within hours.
> >
> > This happened to me with an AOL user spamming using <random
> > characters>@internet.co.nz and I was getting a few thousand messages
> > an hour coming into my postmaster account, after being told by a
> > monkey to "forward the spam to postmaster@xxxxxxx sir !" and refusing
> > to discuss the issue I forwarded the 50,000 odd bounces I had
> > collected and added a redirect and within about a day it had stopped.
> >
> > The big trick is to find the originator. - If you need help with this
> > then let us know and we can probably track them down for you.
> >
> Another option is (Just a thought) :- to Null route the mx record of
> the domain to which bounce is coming....if it is possible give low ttl
> value....It will take some time to get the result in effect because mx
> will be cached by most of isps.
>

I'm afraid that I cannot do that since a lot of the domains are legitimate.

Jessica

--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
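
Added example (not part of any post in this thread): one way to do the "examine the bounce messages and find out where this originated" step in bulk. It assumes each bounce returns the original message as a message/rfc822 part; the sample bounce, its hosts and addresses, and the names handoff_ip and tally_sources are constructed for illustration.

```python
import email
import re
from collections import Counter

# Constructed sample bounce; all hosts and addresses are documentation values.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: qzxv@example.org
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

550 5.1.1 <nobody@example.net>... User unknown

--b1
Content-Type: message/rfc822

Received: from dialup.example.com (dialup.example.com [192.0.2.77])
 by mx.example.net with SMTP id j7OC1x01; Wed, 24 Aug 2005 08:01:02 -0400
Received: from forged.invalid ([203.0.113.5]) by dialup.example.com;
 Wed, 24 Aug 2005 08:00:59 -0400
From: qzxv@example.org
Subject: constructed sample

body
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw_bounce):
    """Return the client IP recorded by the bouncing site's own MX, or None."""
    msg = email.message_from_string(raw_bounce)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            # Only the topmost Received line was written by the host that sent
            # us the bounce; everything below it may be forged by the sender.
            received = part.get_payload(0).get_all("Received") or [""]
            match = IP_IN_BRACKETS.search(received[0])
            return match.group(1) if match else None
    return None

def tally_sources(raw_bounces):
    """Count hand-off IPs across many bounces to see where the run comes from."""
    return Counter(ip for ip in map(handoff_ip, raw_bounces) if ip)
```

Run over a saved batch of bounces, the most frequent addresses in the tally are the ones to look up and report to the owning network's abuse or postmaster contact.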