For the last couple of days, two of my clients, for whose Exchange servers my Imail server is a gateway, have been getting hit with dictionary-attack-type spam. I have been trying to figure out how they are getting through, even though I keep adjusting the filters.

Finally found it, and it is an old problem that has surfaced again: Hijack.

Here is what is happening: A spammer sends dictionary-attack-type spam to a domain that Imail is doing store and forward for. Since it is considered by Declude to be outgoing, Hijack sees it as outgoing and keeps track of the IP address. The IP hits threshold 1, and is held. The IP does not reach threshold 2, and is released back to the spool, with no virus or junkmail scanning.

Scott, please please please change the action of Hijack when releasing from hold1 to pass to Virus and then Junkmail for scanning. I would have to bet that spammers know about this, as they troll the list I am sure, and therefore are looking for it.

For now, I have had to bump hold1 parameters to above hold2, which I do not like doing, as that causes other issues on busy servers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
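
The hold-and-release path described in this message, as a simplified model (an added example, not Declude code and not part of the original post). The threshold values, the single counting window, the `scan` stand-in and the constructed traffic are assumptions; only the behaviour "held at threshold 1, released unscanned if threshold 2 is not reached" comes from the message.

```python
from collections import defaultdict

def scan(msg):
    """Stand-in for the virus + junk mail scanners (hypothetical): blocks flagged spam."""
    return "blocked" if msg["spam"] else "delivered"

def gateway(messages, hold1, hold2, scan_on_release):
    """Model one counting window of the hold/release flow from the message.

    messages: list of {"ip", "spam"} relayed to a store-and-forward domain.
    scan_on_release=False is the behaviour reported; True is the requested change.
    """
    seen = defaultdict(int)   # messages counted per source IP
    held = defaultdict(list)  # messages parked once an IP passes hold1
    out = {"delivered": [], "blocked": [], "held": []}
    for msg in messages:
        seen[msg["ip"]] += 1
        if seen[msg["ip"]] > hold1:
            held[msg["ip"]].append(msg)   # threshold 1 reached: hold
        else:
            out[scan(msg)].append(msg)    # assumption: scanned normally until then
    for ip, parked in held.items():
        if seen[ip] > hold2:
            out["held"].extend(parked)    # threshold 2 reached: stays held
            continue
        for msg in parked:                # threshold 2 not reached: release
            verdict = scan(msg) if scan_on_release else "delivered"
            out[verdict].append(msg)
    return out

def spam_delivered(result):
    """Count spam messages that reached the downstream mail server."""
    return sum(1 for m in result["delivered"] if m["spam"])

# Constructed traffic: one source sends 8 spam messages (over hold1, under hold2),
# another sends 2 legitimate messages. Addresses are documentation ranges.
SAMPLE = ([{"ip": "192.0.2.10", "spam": True} for _ in range(8)]
          + [{"ip": "198.51.100.7", "spam": False} for _ in range(2)])

AS_REPORTED = gateway(SAMPLE, hold1=5, hold2=20, scan_on_release=False)
AS_REQUESTED = gateway(SAMPLE, hold1=5, hold2=20, scan_on_release=True)

if __name__ == "__main__":
    print("spam delivered, release without scanning:", spam_delivered(AS_REPORTED))
    print("spam delivered, release through scanners:", spam_delivered(AS_REQUESTED))
```
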
