Joey wrote, at 10/13/2008 05:10 PM: > I can only tell you that in 4 days we have blocked at the firewall level ( > on only 1 server ) > 161,166 connections from Poland > 1,184,747 connections from Turkey > 418,162 connections from Russia > 53,656 connections from Czech > 1,613,636 connections from Asia > 129,428 connections from UK > > Just for reference on one of the other servers 2,193,894 connections from > Turkey. > > I don't think anyone can argue that these numbers are not the pattern of > NORMAL servers, or of legit email. > We maybe support 400-500 users total! No way 1 Million legit messages are > coming in from Turkey today, this week or even this month.
connections != messages Make sure you count the hosts, not the number of packets that were attempted. In many cases, each host is only trying to send one message. Blocking can skew the numbers (but the ones you report are still rather large). Consider that your IP address has become tainted. If you've been using it for a long time (or inherited an IP with a history), there is a possibility that a number of these attempts are automated and not even aimed at your users. In that case, try moving to a new IP address with no SMTP history. You might also monitor the target recipients, to see if an address (or domain) has become an attractor for some reason. This can be done maliciously, and is enough of an excuse to retire the address.
