Hey all,
I host about 500 domains, and every once in a while I see something where a domain gets hammered for a bunch of non-existent users (in my setup, this results in all the emails going to the same place).
Is there a custom rule that can be kicked in to detect multiple recipients of the same email?
(snip)
I haven't tried the custom rule approach, but I've found increasing success with non-SA methods. First, I've got a couple of spamtrap addresses that feed into a script which parses the email, adding the first non-local relay into a local RBL (actually into a MySQL DB from which the RBL is automatically built), which is used with spamassassin. It's a bit risky, since there's no human review prior to adding the mail, but I've been careful about what emails become spamtraps.
I wanted to whip up a script to scan the logs and find the biggest offending IPs or IP ranges. In my application, however, I have a central mail hub, with multiple SMTP relays handling external mail (and AV scanning). The external relays were running amavisd-new with dual sendmail. Since the external relays accept for everyone in the local domains, the dictionary attacks were a big deal (or a nice feature, since the sending machine didn't gain any information about my user base). Given the volume, it wasn't a trivial task to match the log files on the machines (the mail hub logs that I'm seeing connections to unknown users -- I could use BAD_RCPT_THROTTLE, but all the connections come from my MX servers... D'oh!).
I did switch one of the MX machines to postfix recently. Postfix includes the ability to verify addresses prior to accepting mail, so dictionary attacks can be identified right away. That really cuts down on the quantity of mail sitting in the queue.
Now it's simple to scan the mail log on the MX server for user unknown messages that I can relate to a spam source. Pipe to awk, pipe to sort, pipe to uniq -c, pipe to sort again, pipe to head, and I have a top ten list of offenders to double-check and possibly add to a blacklist.
My next step will be to migrate the other MX server to postfix. Right now, it accepts mail for non-existent users, passes them to the mailhub, the hub generates a bounce, and the bounce either sits on the sendmail MX server, or gets rejected by the postfix server.
--Rich
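The awk/sort/uniq pipeline Rich describes above, written out as an added example (not code from the original post). It assumes Postfix smtpd "User unknown" reject lines in the MX mail log; the log lines below are constructed sample data using documentation IP ranges, and the /24 aggregation is an extension for the "IP ranges" case mentioned in the post.

```shell
#!/bin/sh
# Constructed sample of a Postfix MX mail log (not real data). Four client IPs
# probe non-existent users; one line is a different reject reason and one is an
# accepted connection, both of which the pipeline must ignore.
SAMPLE_LOG='Jan 10 12:00:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaa@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<aaa@example.com>
Jan 10 12:00:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aab@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<aab@example.com>
Jan 10 12:00:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aac@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<aac@example.com>
Jan 10 12:00:04 mx1 postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <bob2@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.example> to=<bob2@example.com>
Jan 10 12:00:05 mx1 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from dsl-7.example.net[198.51.100.7]: 550 5.1.1 <john@example.com>: Recipient address rejected: User unknown in local recipient table; from=<z@spam.example> to=<john@example.com>
Jan 10 12:00:06 mx1 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from dsl-7.example.net[198.51.100.7]: 550 5.1.1 <jon@example.com>: Recipient address rejected: User unknown in local recipient table; from=<z@spam.example> to=<jon@example.com>
Jan 10 12:00:07 mx1 postfix/smtpd[1237]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 550 5.1.1 <old-user@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<old-user@example.com>
Jan 10 12:00:08 mx1 postfix/smtpd[1237]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using rbl.example; from=<a@example.net> to=<bob@example.com>
Jan 10 12:00:09 mx1 postfix/smtpd[1238]: 7A1B2C3D4E: client=mail.example.org[203.0.113.9]'

# Print the client IP of every "User unknown" rejection in log file $1.
unknown_rcpt_ips() {
    awk '/Recipient address rejected: User unknown/ {
            # The token after the bare word "from" looks like unknown[192.0.2.10]:
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            print ip
         }' "$1"
}

# Top N (default 10) offending IPs from log $1, printed as "ip count".
top_unknown_rcpt_sources() {
    unknown_rcpt_ips "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" \
      | awk '{ print $2, $1 }'
}

# Same list aggregated by /24, so an attack spread over one netblock still surfaces.
top_unknown_rcpt_ranges() {
    unknown_rcpt_ips "$1" | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' \
      | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{ print $2, $1 }'
}

# Demo: write the constructed sample to a temp file and show both top lists.
LOG=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$LOG"
top_unknown_rcpt_sources "$LOG" 3
top_unknown_rcpt_ranges "$LOG" 3
```

Against a real log, point the functions at /var/log/maillog (or wherever Postfix logs on the MX) and review the result by hand before blacklisting anything, since a legitimate host with one stale recipient shows up in the same list.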