[svlug] Sudden increase in spam volume

Kevin Smathers kevin at ank.com
Thu Dec 7 12:36:48 PST 2006


Walt Reed wrote:
>
> <snip>
>
>> If anyone else is running into this, I'd like to hear what you've
>> decided to do.
>
> There are a few options to cut the crap, and different solutions are
> "right for you" depending on your particular situation.
>
> DNSBL (black lists) are probably the easiest to implement, and are
> usually very effective. The idea is to eliminate mail from zombies by
> blocking anything coming from dynamic IP space and other known spam
> sources.
>
> Greylisting is another option that is fairly effective, although some
> people don't like it because it increases the load on legit senders, and
> can slow down delivery of legit mail.
>
My question wasn't about spam that is being delivered, but spam that is 
being refused at the server.

I'm already filtering in all of the standard ways, and in a few ways
that are non-standard.  Right now I'm running rhsbl and dnsbl checks,
then whitelisting known senders, and then refusing mail to invalid
recipients.  These are all fairly inexpensive, although I might benefit
from moving the valid recipient check to the front of the stack.  The
order it is in now lets the filters run in the same order as the
protocol elements appear, so that I can do an early disconnect when spam
is encountered.

Greylisting would be great, but doesn't interact well with some of the 
servers I regularly get good mail from (I encountered Evan Harris' 
whitepaper when doing a search for prior art for a very similar 
technique that we patented a few years ago.)  In fact it is my 
experience with purposely returning SMTP 400 responses as Greylisting 
does that is worrying me about the current spam situation.

After the cheap checks I run spamc, which itself checks SURBL, SORBS,
NJABL, XBL, and SpamCop, as well as the other common rulesets.  Net
result is I catch all but about 20-30 spams a day, which for me turns out
to be about a 92% reduction in deliverable spam when things are normal.

So I am happy with my spam filtering -- what I'm interested in is if
anyone else is seeing the same volume increase of spam.  Because of the
low quality of the spam I'm still only getting 20-30 in my mailbox each
day, but my server load has jumped from a historical average of about
600 delivery requests per day, to about 2,200 two days ago, to about
9,600 today.

Because of the low quality of the spam, none of this is actually getting 
past the filters, and the load average is between about 0.1 to 0.2 since 
I can kick messages before having to run them through spamassassin, but 
the fork limits in qpsmtpd are set based on a predicted ratio of 
low-quality to high-quality spam, and right now the server is delaying 
SMTP connection requests for good email while dealing with the flood of 
incoming spam connections.

Cheers,
-kls
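The rejection stack Kevin describes (cheap rhsbl/dnsbl/whitelist/recipient checks run in the order the SMTP protocol elements arrive, spamc only at DATA) and the load observation that follows it can be put in a small simulation. The example below is added here; it is not code from the post, from qpsmtpd or from SpamAssassin. All hosts, domains, block lists, the spam scores and the relative cost units are constructed, and the "deferred" pipeline (same checks, all run after the body arrives) is a comparison case the post does not describe.

```python
# Added example, not from the original post or from qpsmtpd itself: a toy
# model of a rejection stack run in SMTP protocol order, so that cheap
# checks fire at the earliest phase that has the data they need and a
# rejected client is disconnected before the body is received or scanned.
# Every host, domain, list and cost figure below is constructed.
from dataclasses import dataclass

PHASES = ["connect", "mail", "rcpt", "data"]  # SMTP order of the hooks
# Relative cost of holding the connection through each phase; DATA is
# dearer because the body has to be received (constructed units).
PHASE_COST = {"connect": 1, "mail": 1, "rcpt": 1, "data": 5}
CHECK_COST = {"dnsbl": 1, "rhsbl": 1, "whitelist": 0, "valid_rcpt": 0, "spamc": 50}

# Constructed lists; a real server resolves these with DNS lookups instead.
DNSBL = {"203.0.113.7"}                  # listed client IPs (TEST-NET-3)
RHSBL = {"spam.example"}                 # listed sender domains
WHITELIST = {"friend.example"}           # known-good senders skip the scan
VALID_RCPT = {"kevin@mail.example"}      # hypothetical local mailboxes
SPAM_THRESHOLD = 5.0

@dataclass
class Session:
    ip: str
    sender_domain: str
    recipient: str
    spam_score: float   # constructed stand-in for what spamc would report

# Each check sees the session plus per-connection notes (qpsmtpd plugins
# pass state between hooks in a similar way) and returns "reject" or None.
def dnsbl(s, notes):
    return "reject" if s.ip in DNSBL else None

def rhsbl(s, notes):
    return "reject" if s.sender_domain in RHSBL else None

def whitelist(s, notes):
    if s.sender_domain in WHITELIST:
        notes["whitelisted"] = True   # later checks consult this note
    return None

def valid_rcpt(s, notes):
    return "reject" if s.recipient not in VALID_RCPT else None

def spamc(s, notes):
    return "reject" if s.spam_score >= SPAM_THRESHOLD else None

# (phase the check hooks, name, function, note that lets it be skipped)
EARLY_DISCONNECT = [
    ("connect", "dnsbl", dnsbl, None),
    ("mail", "rhsbl", rhsbl, None),
    ("rcpt", "whitelist", whitelist, None),
    ("rcpt", "valid_rcpt", valid_rcpt, None),
    ("data", "spamc", spamc, "whitelisted"),
]
# Same checks, but everything deferred until the message body has arrived.
DEFERRED = [("data", name, fn, skip) for _, name, fn, skip in EARLY_DISCONNECT]

def run_session(s, pipeline):
    """Return (outcome, phase, cost) for one SMTP session.

    Phases are charged in protocol order as the session advances; a reject
    ends the session at the current phase, so later phases cost nothing."""
    cost, reached, notes = 0, -1, {}
    phase = PHASES[0]
    for phase, name, fn, skip_if in pipeline:
        # Charge every phase the client must get through to reach this hook.
        while reached < PHASES.index(phase):
            reached += 1
            cost += PHASE_COST[PHASES[reached]]
        if skip_if and notes.get(skip_if):
            continue
        cost += CHECK_COST[name]
        if fn(s, notes) == "reject":
            return f"reject:{name}", phase, cost
    return "accept", phase, cost

def summarize(sessions, pipeline):
    """Tally outcomes and the total relative cost for a batch of sessions."""
    tally, total = {}, 0
    for s in sessions:
        outcome, _, cost = run_session(s, pipeline)
        tally[outcome] = tally.get(outcome, 0) + 1
        total += cost
    return tally, total

# Constructed traffic: a burst of listed zombies plus a handful of real mail.
SAMPLE = (
    [Session("203.0.113.7", "zombie.example", "kevin@mail.example", 9.0)] * 20
    + [Session("198.51.100.5", "spam.example", "kevin@mail.example", 8.0)] * 2
    + [Session("198.51.100.8", "friend.example", "kevin@mail.example", 6.0),
       Session("198.51.100.9", "other.example", "nobody@mail.example", 7.0),
       Session("198.51.100.10", "shop.example", "kevin@mail.example", 1.2),
       Session("198.51.100.11", "random.example", "kevin@mail.example", 12.0)]
)

if __name__ == "__main__":
    for label, pipeline in (("early disconnect", EARLY_DISCONNECT),
                            ("deferred", DEFERRED)):
        tally, total = summarize(SAMPLE, pipeline)
        print(f"{label:16s} cost={total:4d} {tally}")
```

Both orderings reject exactly the same sessions; the difference is where. In the early-disconnect order a listed zombie costs two units and is gone at connect time, while in the deferred order the same zombie is held through RCPT and DATA before the first check fires. That is the cost that matters when the flood is mostly low-quality spam: the filters never have trouble catching it, but each connection still occupies a server slot until the rejecting check runs, which is why a fork limit tuned for the old zombie-to-real-mail ratio starts delaying legitimate connections.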