"Alan J. Flavell" <a.flavell@???> said, in message
Pine.LNX.4.62.0509291245520.16136@???:
> On Thu, 29 Sep 2005, Alun wrote:
>
> > My ACL says:
>
> For clarification please - is this at HELO time?
Yes.
I can't say I've noticed particularly aggressive retries, but
then my numbers do seem to be rather higher than others have
quoted. Hang on, I'll look through the logs...
OK... 10,628 unique IPs have been hit by the ACL this week.
7383 tried once only.
9947 tried 4 or less times (we have 4 IPs involved in our MX record,
so I think that's a reasonable threshold for a hit and run spammer).
I don't know what would count as aggressive, but taking a threshold
of 100 or more attempts this week gives us only 29 hosts, accounting
for 7783 attempts.
One host has tried 784 times this week, but that's been
spread over the entire week.
The most aggressive retries from a single host came at the rate of 23 per
minute, but only lasted for one minute, and I can live with that :-)
> I have to admit that we didn't review what would happen nowadays if we
> moved the rejection back to the earlier phase. We just left it where
> it was.
It looks to me like things have changed. On the figures above, I reckon
we're probably wasting less local resources dropping after HELO than we
would rejecting after each RCPT.
Cheers,
Alun.
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
