This has been a problem more than once for me, so I wrote a quick one liner to help sort out trends from the /var/log/secure file.

This script will print out a list of IP addresses that have connected via smtp at least 100 times. This was very useful for me as I found two IP addressed that were filling up my queues with nearly 10,000 messages each over the span of 2 days!




Then all I had to do was add a line to my firewall script to block the IP and load started settling down right away. A line like this worked fine for me:



And no, I dont mind posting the IP

Hope that helps somebody out there.

That rule is dropping traffic on the return side to the spammer. Which works, but you'll get better performance applying that to the INPUT table, like this:

iptables -A INPUT -s 80.99.151.140 -j DROP

Mike and I are working on adding in the TARPIT rule to ASL, which would go one step farther, rather than dropping the traffic, it would slow the session down (and drop it, so it still wont get in). The added bonus there is you effectively tie up the spamming MTA, without tieing up yours.

Typo!

Thanks for the catch

I actually caught it on my end but forgot to update this post. I'll edit my post above for clarity