CoreyH Founder and CTO: RecordSetter. Dad to 6yr old boy, 3yr girl. Husband to @ewphoto

24May/060

spam update

I mentioned the spam attack a few posts ago and I thought I would send a quick update on the status.

All is calm and working normally.

Here’s the step among many that made the biggest difference:

  1. I imported my SMTP logs into MS Access for analysis (too many records for Excel to handle)
  2. Created a query that filtered by sc-status, searching for 550 which corresponds to a relay attempt (201,759 of those!)
  3. Designed another query based on the first one that does a count(ip-address) and groups by ip also. This gave me my top offending IP addresses
  4. Ran the top 20 offenders through the spam database lookup aggregator at DNSstuff.com, for instance: http://www.dnsstuff.com/tools/ip4r.ch?ip=59.145.147.53 and compiled a list of matching blocking list providers and looked for commonalities. Figured out that the CBL, the Composite Blocking List had almost all of my offenders listed.
  5. So I added their query zone, cbl.abuseat.org, to my Exchange server and bingo, 90% of my attacks were thwarted right off the bat.

I know this isn’t the most exciting reading, but this just worked so well I had to share it in the hopes that it helps others.

Share Button