I mentioned the spam attack a few posts ago and I thought I would send a quick update on the status.
All is calm and working normally.
Here’s the step among many that made the biggest difference:
- I imported my SMTP logs into MS Access for analysis (too many records for Excel to handle)
- Created a query that filtered by sc-status, searching for 550 which corresponds to a relay attempt (201,759 of those!)
- Designed another query based on the first one that does a count(ip-address) and groups by ip also. This gave me my top offending IP addresses
- Ran the top 20 offenders through the spam database lookup aggregator at DNSstuff.com, for instance: http://www.dnsstuff.com/tools/ip4r.ch?ip=18.104.22.168 and compiled a list of matching blocking list providers and looked for commonalities. Figured out that the CBL, the Composite Blocking List had almost all of my offenders listed.
- So I added their query zone, cbl.abuseat.org, to my Exchange server and bingo, 90% of my attacks were thwarted right off the bat.
I know this isn’t the most exciting reading, but this just worked so well I had to share it in the hopes that it helps others.