EXIM killing server Load 100+

[Shadeaux]

I have been forced to stop the exim service. I have ClamAV and Spam Assassin installed. Apparently, one of my domains is bein SPAM'd with a super high volume. The second I restart the EXIM service, the server load goes from 0.3 to 150!! It goes thru the startup process, and once Antirelayd starts, things slow to a stand still, then, after about 4 minutes of waiting, spamd starts, then its done.but the server load climbs and stays at this high level. I have tried to add a setting in the antivirus.exim file, but that did no good. I have tried to suspend the account in question, that did not help either. the only thing that works is to shut down exim. I really need help here. How do I stop this SPAM, or at least kill it once it hits the server?

[forlinuxsupport]

change that domains "default address" - i.e .the catchall to :fail:

That will stop any spam and bogus email addresses.

Setup all the email addresses you need on that domain.

[serversphere]

Plus implement Chirpy's dictionary attack ACL - info @ http://www.configserver.com/free/eximdeny.html

[AndyReed]

I have tried to suspend the account in question, that did not help either. the only thing that works is to shut down exim. I really need help here. How do I stop this SPAM, or at least kill it once it hits the server?

If you have a spammer in-house, the best solution is to track down and to eliminate their script.

[serversphere]

If you have a spammer in-house, the best solution is to track down and to eliminate their script.

Great advice however Shadeaux has pointed out that the problem is incoming spam, not outgoing spam. Shadeaux, in your logs can you see if the spam is consistantly from the same IP range? Perhaps you can either (a) ban the lot in your firewall or (b) talk to your DC about null routing traffic to you from them. If it's from a wide range your only solution will be to suspend the account and see if you can get the dictionary attack script work it's magic.

[sneaky side note] I'm wondering what setting the MX for that given domain to 127.0.0.1 would do - would it push the connection back at the spamming machine, thus nulling traffic? It's early, I was up late and have had no coffee... anyone else think this might be a backhanded way to solve this?

[humble side note] I also just noticed this post is a month old with no reply from the OP. I need to check dates more often...

[AndyReed]

Great advice however Shadeaux has pointed out that the problem is incoming spam, not outgoing spam.

This is not true. You need to read the posting one more time. It is not clear whether it is incoming or outgoing.

It's early, I was up late and have had no coffee...

I think you should drink your coffee before responding

[serversphere]

Wowee, Andy. Hostile today? The person says in the very first sentence of the post that one of their domains is being spammed at a very high volume. Am I giving too much credit to think they might know the difference between incoming and outgoing mail? Maybe. But he says he suspended the account, which would stop any offending scripts from running....