Mark [1] just alerted me that he blocked an IP (Internet Protocol) address because it was attempting to spam us. Or rather, it was attempting to spam all sorts of addresses to conman.org [2]. Over 200 attempts in the past month.
I then started going through the mail logs, and I found all sorts of fun stuff. Mr. Spammer trying various userids. Then there was the spammer that attempted to mail the same invalid address nearly 300 times. I also noticed that spammers were queueing mail up at our backup MX (Mail eXchange) servers, which not only loads our system up rejecting such mail, but loads our backup MX servers in accepting such mail to begin with.
Mark and I discussed the issue a bit and we came up with a few ideas for lessening the load. One idea was to add a module to Postfix [3] (since not only do we use that, but both our backup MX servers use it as well) to monitor rejected addresses and, if a single IP address attempts to deliver to too many bogus addresses, automatically block access from that address for a period of time (both the number of attempts and the length of time of the block would be configurable).
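The first idea, sketched as an added example (not code from the original post, and a scan over mail logs rather than a Postfix module): it counts unknown-recipient rejections per client IP and reports a timed block once a configurable limit is reached. The function names, the default limits, the sliding window, the assumed year and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of a Postfix smtpd rejection for an unknown recipient.
REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <[^>]*>: "
    r"Recipient address rejected: User unknown")

def find_blocks(lines, max_rejects=3, window=timedelta(minutes=10),
                block_for=timedelta(hours=1), year=2024):
    """Return (ip, block_start, block_end) for each client over the limit."""
    recent = defaultdict(deque)      # ip -> times of its recent rejections
    blocked_until, blocks = {}, []
    for line in lines:               # lines are assumed to be in time order
        m = REJECT.match(line)
        if not m:
            continue                 # not a bogus-recipient rejection
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ts < blocked_until.get(ip, datetime.min):
            continue                 # client is inside an active block
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # forget rejections older than the window
            q.popleft()
        if len(q) >= max_rejects:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts, ts + block_for))
            q.clear()                # start counting afresh after the block
    return blocks

def sample_line(ts, ip, rcpt):
    """Build one constructed log line in Postfix's rejection format."""
    return (f"{ts} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; to=<{rcpt}> proto=ESMTP")

SAMPLE_LOG = [  # constructed sample, documentation addresses only
    sample_line("Jan 12 03:14:07", "192.0.2.10", "aaron@example.org"),
    sample_line("Jan 12 03:14:09", "192.0.2.10", "abby@example.org"),
    sample_line("Jan 12 03:15:30", "198.51.100.7", "typo@example.org"),
    sample_line("Jan 12 03:16:02", "192.0.2.10", "adam@example.org"),
    sample_line("Jan 12 03:20:00", "192.0.2.10", "alan@example.org"),
]

if __name__ == "__main__":
    for ip, start, end in find_blocks(SAMPLE_LOG):
        print(f"block {ip} from {start} until {end}")
```

The sliding window keeps a client that mistypes one address a day from ever accumulating enough rejections to be blocked.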
The other problem is spam sent to bogus addresses at the backup MX servers; they have no idea which addresses are valid and which aren't, so all mail is accepted and queued up for final delivery. To get around that problem, another module could be added for the primary MX server to notify the backup MX servers of valid addresses; something similar to the way DNS (Domain Name Service) updates changes from master to slave servers. Such a scheme certainly won't scale, but for the number of users we have (across our system, and our backup MX servers) it's serviceable, and it would prevent the backup MX servers from queueing up mail for non-existent users.
In fact, now that I'm thinking about it, I wonder if this is how people selling lists of email addresses can “claim” that all the addresses are deliverable? Of course they're deliverable, if you send the email to a backup MX server, of course it's deliverable (for most—I'm sure there are a few exceptions).
But this is something I need to look into …