Saturday, December 30, 2006

Spammers... damned spammers

Here's a screenshot of a little Python application that I wrote to manage some spammers on the system. I've 'sed'ed their domains to example.com, but it basically shows how many messages are currently queued on one of our outbound SMTP servers.

Every shift, I run an application that monitors the queues, and when an individual account exceeds the maximum number of allowed egress messages, my application logs it, and removes it from the queue.

But spammers are smart little buggers, so of course they create multiple accounts and spam a little bit from each one.

My software is smart enough that it keeps track of all found spammers from the past 30 days, and simplifies their email address, then compares that to all of the email addresses in the current out queue. If the simplified "known spammer" address matches any of the current addresses, then those current addresses are treated as a single address and their queues are aggregated. If the aggregate exceeds the threshold, then all messages are removed and the synonymous accounts are flagged as spammers for later termination.

Note: The addresses in the above screen cap are the ones that come out of the filter against the known/previous offenders. Only usernames that have been previously declared spammers are aggregated.
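The aggregation described above, sketched as an added example; it is not the application from this post. The `simplify` rule (lowercase, drop any `+tag`, digits and separators from the local part), the threshold of 100 and the sample queue are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAX_QUEUED = 100  # assumed per-sender egress threshold

def simplify(address):
    """Assumed rule: lowercase, then drop +tags, digits and separators from the local part."""
    local, _, domain = address.lower().partition("@")
    local = local.split("+", 1)[0]
    local = re.sub(r"[\d._-]+", "", local)
    return f"{local}@{domain}"

def find_offenders(queue_counts, known_spammers, limit=MAX_QUEUED):
    """Return {key: (total_queued, [addresses])} for senders over the limit.

    queue_counts:   {sender address: messages currently queued}
    known_spammers: addresses flagged during the past 30 days
    """
    known_keys = {simplify(a) for a in known_spammers}
    groups = defaultdict(list)
    for addr in queue_counts:
        key = simplify(addr)
        # Only look-alikes of previous offenders are merged; every other
        # sender is still judged on its own exact address.
        groups[key if key in known_keys else addr].append(addr)
    offenders = {}
    for key, addrs in groups.items():
        total = sum(queue_counts[a] for a in addrs)
        if total > limit:
            offenders[key] = (total, sorted(addrs))
    return offenders

# Constructed sample data (not taken from a real queue).
KNOWN = ["promo99@example.com"]
QUEUE = {
    "promo01@example.com": 40,      # each promo* account is under the limit...
    "promo02@example.com": 45,
    "promo.03@example.com": 30,     # ...but together they total 115
    "newsletter@example.com": 250,  # over the limit on its own
    "j.smith1@example.com": 60,     # similar names, but no prior offence,
    "jsmith2@example.com": 60,      # so these two are not merged
    "alice@example.com": 3,
}

if __name__ == "__main__":
    for key, (total, addrs) in find_offenders(QUEUE, KNOWN).items():
        print(f"{key}: {total} queued across {', '.join(addrs)}")
```

The two `jsmith` accounts show why the merge is restricted to previous offenders: applied to every sender, the same simplification would lump unrelated users together and push them over the limit.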

Oh, and here's a little graph showing the outbound message queue on a single server. The drop was when I started work that day.