Basically we got hardcore hammered by a spammer sending literally hundreds of e-mails a SECOND to the server to random addresses. This turned into a denial of service because ClamAV was scanning and rejecting the attachments on the 'catchall' account -- the one where rejected letters get stored.
First I banned the IP address region using iptables, then I set up the mail server to discard e-mail attachments on mails not sent to actual accounts on the server. Combined it has reduced the server load to.. uhm... a total joke.
top - 07:14:36 up 10 days, 9:29, 1 user, load average: 0.04, 0.08, 0.22
Tasks: 147 total, 1 running, 146 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.3%us, 0.2%sy, 0.0%ni, 96.5%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1995264k total, 1715444k used, 279820k free, 85604k buffers
Swap: 5847620k total, 105276k used, 5742344k free, 1072408k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19628 www-data 20 0 359m 23m 9012 S 2 1.2 0:00.19 apache2
19637 www-data 20 0 358m 23m 9124 S 1 1.2 0:00.26 apache2
19654 www-data 20 0 356m 22m 8476 S 1 1.2 0:00.25 apache2
10313 mysql 20 0 459m 200m 7500 S 1 10.3 14:29.69 mysqld
1843 ntp 20 0 38332 696 568 S 0 0.0 0:56.88 ntpd
11245 root 20 0 19196 1420 980 R 0 0.1 2:58.93 top
1 root 20 0 8352 300 268 S 0 0.0 0:12.72 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0 0.0 0:01.45 migration/0
4 root 20 0 0 0 0 S 0 0.0 0:05.39 ksoftirqd/0
5 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/0
6 root RT 0 0 0 0 S 0 0.0 0:01.34 migration/1
7 root 20 0 0 0 0 S 0 0.0 0:02.63 ksoftirqd/1
8 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/1
9 root 20 0 0 0 0 S 0 0.0 0:14.74 events/0
10 root 20 0 0 0 0 S 0 0.0 0:11.64 events/1
11 root 20 0 0 0 0 S 0 0.0 0:00.00 cpuset
MUCH better, and what it should be on a Sunday morning with ~70 or so people online at once. (though I still laugh at how half that much traffic used to bury us when we were on a dual Xeon with twice the RAM)
We were looking at 100% IOWAIT during the attack with ClamAV scanning stuff and postfix trying to deal with the volume of input. For some reason I cannot fathom they just kept hammering us hard with inbound mails to made-up addresses. They were all bouncing into the black-hole "catchall" account, so I have no clue what they were trying to accomplish APART from shutting us down.
It was cute how many of the accounts it was trying to send to were ... infamous FORMER forum account names with @classicbattletech.com tacked onto the end... as in the Permabanned, no longer welcome or fled for not fitting in, and people who in the past have been problem cases in terms of hacking/circumventing or just being royal pains in my backside. It's also VERY suspect as... well, I can't say more until I glean more proof out of the server logs and consult with.. uhm... a certain organization. (here's a hint, some people call it the party van)
... and apparently they all need debt relief, problems with their PayPal accounts that require sending your credit card number to a website that has nothing to do with PayPal, and of course Viagra. Everybody needs Viagra... NOT.
For the past... six to eight months it's like we've had this giant bullseye painted on us -- I'm spending a good two hours a day now just trying to keep things afloat on the back-end... though it LOOKS like I might be able to take a day off now.
... and remember, if a SPAM attack lasts for more than 8 hours, consult a professional.
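An added example, not from the original post or that server: a small Python check that flags a client IP flooding mail at non-existent recipients (the pattern that filled the catchall account above). It assumes a simplified, constructed log line format rather than real Postfix syntax, and the IPs and addresses in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format (assumption, not real Postfix syntax):
#   <ISO timestamp> client=<ip> to=<recipient> local=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) to=<(?P<rcpt>[^>]+)> local=(?P<local>yes|no)$"
)

def parse_line(line):
    """Return (timestamp, ip, recipient, is_local) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], m["local"] == "yes")

def find_catchall_floods(lines, window=timedelta(seconds=1), threshold=5):
    """Flag client IPs that push >= threshold mails to unknown recipients inside
    any span of length `window`. Returns {ip: (peak_in_window, distinct_rcpts)}."""
    events = defaultdict(list)  # ip -> [(ts, rcpt)] for non-local recipients only
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3]:  # skip garbage and mail to real accounts
            continue
        ts, ip, rcpt, _ = rec
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, recs in events.items():
        recs.sort()
        peak, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({r for _, r in recs}))
    return flagged

# Constructed sample log: one flooding client, one legitimate sender, one stray typo.
SAMPLE_LOG = """\
2011-07-10T07:10:00 client=203.0.113.7 to=<banned_user1@example.test> local=no
2011-07-10T07:10:00 client=203.0.113.7 to=<banned_user2@example.test> local=no
2011-07-10T07:10:00 client=203.0.113.7 to=<xk9q2@example.test> local=no
2011-07-10T07:10:00 client=198.51.100.4 to=<webmaster@example.test> local=yes
2011-07-10T07:10:01 client=203.0.113.7 to=<zz1@example.test> local=no
2011-07-10T07:10:01 client=203.0.113.7 to=<banned_user1@example.test> local=no
2011-07-10T07:10:01 client=203.0.113.7 to=<qq7@example.test> local=no
2011-07-10T07:10:03 client=192.0.2.9 to=<typo@example.test> local=no
2011-07-10T07:10:09 client=192.0.2.9 to=<typo2@example.test> local=no
not a log line at all
"""

if __name__ == "__main__":
    print(find_catchall_floods(SAMPLE_LOG.splitlines()))
```

Flagged IPs are candidates for the iptables block; the distinct-recipient count separates a dictionary-style flood from one real user mistyping an address repeatedly.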