attack and same mails downloaded many times

[leonardo99]

in the last days our customers have a great problem; many times (not each time) they do the download of the mails, they're downloaded twice or even more;
when I look at the logs in order to find the problem, I see there is probably an attack (I suppose DOS) to one of the domains; there are arriving a lot of mails to user which are not present on that domain;
in most cases it is a real user name, but added with random-chars at the end; due to this attack I think that the CPU is overloaded and AMS is not able to work the usual way;
what should we do to solve this problem?

Tue, 13 Oct 2009 08:56:15 -> 83.208.247.210 -> Failed: Action=[Received Recipient], Details=[angqynw@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 112.145.205.127 -> Failed: Action=[Received Recipient], Details=[oswald.langbojw@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 113.199.176.0 -> Failed: Action=[Received Recipient], Details=[oswald.langqwfh@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 190.173.223.232 -> Failed: Action=[Received Recipient], Details=[oswald.langpswh@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 112.145.205.127 -> Failed: Action=[Received Recipient], Details=[oswald.langbpbc@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 210.222.25.183 -> Failed: Action=[Received Recipient], Details=[oswald.langorvq@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 210.222.25.183 -> Failed: Action=[Received Recipient], Details=[oswald.langorrm@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 190.173.223.232 -> Failed: Action=[Received Recipient], Details=[oswald.langptmz@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 190.173.223.232 -> Failed: Action=[Received Recipient], Details=[oswald.langpthl@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 113.199.176.0 -> Failed: Action=[Received Recipient], Details=[oswald.langqwgq@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 58.64.56.133 -> Failed: Action=[Received Recipient], Details=[oswald.langqkdw@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 58.64.56.133 -> Failed: Action=[Received Recipient], Details=[oswald.langqjzx@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 212.104.124.189 -> Failed: Action=[Received Recipient], Details=[oswald.langxaqg@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 212.104.124.189 -> Failed: Action=[Received Recipient], Details=[oswald.langxbba@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 212.104.124.189 -> Failed: Action=[Received Recipient], Details=[oswald.langxajw@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 212.104.124.189 -> Failed: Action=[Received Recipient], Details=[oswald.langxawe@domain.it: Relaying not permitted.]
Tue, 13 Oct 2009 08:56:15 -> 113.199.176.0 -> Failed: Action=[Received Recipient], Details=[oswald.langqwkq@domain.it: Relaying not permitted.]

[rob]

You CPU chart shows that the mail server is busy but not maxed out, there for there is plenty of processing power left. Of course the mail server is busy though and so there is expected to be delays on some connecitons. However, receiving of multiple emails due to this is unlikely due to the mail server works (under load things just take longer, but dont misbehave). What you can you do to avoid this type of attack, the first thing is to enable some of the SPAM features, but more espcially tarpitting. Basically these alphabet type attacks will be quickly reflected by tar pitting as the failed recipient attempts will temporarily block those IP's.

[leonardo99]

ok thanks, I will try it!