The most recent CERT Advisory, dated Tue, 23 Jul 1996 14:23:50 -0400,
contains information on email spamming and email bombing. The ftp
address for the documents is:

    ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
    ftp://info.cert.org/pub/tech_tips/email_spoofing

Of interest, from the first document:

    3.3.1. Develop in-house tools to help you recognize and respond to the
           email bombing/spamming and so minimize the impact of such
           activity. The tools should increase the logging capabilities
           and check for and alert you to incoming/outgoing messages that
           originate from the same user or same site in a very short span
           of time. Once you identify the activity, you can use other
           in-house tools to discard the messages from the offending
           users or sites.

Sounds like a reasonable application for procmail ...

        John

BTW, further interesting sections:

    3.2.1. Identify the source of the email bomb/spam and configure your
           router (or have your Network Service Provider configure the
           router) to prevent incoming packets from that address.

           Review email headers to determine the true origin of the email.
           Review the information related to the email bomb/spam following
           relevant policies and procedures of your organization.

    3.2.2  Follow up with the site(s) you identified in your review to
           alert them to the activity. Contact them to alert them to the
           activity.

           NOTE: When contacting these sites, keep in mind that the abuser
           may be trying to hide their identity.

           We would appreciate a cc to "cert(_at_)cert(_dot_)org" on your
           messages; this facilitates our work on incidents and helps us
           relate ongoing intruder activities.

And:

    4.1. ...
           U.S. sites interested in an investigation of this activity can
           contact the FBI:

               FBI National Computer Crimes Squad
               Washington, DC
               +1 202 324-9164

--
John Conover, 631 Lamont Ct., Campbell, CA., 95008, USA.
VOX 408.370.2688, FAX 408.379.9602
john(_at_)johncon(_dot_)com
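
The kind of in-house check that section 3.3.1 describes, as an added example that is not part of the original message or of the CERT document: a sliding-window counter that flags any sender or sending site exceeding a message limit in a short span of time. The log line layout, the `limit` and `window_seconds` values, and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp from=<addr>" layout.
# A real MTA log is laid out differently and needs its own pattern.
SAMPLE_LOG = "\n".join(
    [f"1996-07-23T14:00:{s:02d} from=<bomber@flood.example>" for s in range(0, 16, 2)]
    + [f"1996-07-23T14:05:{10 * i:02d} from=<user{i}@bulk.example>" for i in range(6)]
    + ["1996-07-23T14:10:00 from=<alice@example.org>", "not a log line",
       "1996-07-23T15:10:00 from=<alice@example.org>"]
)
LINE_RE = re.compile(r"^(\S+) from=<([^@>\s]+)@([^@>\s]+)>$")

def parse(log_text):
    """Yield (timestamp, sender, site) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # malformed timestamp: ignore the line rather than abort
        user, site = m.group(2).lower(), m.group(3).lower()
        yield ts, f"{user}@{site}", site

def find_bursts(log_text, limit=5, window_seconds=60):
    """Return {(kind, name): peak_count} for users/sites over `limit` in the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (kind, name) -> timestamps still inside the window
    peaks = {}
    for ts, sender, site in sorted(parse(log_text)):
        for key in (("user", sender), ("site", site)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop entries older than the window
                q.popleft()
            if len(q) > limit:
                peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (kind, name), count in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"ALERT {kind} {name}: {count} messages within 60s")
```

Counting per site as well as per user catches the case where many different addresses at one site each send only a message or two; the flagged names are candidates for the discard step, after the header review the advisory recommends.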