Did you check the source IP in the headers? My logs show that they are coming from a buncha residential IP addresses so its prolly a bot network doing it. Most of the messages going through our servers with that have the domain lifeleaksfromyo.com in it which is causing the messages to fail in our servers. You can always try the rbl that lists a lot of residential IP's in it...i think it's the PBL from spamhaus. That would help limit it, and blocking emails with the domain lifeleaksfromyo.com.... Other then that I'm out of ideas. What spam appliance are you using? Raymond Corbin HostMySite.com 877.215.4678 -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Martin Hannigan Sent: Thursday, September 27, 2007 7:32 PM To: nanog@merit.edu Subject: DDoS Question Folks, I'm receiving about 25K spams per minute with this subject: Subject: "Looking for Sex Tonight? Curtis Blackman" They randomize the name on the subject line. Is this any particular virus/malware/zombie signature and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)? This happened right around the time I started securing the name server infrastructure with BIND upgrades and recursor/authoritative NS splitting. :-) Best, Marty