Re: OT: Email Spam a bit of Hell

This WebDNA talk-list message is from

2004

It keeps the original formatting. numero = 57872
interpreted = N
texte = I dealt with this issue last year. A spammer was using random account names@ my client's domain name like: dsicheb@domain.com. We were getting a ton ofbounce backs to the client domain that were slowing the EIMS server quite abit. We simply disabled the domain for a couple of days to weather thestorm.On 5/17/04 8:06 AM, "Alex McCombie" wrote:> I figured if nothing else you guys might relate to this. At best you might> have some ideas that I havent tried.> > This weekend I noticed some unusual activity on the server. Essentially my> EIMS server (email) was going crazy. Now I take great care in keeping all> open relays locked down so even though at first it looked like a relay> attack it turned out to be something completely different.> > SMTP connections from email servers all over the world were constantly> slamming the machine. At first I started looking at the Ips but they offered> no common pattern. Since I keep the number of smtp connection limited, the> mail server was becoming essentially useless since the SMTP connection limit> was constantly maxed.> > Sooooo, doing some check to see what the hell was going on I checked the> error logs discovered that each smtp connection was trying to send email to> a not existing account at one of my domains (one of my primary domains to> make matters worse). They would get an smtp connection and then sit there> until the server returned a 550 error (not valid address), only to be> instantly replaced by the next random SMTP.> > So in an effort to see WTF, I enabled the mail account and forwarded it to> me briefly. Immediately my account was flooded with "FAILED to DELIVER"> messages for some spam message. Some of the better returns showed> originating IP's overseas. But remember, these message had nothing to do> with us or our server but rather simply had a wrong reply to address (a> invalid account on my primary domain).> > Shoot me.> > I tried opening the account up thinking I would just field the bounce> backs... But after thousands it was clear this was not your average spam> mailing and I might be dealing with hundreds of thousands or more! And of> course the whole time these bounce back are maxing out the servers ability> to receive email.> > So what's a poor bastard to do?> > Basically the only thing I could come up with was to first reprogram any of> the forms across various sites that used the domain name for form mail. That> cleaned up all but one email account (the one on all our letterhead and> business cards :-( and then change the NDS records to point the MX record to> another machine. Currently that machine does NOT have an email server on it> so the connections arent going anywhere. Not sure I should even bother to> try and set it up...> > > Sometime around 3 am or so I started seeing the first noticeable difference> in email responsiveness as the dns pointed the thousands of mail servers off> to a uncaring IP.> > Just hell. Its amazing how someone else's BS action can all but crush a> network.> > > Anyway, I guess this isnt a cry for help as much as it is one for pity ..lol> If anyone has another idea I would love to hear it because I racked my brain> trying to dig out from under this. I figure I will let the DNS sit for 2-3> days before I hold my breath and point it back.> > > My Monday started last night at 6pm...> > I am tired ;-)> !!!!> Alex-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

Re: OT: Email Spam a bit of Hell ( Clint Davis 2004)
OT: Email Spam a bit of Hell ( Alex McCombie 2004)

I dealt with this issue last year. A spammer was using random account names@ my client's domain name like: dsicheb@domain.com. We were getting a ton ofbounce backs to the client domain that were slowing the EIMS server quite abit. We simply disabled the domain for a couple of days to weather thestorm.On 5/17/04 8:06 AM, "Alex McCombie" wrote:> I figured if nothing else you guys might relate to this. At best you might> have some ideas that I havent tried.> > This weekend I noticed some unusual activity on the server. Essentially my> EIMS server (email) was going crazy. Now I take great care in keeping all> open relays locked down so even though at first it looked like a relay> attack it turned out to be something completely different.> > SMTP connections from email servers all over the world were constantly> slamming the machine. At first I started looking at the Ips but they offered> no common pattern. Since I keep the number of smtp connection limited, the> mail server was becoming essentially useless since the SMTP connection limit> was constantly maxed.> > Sooooo, doing some check to see what the hell was going on I checked the> error logs discovered that each smtp connection was trying to send email to> a not existing account at one of my domains (one of my primary domains to> make matters worse). They would get an smtp connection and then sit there> until the server returned a 550 error (not valid address), only to be> instantly replaced by the next random SMTP.> > So in an effort to see WTF, I enabled the mail account and forwarded it to> me briefly. Immediately my account was flooded with "FAILED to DELIVER"> messages for some spam message. Some of the better returns showed> originating IP's overseas. But remember, these message had nothing to do> with us or our server but rather simply had a wrong reply to address (a> invalid account on my primary domain).> > Shoot me.> > I tried opening the account up thinking I would just field the bounce> backs... But after thousands it was clear this was not your average spam> mailing and I might be dealing with hundreds of thousands or more! And of> course the whole time these bounce back are maxing out the servers ability> to receive email.> > So what's a poor bastard to do?> > Basically the only thing I could come up with was to first reprogram any of> the forms across various sites that used the domain name for form mail. That> cleaned up all but one email account (the one on all our letterhead and> business cards :-( and then change the NDS records to point the MX record to> another machine. Currently that machine does NOT have an email server on it> so the connections arent going anywhere. Not sure I should even bother to> try and set it up...> > > Sometime around 3 am or so I started seeing the first noticeable difference> in email responsiveness as the dns pointed the thousands of mail servers off> to a uncaring IP.> > Just hell. Its amazing how someone else's BS action can all but crush a> network.> > > Anyway, I guess this isnt a cry for help as much as it is one for pity ..lol> If anyone has another idea I would love to hear it because I racked my brain> trying to dig out from under this. I figure I will let the DNS sit for 2-3> days before I hold my breath and point it back.> > > My Monday started last night at 6pm...> > I am tired ;-)> !!!!> Alex-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Clint Davis

DOWNLOAD WEBDNA NOW!

Re: OT: Email Spam a bit of Hell

2004

Top Articles:

Related Readings: