Re: OT: Email Spam a bit of Hell
This WebDNA talk-list message is from 2004
It keeps the original formatting.
Message number: 57872
I dealt with this issue last year. A spammer was using random account names @ my client's domain name like: dsicheb@domain.com. We were getting a ton of bounce-backs to the client domain that were slowing the EIMS server quite a bit. We simply disabled the domain for a couple of days to weather the storm.

On 5/17/04 8:06 AM, "Alex McCombie" wrote:

> I figured if nothing else you guys might relate to this. At best you might
> have some ideas that I haven't tried.
>
> This weekend I noticed some unusual activity on the server. Essentially my
> EIMS server (email) was going crazy. Now I take great care in keeping all
> open relays locked down, so even though at first it looked like a relay
> attack, it turned out to be something completely different.
>
> SMTP connections from email servers all over the world were constantly
> slamming the machine. At first I started looking at the IPs but they offered
> no common pattern. Since I keep the number of SMTP connections limited, the
> mail server was becoming essentially useless since the SMTP connection limit
> was constantly maxed.
>
> Sooooo, doing some checks to see what the hell was going on, I checked the
> error logs and discovered that each SMTP connection was trying to send email
> to a non-existent account at one of my domains (one of my primary domains, to
> make matters worse). They would get an SMTP connection and then sit there
> until the server returned a 550 error (not valid address), only to be
> instantly replaced by the next random SMTP.
>
> So in an effort to see WTF, I enabled the mail account and forwarded it to
> me briefly. Immediately my account was flooded with "FAILED to DELIVER"
> messages for some spam message. Some of the better returns showed
> originating IPs overseas. But remember, these messages had nothing to do
> with us or our server but rather simply had a wrong reply-to address (an
> invalid account on my primary domain).
>
> Shoot me.
>
> I tried opening the account up thinking I would just field the bounce-backs...
> But after thousands it was clear this was not your average spam
> mailing and I might be dealing with hundreds of thousands or more! And of
> course the whole time these bounce-backs are maxing out the server's ability
> to receive email.
>
> So what's a poor bastard to do?
>
> Basically the only thing I could come up with was to first reprogram any of
> the forms across various sites that used the domain name for form mail. That
> cleaned up all but one email account (the one on all our letterhead and
> business cards :-( ) and then change the DNS records to point the MX record to
> another machine. Currently that machine does NOT have an email server on it,
> so the connections aren't going anywhere. Not sure I should even bother to
> try and set it up...
>
> Sometime around 3 am or so I started seeing the first noticeable difference
> in email responsiveness as the DNS pointed the thousands of mail servers off
> to an uncaring IP.
>
> Just hell. It's amazing how someone else's BS action can all but crush a
> network.
>
> Anyway, I guess this isn't a cry for help as much as it is one for pity ..lol
> If anyone has another idea I would love to hear it because I racked my brain
> trying to dig out from under this. I figure I will let the DNS sit for 2-3
> days before I hold my breath and point it back.
>
> My Monday started last night at 6pm...
>
> I am tired ;-)
> !!!!
> Alex

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list.
To unsubscribe, e-mail to:
To switch to the DIGEST mode, e-mail to:
Web archive of this list is at: http://webdna.smithmicro.com/
Clint Davis
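The bounce storm Alex describes is classic backscatter: a spammer forges sender addresses at the victim's domain, and every remote MTA that accepts the spam and then cannot deliver it returns a delivery-status notification to the forged address. Two properties follow from that mechanism and both are useful when you are trying to confirm what is hitting you: the notifications arrive from a large number of unrelated MTAs rather than from one source, and a standards-conforming bounce is sent with a null envelope sender (MAIL FROM:<>). The script below is an added example, not code from the thread or from EIMS; it parses a constructed, generic log line format (EIMS's real log layout is not shown on this page, so the format and the sample lines are assumptions) and flags rejected local recipients that fit the backscatter pattern rather than, say, a single host running a dictionary attack.

```python
"""Flag SMTP backscatter targets in mail-server log lines.

Added example, not from the original thread.  The log format is a made-up,
generic one (the real EIMS format is not shown on the page):

    <date> <time> <client-ip> MAIL FROM:<sender> RCPT TO:<recipient> <status>
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"MAIL FROM:<(?P<sender>[^>]*)> RCPT TO:<(?P<rcpt>[^>]+)> (?P<status>\d{3})$"
)

# Constructed sample (hypothetical IPs and addresses): many unrelated remote
# MTAs, null or postmaster envelope senders as bounces carry, all aimed at the
# same few non-existent local mailboxes, plus one legitimate accepted message.
SAMPLE_LOG = """\
2004-05-17 02:01:03 198.51.100.7 MAIL FROM:<> RCPT TO:<dsicheb@example.com> 550
2004-05-17 02:01:04 203.0.113.19 MAIL FROM:<> RCPT TO:<dsicheb@example.com> 550
2004-05-17 02:01:04 192.0.2.45 MAIL FROM:<> RCPT TO:<qwpxzl@example.com> 550
2004-05-17 02:01:05 198.51.100.88 MAIL FROM:<postmaster@remote.example> RCPT TO:<dsicheb@example.com> 550
2004-05-17 02:01:06 203.0.113.200 MAIL FROM:<> RCPT TO:<dsicheb@example.com> 550
2004-05-17 02:01:07 192.0.2.9 MAIL FROM:<alice@partner.example> RCPT TO:<sales@example.com> 250
2004-05-17 02:01:08 198.51.100.3 MAIL FROM:<> RCPT TO:<qwpxzl@example.com> 550
2004-05-17 02:01:09 203.0.113.77 MAIL FROM:<> RCPT TO:<dsicheb@example.com> 550
"""

BOUNCE_SENDER_PREFIXES = ("postmaster@", "mailer-daemon@")


def parse(log_text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def looks_like_bounce(sender):
    """A DSN is required to use the null reverse-path; some older MTAs use
    postmaster/mailer-daemon instead, so treat those as bounce-like too."""
    s = sender.lower()
    return s == "" or s.startswith(BOUNCE_SENDER_PREFIXES)


def backscatter_report(log_text, min_sources=3):
    """Return {recipient: stats} for 550-rejected recipients that were hit
    from at least `min_sources` distinct client IPs.

    The distinct-source count is what separates backscatter (thousands of
    innocent MTAs returning bounces) from one spammer probing a mailbox list.
    """
    sources = defaultdict(set)
    bounce_like = Counter()
    total = Counter()
    for r in parse(log_text):
        if r["status"] != "550":
            continue
        rcpt = r["rcpt"].lower()
        total[rcpt] += 1
        sources[rcpt].add(r["ip"])
        if looks_like_bounce(r["sender"]):
            bounce_like[rcpt] += 1

    report = {}
    for rcpt, n in total.items():
        if len(sources[rcpt]) >= min_sources:
            report[rcpt] = {
                "rejections": n,
                "distinct_sources": len(sources[rcpt]),
                "bounce_like_fraction": bounce_like[rcpt] / n,
            }
    return report


if __name__ == "__main__":
    for rcpt, stats in backscatter_report(SAMPLE_LOG).items():
        print(f"{rcpt}: {stats['rejections']} rejections from "
              f"{stats['distinct_sources']} hosts, "
              f"{stats['bounce_like_fraction']:.0%} bounce-like senders")
```

On the constructed sample only dsicheb@example.com crosses the three-source threshold; qwpxzl@example.com is rejected twice from two hosts and stays below it until `min_sources` is lowered. A high `bounce_like_fraction` together with a high `distinct_sources` count is the signature to look for. Note that the 550 at RCPT TO is already the cheap response: the server is not accepting and then bouncing, so what is left to consume is the connection slot itself, which is why the thread ends up pointing the MX elsewhere rather than filtering content.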