Spam flood
September 27, 2007 2:31 pm GeneralIt started about an hour ago, and I have now deleted 1500 bounce notifications which I’m receiving because some spammer is spoofing email addresses in a domain I own.
They’re coming in at a steady flow of about 50 a minute, and I’d really really like to make it stop. Anyone give me any hints? If I delete the MX record for the domain (there are no emails going there), will that do?
September 27th, 2007 at 2:52 pm
Deleting your MX record will take too long to have any noticeable results (see DNS refresh time).
On your mail server, you could just stop accepting email for that domain, or silently drop them.
September 27th, 2007 at 3:25 pm
Adding an SPF record to your DNS might help a bit, but most likely, the damage has been done, so all you have to deal with are the remaining bouncebacks from here on. Generally, the first day is by far the worst, second day is nasty, but after that you’ll only have to put up with the stragglers.
As long as you’re not on 56k, Just set up some email filters and wait it out… it’s happened to me a few times this year on a few different domains. I don’t think any of the domains were added to any blacklists or anything as a result, so after a few days when the bouncebacks were all done then it was OK.
September 27th, 2007 at 3:25 pm
AFAIK even deleting the MX entry you’d still have to wait for DNS to propagate. If I understood the situation clearly, the spammer is using your domain to send e-mail to that same domain?
Well why not put authenticated-SMTP? This way you would relay only authenticated smtp connections and not just the ones from your domain.
Cheers,
PP
September 27th, 2007 at 3:26 pm
Don’t accept mail for postmaster for a day?
September 27th, 2007 at 3:26 pm
But yeah, I think you can just delete the MX record and the mails will bounce again. 🙂
September 27th, 2007 at 3:27 pm
I don’t think that would help – don’t mailers use the A record if there is no MX record?
September 27th, 2007 at 3:27 pm
Set up SPF on the domain to say that it doesn’t send mail (or add a trusted SMTP server). Might reduce some of the volume at least.
September 27th, 2007 at 3:28 pm
Missing MX record = MX IP same as @ in DNS zone – won’t be that helpful 😉
September 27th, 2007 at 3:46 pm
Things like deleting DNS records, blocking bounce notifications, bla bla bla.. won’t stop the SPAM.
SMTP Relay and SMTP-Auth are the hint words in this case 🙂
September 27th, 2007 at 4:04 pm
Set the MX record to 127.0.0.something. Or a private address (192.168.*.* or somesuch).
In the meantime, can your MTA just reject based on recipient address in the envelope address?
September 27th, 2007 at 4:34 pm
I have a similar problem from time to time. I am looking at using Sender Policy Framework but haven’t got very far with it yet.
September 27th, 2007 at 5:08 pm
Yeah, often mailsoftware falls back to the A record if no MX can be found. Just set it to 127.0.0.1, or don’t accept mail for that domain.
September 27th, 2007 at 6:25 pm
Something like this?
http://ietfreport.isoc.org/idref/draft-delany-nullmx/
September 27th, 2007 at 8:17 pm
Are the emails all going to the same address or to multiple addresses at your domain? Would turning off the “catch all” facility help (so that you only get emails for real accounts rather than anything@yourdomain)?
September 27th, 2007 at 8:56 pm
Maybe add an SPF record? The emails will stop bouncing by mail servers that support it, since they’ll know the originating domain didn’t send the email in the first place.
September 27th, 2007 at 9:45 pm
Same thing happened to me today at around the same time after being spam free for 4 years 😐
I’ve told my exim mail server to discard (silently drop) any emails that get over 15 points in spam assassin and that seems to be working nicely.
You might have to collect a few and then feed them to spamassassin with the –spam switch so it knows they are spam.
September 28th, 2007 at 7:54 am
Just drop the domain in your mailer’s list of local domains. That will get them a relaying denied double bounce, but hey. (DNS takes to long to flush caches.)
September 28th, 2007 at 8:39 am
I’ve had the same problem…
Removing the MX won’t help because lots of mailservers have it cached anyway and it’ll take a while for the changes to propagate.
I just removed the catch-all email address from that particular for a while. That’s the easiest solution.
If you still like to receive mail on some addresses that are currently spammed with mail delivery errors, you should block mail from mailer-daemon@ addresses. If you use postfix you could do something like this.
Put in your main.cf the following line:
smtpd_sender_restrictions = regexp:/etc/postfix/sender_restrictions
And put in /etc/postfix/sender_restrictions:
!/mailer-daemon@/ OK
(haven’t tested this, but should work)
Training the bayesian filter of spamassassin with legitimate mail (mail delivery errors are legitimate) won’t do you any good. So I strongly recommend against that.