Spam flood

2:31 pm General

It started about an hour ago, and I have now deleted 1500 bounce notifications which I’m receiving because some spammer is spoofing email addresses in a domain I own.

They’re coming in at a steady flow of about 50 a minute, and I’d really really like to make it stop. Anyone give me any hints? If I delete the MX record for the domain (there are no emails going there), will that do?

18 Responses

  1. R Says:

    Deleting your MX record will take too long to have any noticeable results (see DNS refresh time).

    On your mail server, you could just stop accepting email for that domain, or silently drop them.

  2. James Says:

    Adding an SPF record to your DNS might help a bit, but most likely, the damage has been done, so all you have to deal with are the remaining bouncebacks from here on. Generally, the first day is by far the worst, second day is nasty, but after that you’ll only have to put up with the stragglers.

    As long as you’re not on 56k, just set up some email filters and wait it out… it’s happened to me a few times this year on a few different domains. I don’t think any of the domains were added to any blacklists or anything as a result, so after a few days when the bouncebacks were all done then it was OK.

  3. Paulo Pires Says:

    AFAIK even deleting the MX entry you’d still have to wait for DNS to propagate. If I understood the situation clearly, the spammer is using your domain to send e-mail to that same domain?

    Well, why not set up authenticated SMTP? This way you would relay only authenticated SMTP connections and not just the ones from your domain.

    Cheers,
    PP

  4. Ross Burton Says:

    Don’t accept mail for postmaster for a day?

  5. Ross Burton Says:

    But yeah, I think you can just delete the MX record and the mails will bounce again. 🙂

  6. Ryan Says:

    I don’t think that would help – don’t mailers use the A record if there is no MX record?

  7. n/a Says:

    Set up SPF on the domain to say that it doesn’t send mail (or add a trusted SMTP server). Might reduce some of the volume at least.

  8. Patrys Says:

    Missing MX record = MX IP same as @ in DNS zone – won’t be that helpful 😉

  9. Paulo Pires Says:

    Things like deleting DNS records, blocking bounce notifications, bla bla bla.. won’t stop the SPAM.

    SMTP Relay and SMTP-Auth are the hint words in this case 🙂

  10. niq Says:

    Set the MX record to 127.0.0.something. Or a private address (192.168.*.* or somesuch).

    In the meantime, can your MTA just reject based on recipient address in the envelope address?

  11. Marcus Says:

    I have a similar problem from time to time. I am looking at using Sender Policy Framework but haven’t got very far with it yet.

  12. ovitters Says:

    Yeah, often mail software falls back to the A record if no MX can be found. Just set it to 127.0.0.1, or don’t accept mail for that domain.

  13. Florian Steinel Says:

    Something like this?
    http://ietfreport.isoc.org/idref/draft-delany-nullmx/

  14. Dave Says:

    Are the emails all going to the same address or to multiple addresses at your domain? Would turning off the “catch all” facility help (so that you only get emails for real accounts rather than anything@yourdomain)?

  15. Justin Haygood Says:

    Maybe add an SPF record? The emails will stop bouncing by mail servers that support it, since they’ll know the originating domain didn’t send the email in the first place.
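The SPF mechanism several commenters mention works as follows: the receiving server fetches the domain's SPF TXT record and evaluates the connecting IP against it, so a domain that publishes `v=spf1 -all` tells every SPF-aware receiver that no host is allowed to send for it, and those receivers can reject the forgery up front instead of bouncing it back. The evaluator below is an added example (not code from the post or its commenters) that implements the offline part of that check for the `ip4`, `ip6` and `all` mechanisms; the record text and sender IP are passed in directly, so it runs without DNS, and the sample records and addresses are constructed.

```python
"""Minimal SPF evaluator: ip4, ip6 and all mechanisms with +, -, ~, ? qualifiers.

Added example, not part of the original post. Mechanisms that need DNS
(a, mx, include, exists, ptr) are deliberately reported as "permerror"
so the function never silently passes a record it did not evaluate.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against an SPF record string.

    Returns "pass", "fail", "softfail" or "neutral" from the first matching
    mechanism, "none" if the text is not an SPF record, "permerror" for a
    mechanism this offline evaluator cannot resolve, and "neutral" when no
    mechanism matched and there is no "all" term (the RFC 7208 default).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # "ip4:203.0.113.0/24" -> ("ip4", "203.0.113.0/24")
        name = name.lower()

        if name == "all":                    # "all" always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)   # bare IP becomes /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                   # needs DNS; out of scope for this offline example

    return "neutral"


# Constructed records for a domain that sends no mail at all, and one with a single outbound range.
NO_MAIL_RECORD = "v=spf1 -all"
ONE_RANGE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for rec, ip in [(NO_MAIL_RECORD, "198.51.100.7"),
                    (ONE_RANGE_RECORD, "203.0.113.9"),
                    (ONE_RANGE_RECORD, "198.51.100.7")]:
        print(f"{rec!r:55} {ip:16} -> {check_spf(rec, ip)}")
```

With `v=spf1 -all` every connecting address evaluates to `fail`, which is exactly what a receiver needs in order to refuse the forged message during the SMTP session rather than accept it and generate a bounce. Receivers that do not check SPF will keep bouncing, which is why the comments above describe SPF as reducing the volume rather than stopping it.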

  16. Nermal Says:

    Same thing happened to me today at around the same time after being spam free for 4 years 😐

    I’ve told my Exim mail server to discard (silently drop) any emails that get over 15 points in SpamAssassin and that seems to be working nicely.

    You might have to collect a few and then feed them to SpamAssassin with the --spam switch so it knows they are spam.

  17. Thomas Says:

    Just drop the domain from your mailer’s list of local domains. That will get them a relaying denied double bounce, but hey. (DNS takes too long to flush caches.)

  18. Dennis Krul Says:

    I’ve had the same problem…

    Removing the MX won’t help because lots of mailservers have it cached anyway and it’ll take a while for the changes to propagate.

    I just removed the catch-all email address from that particular domain for a while. That’s the easiest solution.

    If you’d still like to receive mail on some addresses that are currently spammed with mail delivery errors, you should block mail from mailer-daemon@ addresses. If you use Postfix you could do something like this.

    Put in your main.cf the following line:
    smtpd_sender_restrictions = regexp:/etc/postfix/sender_restrictions

    And put in /etc/postfix/sender_restrictions:
    # Postfix regexp tables match case-insensitively by default; the original
    # "!/mailer-daemon@/ OK" only permitted non-matching senders and let
    # mailer-daemon@ fall through to the implicit permit, so it did nothing.
    /mailer-daemon@/ REJECT Bounce notifications not accepted for this domain

    (haven’t tested this, but should work)

    Training the bayesian filter of spamassassin with legitimate mail (mail delivery errors are legitimate) won’t do you any good. So I strongly recommend against that.
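Blocking on the sender address, as suggested in this comment, has a gap that a practitioner should know about: a standards-conforming delivery status notification is sent with an empty envelope sender (`MAIL FROM:<>`), and "mailer-daemon@" usually appears only in the From header, so an envelope-sender rule misses many real bounces. The classifier below is an added example (not code from the post or any commenter) that instead looks inside the bounce: it parses the multipart/report structure, pulls out the quoted original message, and treats the bounce as backscatter unless that original carries a Message-ID from our own domain. The assumption, labelled in the code, is that our own MTA stamps every outbound message with a Message-ID ending in "@example.org"; the domain name and the three sample messages are constructed. This also addresses the last point in this comment: genuine bounces for mail we really sent are kept, so nothing legitimate is fed to a spam filter as spam.

```python
"""Separate genuine bounces from backscatter by inspecting the quoted original.

Added example, not part of the original post. Assumption: every message our
MTA sends carries a Message-ID ending in "@" + OUR_DOMAIN, so a bounce whose
quoted original lacks such an ID was for a forged message we never sent.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUR_DOMAIN = "example.org"          # hypothetical: the domain being spoofed
BOUNCE_SENDER_RE = re.compile(r"\b(mailer-daemon|postmaster)@", re.IGNORECASE)


def is_bounce(msg: EmailMessage) -> bool:
    """True for a DSN (multipart/report) or a mail from a bounce generator address."""
    if msg.get_content_type() == "multipart/report":
        return True
    if str(msg.get("Return-Path", "")).strip() == "<>":   # null reverse path (RFC 5321 4.5.5)
        return True
    return bool(BOUNCE_SENDER_RE.search(str(msg.get("From", ""))))


def original_message(msg: EmailMessage):
    """Return the quoted original from a DSN: a full message/rfc822 part, or
    just its headers when the reporting MTA only included text/rfc822-headers."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)         # payload is a one-element list of messages
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify(raw: str) -> str:
    """Return "not-a-bounce", "genuine-bounce" or "backscatter" for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    orig = original_message(msg)
    if orig is None:
        return "backscatter"                   # no evidence of what bounced: drop it
    msg_id = str(orig.get("Message-ID", "")).strip().rstrip(">").lower()
    if msg_id.endswith("@" + OUR_DOMAIN):
        return "genuine-bounce"
    return "backscatter"


# Constructed sample messages. The first is a bounce for a spammer's forgery:
# the original's Message-ID was minted on some other host, not by our MTA.
BACKSCATTER = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; victim@example.net
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

From: alice@example.org
To: victim@example.net
Subject: cheap pills
Message-ID: <4f2c@zombie-pc.invalid>

buy now
--B1--
"""

# Same structure, but the original really left our server (Message-ID in our domain).
GENUINE = BACKSCATTER.replace("<4f2c@zombie-pc.invalid>", "<20240101.1234@example.org>")

NORMAL = """\
From: bob@example.net
To: alice@example.org
Subject: lunch?

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in [("backscatter", BACKSCATTER), ("genuine", GENUINE), ("normal", NORMAL)]:
        print(f"{label:12} -> {classify(raw)}")
```

Wired into a content filter, only messages classified as `backscatter` would be discarded; `genuine-bounce` results still reach the mailbox, which keeps real delivery failures visible while the flood is running. The Message-ID check is a heuristic chosen for this example because it needs no extra infrastructure; it depends entirely on the assumption stated in the lead-in, and a forger who copies a real Message-ID from our domain would slip past it.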
