Solved
Spammer is spoofing a prior employee's email for mass email campaigns and I receive 10000-50000 non-delivery reports a day due to it

Posted on 2006-05-19
Medium Priority
288 Views
Last Modified: 2010-03-06
Is there anything I can do to stop the huge amount of traffic this has created on our server:

The problem is, some spammer spoofed a prior employee user on a mass email campaign.  These emails in most cases are sent back to us as non-delivery reports or worse 'f*** you spammer' emails.    Our server has no current user in AD for this recipient anymore and responds back to them with a non-delivery report, which has since been suspended.  The traffic generated and bandwidth used is unprecedented.    Each day brings a different email spam campaign.  As a result, the volume on our server is too much, causing email bouncebacks and 1-3 hour lag times, and it's getting worse.  Our clients and customers are also getting bouncebacks when attempting to email us due to the volume.
Question by:chitchcock
12 Comments
 
LVL 10

Expert Comment

by:brakk0
ID: 16720713
One thing you can do is to set up an SPF record for your domain. Then anyone with a spam filter that checks SPF records will ignore the forged spam. See here for more info http://www.openspf.org/

You could also disable your own NDRs to help save your own bandwidth. You can enable recipient filtering so your server won't accept the NDRs to the non-existent user.

The only other thing you can do is to try to track down the spammer and call a lawyer.
0
 

Author Comment

by:chitchcock
ID: 16720934
I did shut off NDRs through my GFI antispam directory harvesting filter.  Helps the bandwidth issue slightly.  This spammer happens to be in Hong Kong so I am not sure a lawyer would help with it.  I will check out openspf.org and get back to you
0
 

Author Comment

by:chitchcock
ID: 16721209
I didn't realize my GFI antispam has an SPF filter on it and it's enabled already.  Can you think of any other suggestions?  I will probably contact my ISP and see if they can block this stuff prior to it hitting my domain.
0
 
LVL 10

Assisted Solution

by:brakk0
brakk0 earned 800 total points
ID: 16721734
The way SPF filtering works is this.
You add entries to the DNS for your domain (whatever.com) that say what IP addresses are allowed to send email for your domain. You can also enable SPF filtering that will check the domain on emails you receive. If the domain doesn't have an SPF record, by default your mail server will accept the message. If they have an SPF record and the sender's IP doesn't match, it rejects the mail (and if they have an SPF record and it matches, the mail is accepted).

There are two parts to it. You are using SPF filtering which checks other domains and helps block spam you receive. That is good, but will not help in this situation. You want to make sure you have the SPF records set up in DNS for your domain so that other sites that check will ignore email that is not from you.

0
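The two halves brakk0 describes (publishing a record for your own domain, and checking other domains' records on inbound mail) can be seen end to end in a small evaluator. The following is an added example, not code from the thread or from any SPF library: it implements the ip4, ip6, include and all mechanisms with their qualifiers, and replaces DNS with a constructed in-memory table so it runs offline. The domains, addresses and record contents are placeholders chosen for the example (whatever.com is the thread's own example name); the receiver policy at the end is the one the comment above describes, where only a hard fail is rejected and a domain with no record is accepted.

```python
"""Minimal SPF evaluator (added example; not code from the thread).

Handles the common mechanisms ip4, ip6, include and all with the
qualifiers + - ~ ? from RFC 7208. DNS is replaced by a constructed
in-memory table so the example runs offline.
"""
import ipaddress

# Constructed TXT records for hypothetical domains (placeholders, not real DNS).
# whatever.com authorises one mail server IP plus a relay provider's range.
TXT_RECORDS = {
    "whatever.com": "v=spf1 ip4:203.0.113.10 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nospf.example": None,          # a domain that publishes no SPF record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup; returns the record text or None."""
    return TXT_RECORDS.get(domain)


def check_spf(sender_ip, domain, _depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if _depth > 10:                  # RFC 7208 limits include recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                # no record: receiver falls back to accepting
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An address of one IP version is never "in" a network of the
            # other version; ipaddress returns False, which is what we want.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # An include matches only when the referenced record yields pass.
            matched = check_spf(sender_ip, arg, _depth + 1) == "pass"
        else:
            return "permerror"       # a, mx, exists, ptr, redirect= not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                 # no mechanism matched and no explicit "all"


def receiver_decision(sender_ip, mail_from_domain):
    """Receiving-side policy as described in the thread: reject only on a
    hard SPF fail; accept when the domain has no record or the check passes."""
    result = check_spf(sender_ip, mail_from_domain)
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    # A forged message claiming whatever.com from an unrelated address (192.0.2.5)
    # is rejected; the same claim from the authorised server or relay passes.
    for ip, dom in [("203.0.113.10", "whatever.com"), ("198.51.100.77", "whatever.com"),
                    ("192.0.2.5", "whatever.com"), ("192.0.2.5", "nospf.example")]:
        print(f"{dom:20} from {ip:15} -> {check_spf(ip, dom):8} -> {receiver_decision(ip, dom)}")
```

The example also makes the limitation in the thread visible: the evaluator only ever runs on the receiving side, so a record published for whatever.com protects the former employee's address only at sites that perform the check, and a softfail (`~all`) from the relay's record does not propagate through an `include`, which only counts a full pass.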
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 1200 total points
ID: 16722472
Part of the problem is the account is not active. When the NDR messages come in, Exchange doesn't know what to do with them.

Try putting in to a blackhole...

Create a new distribution list on your server. Mail enable it. Don't add any members.
Add the SMTP address to the list on the email addresses tab.
What this does is allow Exchange to accept email for that address, and then send them to the list. As the list has no members, the message is simply dropped.

You need to get NDRs turned back on as soon as possible. Disabling them just hides the problem and could cause legitimate NDRs not to be sent.

Otherwise your options are rather limited. This is one of the things that SPF is supposed to deal with, but SPF isn't being used widely enough to use as a filter.

Simon.
0
 

Author Comment

by:chitchcock
ID: 16741648
Thanks guys for your help.  I like the blackhole method as it seems to be exactly what I need in this case.  CHUCK
0
 

Author Comment

by:chitchcock
ID: 16741667
Because I use SPF and have been enlightened, I will split the points with Sembee winning the question
0
 
LVL 10

Expert Comment

by:brakk0
ID: 16743478
Wouldn't recipient filtering be better than the blackhole method you suggest? With recipient filtering, it cuts off the message as soon as the sender states who it's to and doesn't wait for the whole message. With the blackhole method, it accepts the entire message then just deletes it. That wouldn't help much with bandwidth since you are still receiving the same number of messages.

Both methods, however, would help by eliminating the extra outgoing NDRs.
0
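The difference brakk0 draws here, and the accept-then-drop behaviour of the empty distribution list Sembee proposed, can be shown in a short simulation. This is an added example and not code from the thread: it plays out the server side of one SMTP delivery attempt under three policies and then totals, for a constructed burst of messages aimed at the former employee's address, how much message data the server accepts and how many NDRs it sends back out. The valid-recipient set, the blackholed address and all sender addresses are constructed placeholders.

```python
"""Where a message to an unknown address is stopped (added example, not
from the thread). Simulates one SMTP delivery attempt under three server
policies and counts the message data accepted and the NDRs sent back out.
All addresses and domains are constructed placeholders.
"""

VALID_RECIPIENTS = {"alice@whatever.com", "bob@whatever.com"}   # constructed
BLACKHOLE = {"former.employee@whatever.com"}  # the empty distribution list, constructed


def smtp_exchange(mail_from, rcpt_to, body, mode):
    """Simulate the server side of one delivery attempt.

    mode is one of:
      'accept_all'          accept for any address; an unknown one gets an NDR later
      'blackhole'           the blackholed address is accepted and silently dropped
      'recipient_filtering' unknown addresses are refused at RCPT TO, before DATA
    Returns the dialogue, bytes of DATA accepted and whether an NDR goes out.
    """
    log = []
    c = lambda line: log.append("C: " + line)
    s = lambda line: log.append("S: " + line)

    s("220 mail.whatever.com ESMTP")
    c("HELO mx.sender.example"); s("250 mail.whatever.com")
    c(f"MAIL FROM:<{mail_from}>"); s("250 2.1.0 Sender OK")
    c(f"RCPT TO:<{rcpt_to}>")

    blackholed = mode == "blackhole" and rcpt_to in BLACKHOLE
    known = rcpt_to in VALID_RECIPIENTS or blackholed
    if mode == "recipient_filtering" and not known:
        # Refused before any message data crosses the wire.
        s("550 5.1.1 User unknown")
        c("QUIT"); s("221 2.0.0 Bye")
        return {"dialogue": log, "data_bytes": 0, "outbound_ndr": False}

    s("250 2.1.5 Recipient OK")
    c("DATA"); s("354 Start mail input; end with <CRLF>.<CRLF>")
    c(f"<{len(body)} bytes of message data>"); c(".")
    s("250 2.0.0 Queued")
    c("QUIT"); s("221 2.0.0 Bye")

    delivered = rcpt_to in VALID_RECIPIENTS
    # An accepted message that cannot be delivered must be bounced, except
    # that a null reverse-path (<>) is never bounced (RFC 5321). A blackholed
    # address is "delivered" to an empty list, so nothing is bounced either.
    outbound_ndr = not delivered and not blackholed and mail_from != ""
    return {"dialogue": log, "data_bytes": len(body), "outbound_ndr": outbound_ndr}


def simulate_storm(n_messages, body_size, mode):
    """Replay a constructed burst aimed at the former employee's address and
    total the inbound data accepted and the outbound NDRs generated."""
    body = "x" * body_size
    totals = {"data_bytes": 0, "outbound_ndrs": 0}
    for i in range(n_messages):
        # Genuine NDRs arrive with a null sender; replies from annoyed
        # recipients carry a real one. Every fourth message here is a real NDR.
        sender = "" if i % 4 == 0 else f"user{i}@victim.example"
        r = smtp_exchange(sender, "former.employee@whatever.com", body, mode)
        totals["data_bytes"] += r["data_bytes"]
        totals["outbound_ndrs"] += int(r["outbound_ndr"])
    return totals


if __name__ == "__main__":
    for mode in ("accept_all", "blackhole", "recipient_filtering"):
        print(f"{mode:20} {simulate_storm(1000, 4096, mode)}")
    print("\n".join(smtp_exchange("", "former.employee@whatever.com", "hi",
                                  "recipient_filtering")["dialogue"]))
```

Run it and the totals say what the two comments say in prose: the blackhole list removes the outbound NDRs but still pays for every inbound byte, while recipient filtering stops both. The simulation is policy-only and knows nothing about a particular mail server; as Sembee notes further down, recipient filtering is only practical on Exchange 2003, and an outsourced front-end filter moves the same RCPT-time rejection off your own bandwidth entirely.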
 
LVL 104

Expert Comment

by:Sembee
ID: 16746805
Recipient filtering will not help as the Exchange server has to accept the NDR message. Recipient filtering is only practical on Exchange 2003/Windows 2003.

Blocking or disabling NDR messages should be avoided where possible as it just masks the problem. Legitimate NDR messages get caught up in those tactics.

I don't want to be the person who tells the sales manager that a large order was lost, because the sender got a single character wrong in the email address, and didn't know. They get an NDR message, they realise their mistake and send again, or call in.

Simon.
0
 

Author Comment

by:chitchcock
ID: 16750305
Technically, I need to block the emails before they get to me as they are causing Denial of Service.  Researching yesterday, I found a third party company MX Logic that will allow me to filter the information and set rules prior to it even getting here.  I had to point my DNS MX record to them; they provide the proxy and redirect to me based on my rules through a web interface.  This is really the best solution for me as it stops the mass volume of traffic that is generated both ways.  Thanks guys for your help.  CHUCK
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16755769
An outsourced solution is usually the best way of dealing with a significant problem. Postini and Message Labs are two other companies that offer the service. It will take 48 hours before it takes effect, so you will have to struggle on a bit longer.

Simon.
0
 

Author Comment

by:chitchcock
ID: 16755849
Thanks Simon for the help now and in the past.  CHUCK
0
