Solved

Spam is out of control

Posted on 2009-06-30
Last Modified: 2013-12-09
Hello all,

I am having a serious issue. Our company has been bombarded by spam the last two weeks. Our return address is being spoofed and sending back tons of "Delivery Failure" notifications. Along with this, we are receiving an influx of other spam (like the outlook express update email) across all domains. Here is a copy of some of the headers:

Return-Path: <exylvn75@touchstarsolutions.com>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Received: from 189.24.121.181 by mx1.swiftel.com.au (envelope-from <exylvn75@touchstarsolutions.com>, uid 64011) with qmail-scanner-1.24
(
Clear:RC:0(189.24.121.181):.
Processed in 1.183734 secs); 24 Jun 2009 13:43:16 -0000
Received: from unknown (HELO 18924121181.user.veloxzone.com.br) (189.24.121.181)
  by mx1.swiftel.com.au with SMTP; 24 Jun 2009 13:43:15 -0000
Date: Wed, 24 Jun 2009 10:42:48 -0300
Message-Id: <4748NE34763.L00B4ABRR2451@189.24.121.181.touchstarsolutions.com>
From: coles@wahlstrom.com.au
To: coles@wahlstrom.com.au
Subject: Want a BetterSex Life use AcaiBerry
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

I have tried to implement Sender Policy Framework with our DNS host, but I'm not thinking it's working since the same emails are still getting through.

We are using a WatchGuard Firewall X700 and Mail Marshal as our spam filter.

Does anyone have any suggestions on ways to filter out more of this erroneous spam? Is anyone else experiencing large amounts of this spam as well?
Question by:BigRed0283
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24745463
I would recommend you use someone like these guys: http://www.spamhaus.org/
and subscribe to their XBL real time blacklist http://www.spamhaus.org/xbl/index.lasso
We've used it and it cut the amount of spam being handled by the mail filter system by a huge margin. The use IS free for a limited number of lookups.
 
LVL 65

Expert Comment

by:Mestha
ID: 24745504
If you are getting the bounce backs, then SPF isn't going to work for you either.
The real problem is the clueless network admins who are sending spam back to the sender, or accepting email for non-existent users and then attempting to reject it.

With regards to the spoofing of the email NDRs, there is little that you can do. You must accept the NDR otherwise you will get blacklisted yourself. Using a blacklist isn't going to help because it is an NDR.

If your current antispam solution isn't working and dealing with the spoofing then you need to look at another one. There is no magic solution to dealing with spam, what works for one may not work for another. Everyone gets large amounts of spam, it is how they deal with it that is the key.

Simon.
 
LVL 2

Author Comment

by:BigRed0283
ID: 24746099
I'm open to any suggestions. There's only so much I can do internally on my side to stem this problem. We are getting so much spam that it's shutting down our Mail Marshal server and clogging our firewall. Should I be pushing our MX records holder to see if they can do anything about this? I'm just at a loss for further steps I should be taking.

@Kieran - Our Mail Marshal server uses spamhaus and symantec for its blacklists.
 
LVL 65

Expert Comment

by:Mestha
ID: 24746898
MX records are just a DNS setting. Nothing else can be done by them.
If your antispam solution can't cope then perhaps you will need to look at outsourcing it.
Is your Mail Marshal system able to do recipient filtering? If so, enable that, as a lot of spam is to non valid users.

Simon.

Expert Comment

by:Nemskinator
ID: 24759674
You should get a spam firewall appliance. I was able to use a Barracuda spam firewall to block my own domain name from external incoming messages.
That way no one can send me e-mail from my own e-mail address.
Since the firewall only scans external incoming e-mail messages my internal users were not affected.
My domain starts with the letter A, I am usually one of the first to get hit. I've blocked reverse DNS attacks, spoofs, messages sent from my domain to invalid domains and getting hit with undeliverables. For $1300 to cover 1000 mailboxes you have a solution.... look at Mail Foundry or Barracuda Networks.
Software solutions DO NOT work
 
LVL 65

Expert Comment

by:Mestha
ID: 24762585
"Software solutions DO NOT work"

What do you think an appliance is then?
It is just another piece of software installed on some custom hardware. The vendor may well have locked down the host OS, but that is about all.

Simon.
 
LVL 2

Author Comment

by:BigRed0283
ID: 24763963
We use Mail Marshal as our spam filter, and for years it has done a pretty good job. Only recently (like the last two weeks) have we had any issues. I've turned off NDR on the Exchange server, which helped quite a bit, but I'm still receiving all the NDRs from the other domains. I'm working with our DNS host to see if there is anything they can do to filter out some of these erroneous emails.

Just a note, the reason SpamHaus and SpamCop lists won't help in this matter is because the mass of NDRs we are receiving are from valid domains. I need to find a way to block the bogus senders. I think if I find out how to do that, I will make millions.
 

Expert Comment

by:Nemskinator
ID: 24764068
By software solutions I mean bs applications like Symantec or Cloudmark you add to your Exchange server or Microsoft OS.
Unless it's a dedicated machine/hardware just for spam, it just doesn't stop sh*t.
What do you use, Mr. 30,575?
 
LVL 65

Accepted Solution

by:Mestha (earned 500 total points)
ID: 24765548
"the mass of NDR's we are receiving are from valid domains"

This is the real problem - and it is mostly out of your control. The main problem is those who do not set up their antispam software correctly and accept the email then NDR it. I believe at least one of the appliances has this as their default configuration which is quite simply ridiculous and would make me doubt the rest of the product. At the very least every appliance and antispam application should do recipient validation as a minimum.

Not really a lot you can do about it as you have to accept the NDRs for your domain.

As for what I use - Vamsoft ORF is the primary tool, using greylisting. That knocks out about 80% of the spam, with IMF in either Exchange 2003 or Exchange 2007 soaking up the rest. I have that combination in place at a number of sites, including my home system and it works very well. No blacklists involved.

Alas they will not help with this solution because the NDRs are valid. There is no way that they can be blocked without putting the server doing the blocking at risk of blacklisting.

Simon.
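The envelope-versus-header distinction behind Simon's two SPF remarks (SPF cannot act on the bounce-backs, and a spoofed From: is not what SPF tests), worked through on the header fields posted in the question. This is an added example, not code from any poster; the SPF record for wahlstrom.com.au and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Header fields copied from the question (trimmed to the ones SPF and the receiving MX care about).
SPAM_HEADERS = """\
Return-Path: <exylvn75@touchstarsolutions.com>
Received: from unknown (HELO 18924121181.user.veloxzone.com.br) (189.24.121.181)
  by mx1.swiftel.com.au with SMTP; 24 Jun 2009 13:43:15 -0000
From: coles@wahlstrom.com.au
To: coles@wahlstrom.com.au
"""

# Hypothetical SPF record for the spoofed domain (constructed; the real record is not on the page).
SPF_RECORDS = {"wahlstrom.com.au": "v=spf1 ip4:203.0.113.10 -all"}

def domain_of(addr):
    """Domain part of '<user@example.com>'; '' for a missing header or the null sender '<>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def connecting_ip(received):
    """Dotted-quad IP the receiving MX recorded in its own (last-hop) Received: header."""
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received or "")
    return m.group(1) if m else ""

def check_spf(record, ip):
    """Minimal SPF evaluator: ip4: and all mechanisms with +/-/~/? qualifiers only."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        matched = mech == "all" or (
            mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False))
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def spf_scope(raw_headers):
    """Which identity SPF tests for this message: the envelope sender, never the From: header."""
    msg = message_from_string(raw_headers)
    env, hdr = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    ip = connecting_ip(msg["Received"])
    record = SPF_RECORDS.get(env)
    # A bounce (NDR) has the null return path <>, so there is no domain whose record applies.
    result = check_spf(record, ip) if env and record and ip else "none"
    return {"envelope_domain": env, "header_domain": hdr, "ip": ip, "result": result}

if __name__ == "__main__":
    print(spf_scope(SPAM_HEADERS))
```

For the posted message the record consulted belongs to touchstarsolutions.com, so a wahlstrom.com.au record is never evaluated; it would only bite if the spammer also forged the envelope sender, and it has nothing to check on an NDR at all.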