Spam is out of control

Hello all,

I am having a serious issue. Our company has been bombarded by spam the last two weeks. Our return address is being spoofed and sending back tons of "Delivery Failure" notifications. Along with this, we are receiving an influx of other spam (like the outlook express update email) across all domains. Here is a copy of some of the headers:

Return-Path: <>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Received: from by (envelope-from <>, uid 64011) with qmail-scanner-1.24
Processed in 1.183734 secs); 24 Jun 2009 13:43:16 -0000
Received: from unknown (HELO (
  by with SMTP; 24 Jun 2009 13:43:15 -0000
Date: Wed, 24 Jun 2009 10:42:48 -0300
Message-Id: <>
Subject: Want a BetterSex Life use AcaiBerry
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

I have tried to implement Sender Policy Framework with our DNS host, but I'm not thinking it's working since the same emails are still getting through.

We are using a WatchGuard Firewall X700 and Mail Marshal as our spam filter.

Does anyone have any suggestions on ways to filter out more of this erroneous spam? Is anyone else experiencing large amounts of this spam as well?

I would recommend you use someone like these guys:
and subscribe to their XBL real time blacklist
We've used and it cut the amount of spam being handled by the mail filter system by a huge margin. The use IS free for a limited number of lookups.
If you are getting the bounce backs, then SPF isn't going to work for you either.
The real problem is the clueless network admins who are sending spam back to the sender, or accepting email for non-existent users and then attempting to reject it.

With regards to the spoofing of the email NDRs, there is little that you can do. You must accept the NDR otherwise you will get blacklisted yourself. Using a blacklist isn't going to help because it is an NDR.

If your current antispam solution isn't working and dealing with the spoofing then you need to look at another one. There is no magic solution to dealing with spam, what works for one may not work for another. Everyone gets large amounts of spam, it is how they deal with it that is the key.

BigRed0283Author Commented:
I'm open to any suggestions. There's only so much I can do internally on my side to stem this problem. We are getting so much spam that it's shutting down our Mail Marshal server and clogging our firewall. Should I be pushing our MX records holder to see if they can do anything about this? I'm just at a loss for further steps I should be taking.

@Kieran - Our Mail Marshal server uses spamhaus and symantec for its blacklists.

MX records are just a DNS setting. Nothing else can be done by them.
If your antispam solution can't cope then perhaps you will need to look at outsourcing it.
Is your Mail Marshal system able to do recipient filtering? If so, enable that, as a lot of spam is to non valid users.

You should get a spam firewall appliance. I was able to use a barracuda spam firewall to block my own domain name from external incoming messages.
That way no one can send me e-mail from my own e-mail address.
Since the firewall only scans external incoming e-mail messages my internal users were not affected.
My domain starts with the letter A, I am usually one of the first to get hit. I've blocked reverse dns attacks, spoofs, messages sent from my domain to invalid domains and getting hit with undeliverables. For $1300 to cover 1000 mailboxes you have a solution.... look at Mail Foundry or Barracuda Network
Software solutions DO NOT work
"Software solutions DO NOT work"

What do you think an appliance is then?
It is just another piece of software installed on some custom hardware. The vendor may well have locked down the host OS, but that is about all.

BigRed0283Author Commented:
We use Mail Marshal as our spam filter, and for years it has done a pretty good job. Only recently (like the last two weeks) have we had any issues. I've turned off NDR on the exchange server, which helped quite a bit, but I'm still receiving all the NDRs from the other domains. I'm working with our DNS host to see if there is anything they can do to filter out some of these erroneous emails.

Just a note, the reason SpamHaus and SpamCop lists won't help in this matter is because the mass of NDRs we are receiving are from valid domains. I need to find a way to block the bogus senders. I think if I find out how to do that, I will make millions.
By software solutions I mean bs applications like symantec or cloudmark you add to your exchange server or microsoft os.
Unless a dedicated machine/hardware just for spam, it just doesn't stop sh*t
What do you use Mr. 30,575?
"the mass of NDR's we are receiving are from valid domains"

This is the real problem - and it is mostly out of your control. The main problem is those who do not set up their antispam software correctly and accept the email then NDR it. I believe at least one of the appliances has this as their default configuration which is quite simply ridiculous and would make me doubt the rest of the product. At the very least every appliance and antispam application should do recipient validation as a minimum.

Not really a lot you can do about it as you have to accept the NDRs for your domain.

As for what I use - Vamsoft ORF is the primary tool, using greylisting. That knocks out about 80% of the spam, with IMF in either Exchange 2003 or Exchange 2007 soaking up the rest. I have that combination in place at a number of sites, including my home system and it works very well. No blacklists involved.

Alas they will not help with this solution because the NDRs are valid. There is no way that they can be blocked without putting the server doing the blocking at risk of blacklisting.
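The thread's two hard facts are that the bounces arrive with a null envelope sender (the "Return-Path: <>" in the headers quoted in the question, which is also why SPF on the envelope sender has nothing to check) and that a receiving server cannot tell a bounce for mail it really sent from one answering a forgery. The following is an added example, written for this page and not code from any participant or product named here. It parses headers like the quoted ones to recognise a bounce, and then shows one widely used way to make forged bounces distinguishable: tagging the envelope sender of outgoing mail with an HMAC and a short expiry (the "prvs=" bounce-address tagging scheme), so that a null-sender message addressed to an untagged, expired or mis-signed address can be refused at RCPT TO. The key, the sample headers and the addresses are constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample based on the headers quoted in the question; the hosts and
# addresses that did not survive on the page are simply left out.
SAMPLE_HEADERS = """Return-Path: <>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Date: Wed, 24 Jun 2009 10:42:48 -0300
Subject: Want a BetterSex Life use AcaiBerry
Content-Type: text/html; charset="ISO-8859-1"
"""

# Tagged form: prvs=<key version><expiry day, 3 digits><6 hex chars of HMAC>=<address>
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")
MAX_WINDOW_DAYS = 7  # a bounce later than this for a message we sent is not expected


def envelope_sender(raw_headers: str) -> str:
    """Return the Return-Path address; '' is the null sender <> used by bounces."""
    m = re.search(r"^Return-Path:\s*<([^>]*)>", raw_headers, re.M)
    if m is None:
        raise ValueError("no Return-Path header")
    return m.group(1).strip()


def is_bounce(raw_headers: str) -> bool:
    return envelope_sender(raw_headers) == ""


def _mac(key: bytes, key_ver: str, expiry_day: str, address: str) -> str:
    # Sign key version, expiry day and the original address together.
    data = f"{key_ver}{expiry_day}{address}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(address: str, key: bytes, sent_on: date, key_ver: str = "0") -> str:
    """Rewrite the envelope sender of outgoing mail so a bounce to it can be verified."""
    expiry_day = f"{(sent_on.toordinal() + MAX_WINDOW_DAYS) % 1000:03d}"
    return f"prvs={key_ver}{expiry_day}{_mac(key, key_ver, expiry_day, address)}={address}"


def check_bounce_recipient(rcpt_to: str, key: bytes, today: date) -> str:
    """Classify the RCPT TO of a null-sender message: 'accept' or 'reject: <why>'."""
    m = TAG_RE.match(rcpt_to)
    if m is None:
        return "reject: untagged address was never used as a return path by us"
    key_ver, expiry_day, mac, address = m.groups()
    if not hmac.compare_digest(mac, _mac(key, key_ver, expiry_day, address)):
        return "reject: bad signature"
    # The day counter wraps every 1000 days; only a tag still inside its window is live.
    days_left = (int(expiry_day) - today.toordinal() % 1000) % 1000
    if not 0 < days_left <= MAX_WINDOW_DAYS:
        return "reject: tag expired"
    return "accept"


def smtp_decision(mail_from: str, rcpt_to: str, key: bytes, today: date) -> str:
    """Only null-sender (bounce) messages are subject to the tag check."""
    if mail_from != "":
        return "accept"
    return check_bounce_recipient(rcpt_to, key, today)


if __name__ == "__main__":
    key = b"constructed-example-key"
    sent = date(2009, 6, 24)
    print("quoted message is a bounce:", is_bounce(SAMPLE_HEADERS))
    tagged = tag_sender("user@example.com", key, sent)
    print("outgoing envelope sender:", tagged)
    print("bounce to tagged address 3 days later:", smtp_decision("", tagged, key, date(2009, 6, 27)))
    print("bounce to plain address:", smtp_decision("", "user@example.com", key, sent))
```

The tag changes only the envelope sender, never the From header users see, and the receiving side must deliver mail for the tagged address to the mailbox of the plain one; the check is applied only when MAIL FROM is empty, so ordinary mail is unaffected. What the scheme buys is exactly the distinction the thread says is missing: bounces answering mail the domain really sent still get through, while the flood addressed to forged return paths is refused during the SMTP dialogue rather than accepted and filtered.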

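Two of the measures recommended in this thread, recipient validation at SMTP time and greylisting, are simple enough to show as one policy applied to a single RCPT TO command. The block below is an added example for this page, not code from Vamsoft ORF, Mail Marshal or any other product mentioned; the list of valid mailboxes, the delays and the client addresses are constructed. Unknown recipients are refused before the message is accepted, so the server never has to send an NDR of its own (the behaviour the answers call backscatter), and new (client, sender, recipient) triplets get a temporary failure that a real MTA retries and most spam engines do not.

```python
from dataclasses import dataclass, field

# Constructed data: the mailboxes that actually exist in the protected domain.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

GREYLIST_DELAY = 300            # seconds a new triplet must wait before a retry is accepted
PENDING_EXPIRY = 36 * 3600      # forget triplets that never retried
PASSED_EXPIRY = 30 * 24 * 3600  # keep a verified triplet this long after its last message


@dataclass
class MailPolicy:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen (seconds)
    passed: dict = field(default_factory=dict)   # triplet -> time last seen (seconds)

    def _expire(self, now: int) -> None:
        self.pending = {t: seen for t, seen in self.pending.items() if now - seen < PENDING_EXPIRY}
        self.passed = {t: seen for t, seen in self.passed.items() if now - seen < PASSED_EXPIRY}

    def rcpt_to(self, client_ip: str, mail_from: str, rcpt: str, now: int) -> str:
        """Return the SMTP reply for one RCPT TO command."""
        self._expire(now)
        # 1. Recipient validation during the SMTP dialogue: refusing the command means the
        #    message is never accepted, so there is nothing to bounce later.
        if rcpt.lower() not in VALID_RECIPIENTS:
            return "550 5.1.1 no such user"
        # 2. Greylisting keyed on (client, envelope sender, recipient). A null sender
        #    (a bounce) is keyed on the empty string and treated like any other.
        triplet = (client_ip, mail_from.lower(), rcpt.lower())
        if triplet in self.passed:
            self.passed[triplet] = now
            return "250 2.1.5 OK"
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now
            return "451 4.7.1 greylisted, please retry later"
        if now - first_seen < GREYLIST_DELAY:
            # Retried too quickly: keep the original first-seen time and defer again.
            return "451 4.7.1 greylisted, please retry later"
        del self.pending[triplet]
        self.passed[triplet] = now
        return "250 2.1.5 OK"


if __name__ == "__main__":
    policy = MailPolicy()
    for t, (ip, sender, rcpt) in [
        (0, ("192.0.2.10", "sender@example.net", "nobody@example.com")),
        (0, ("192.0.2.10", "sender@example.net", "alice@example.com")),
        (60, ("192.0.2.10", "sender@example.net", "alice@example.com")),
        (400, ("192.0.2.10", "sender@example.net", "alice@example.com")),
        (0, ("198.51.100.7", "", "bob@example.com")),
    ]:
        print(f"t={t:>4} {ip:<13} <{sender}> -> {rcpt}: {policy.rcpt_to(ip, sender, rcpt, t)}")
```

Greylisting delays first contact from every new sender by at least GREYLIST_DELAY, which is the trade-off behind the "about 80%" figure quoted above: the cost is latency on first contact, and the remaining spam from engines that do retry still needs a content filter behind it.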
