Solved

Spam is out of control

Posted on 2009-06-30
9
1,341 Views
Last Modified: 2013-12-09
Hello all,

I am having a serious issue. Our company has been bombarded by spam the last two weeks. Our return address is being spoofed and sending back tons of "Delivery Failure" notifications. Along with this, we are receiving an influx of other spam (like the Outlook Express update email) across all domains. Here is a copy of some of the headers:

Return-Path: <exylvn75@touchstarsolutions.com>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Received: from 189.24.121.181 by mx1.swiftel.com.au (envelope-from <exylvn75@touchstarsolutions.com>, uid 64011) with qmail-scanner-1.24
(
Clear:RC:0(189.24.121.181):.
Processed in 1.183734 secs); 24 Jun 2009 13:43:16 -0000
Received: from unknown (HELO 18924121181.user.veloxzone.com.br) (189.24.121.181)
  by mx1.swiftel.com.au with SMTP; 24 Jun 2009 13:43:15 -0000
Date: Wed, 24 Jun 2009 10:42:48 -0300
Message-Id: <4748NE34763.L00B4ABRR2451@189.24.121.181.touchstarsolutions.com>
From: coles@wahlstrom.com.au
To: coles@wahlstrom.com.au
Subject: Want a BetterSex Life use AcaiBerry
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

I have tried to implement Sender Policy Framework with our DNS host, but I'm not thinking it's working since the same emails are still getting through.

We are using a WatchGuard Firewall X700 and Mail Marshal as our spam filter.

Does anyone have any suggestions on ways to filter out more of this erroneous spam? Is anyone else experiencing large amounts of this spam as well?
0
Question by:BigRed0283
9 Comments
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24745463
I would recommend you use someone like these guys: http://www.spamhaus.org/
and subscribe to their XBL real-time blacklist http://www.spamhaus.org/xbl/index.lasso
We've used it and it cut the amount of spam being handled by the mail filter system by a huge margin. The use IS free for a limited number of lookups.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24745504
If you are getting the bounce backs, then SPF isn't going to work for you either.
The real problem is the clueless network admins who are sending spam back to the sender, or accepting email for non-existent users and then attempting to reject it.

With regards to the spoofing of the email NDRs, there is little that you can do. You must accept the NDR otherwise you will get blacklisted yourself. Using a blacklist isn't going to help because it is an NDR.

If your current antispam solution isn't working and dealing with the spoofing then you need to look at another one. There is no magic solution to dealing with spam, what works for one may not work for another. Everyone gets large amounts of spam, it is how they deal with it that is the key.

Simon.
0
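Why the SPF record the question mentions never comes into play for the bounces, as an added example (this is not code from the thread, nor from WatchGuard, MailMarshal or any other product named in it). The script parses a copy of the headers posted in the question, takes the connecting IP from the bottom-most Received line and the envelope sender from Return-Path, and evaluates SPF against hypothetical records for the domains involved. The real SPF records of those domains are not on the page; the address ranges used are RFC 5737 documentation addresses, and the HELO name for the bouncing server (mx.example.org) is an assumption. Only ip4, include and all are implemented; mechanisms that need DNS (a, mx, ptr) raise an error rather than silently matching nothing.

```python
import ipaddress
import re

# Constructed copy of the header block posted in the question, abridged to the
# lines this example uses (no content beyond what the post shows).
POSTED_HEADERS = """\
Return-Path: <exylvn75@touchstarsolutions.com>
Received: from 189.24.121.181 by mx1.swiftel.com.au (envelope-from <exylvn75@touchstarsolutions.com>, uid 64011) with qmail-scanner-1.24
Received: from unknown (HELO 18924121181.user.veloxzone.com.br) (189.24.121.181)
  by mx1.swiftel.com.au with SMTP; 24 Jun 2009 13:43:15 -0000
From: coles@wahlstrom.com.au
To: coles@wahlstrom.com.au
Subject: Want a BetterSex Life use AcaiBerry
"""

# Hypothetical SPF records (assumption: the real ones are not on the page).
SPF_RECORDS = {
    "wahlstrom.com.au": "v=spf1 ip4:203.0.113.0/28 -all",
    "touchstarsolutions.com": "v=spf1 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}


def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def connecting_ip(headers):
    """IP of the host that handed the message to the first trusted MX.

    Received headers are prepended, so the bottom-most one is the oldest and
    the only one written by a server we trust (here mx1.swiftel.com.au).
    """
    received = [v for n, v in headers if n == "received"]
    match = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", received[-1])
    return match.group(1) if match else None


def envelope_sender(headers):
    """MAIL FROM address as recorded in Return-Path ('' for a null sender)."""
    for name, value in headers:
        if name == "return-path":
            return value.strip("<>").strip()
    return ""


def check_spf(ip, mail_from, helo, records=SPF_RECORDS):
    """Minimal RFC 7208 evaluation supporting ip4, include and all.

    With an empty MAIL FROM (every NDR) the HELO name is the identity checked,
    so the record of the domain being bounced to is never consulted.
    """
    domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[qual]
        elif term.startswith("include:"):
            if check_spf(ip, "x@" + term[8:], helo, records) == "pass":
                return qualifiers[qual]
        else:
            raise ValueError("mechanism needs DNS, not supported here: " + term)
    return "neutral"


def evaluate_posted_message():
    """Run the posted headers through the checks and report each identity."""
    headers = parse_headers(POSTED_HEADERS)
    ip = connecting_ip(headers)
    sender = envelope_sender(headers)
    helo = "18924121181.user.veloxzone.com.br"  # taken from the Received line
    return {
        "ip": ip,
        "mail_from": sender,
        # The envelope sender is touchstarsolutions.com, so the receiving MX
        # checks that domain's record; the wahlstrom.com.au record is irrelevant
        # even though From: carries a wahlstrom.com.au address.
        "spf_envelope": check_spf(ip, sender, helo),
        # If the bot had forged coles@wahlstrom.com.au as MAIL FROM (the case
        # behind the bounces), a checking MX would get this verdict:
        "spf_if_victim_forged": check_spf(ip, "coles@wahlstrom.com.au", helo),
        # What the victim's own MX sees when the forged mail is bounced back:
        # null sender, so only the bouncing server's HELO is evaluated.
        "spf_on_the_bounce": check_spf("192.0.2.25", "", "mx.example.org"),
    }


if __name__ == "__main__":
    for key, value in evaluate_posted_message().items():
        print(f"{key}: {value}")
```

The point the output makes: SPF protects a domain only on the MX that performs the check, and it is evaluated on MAIL FROM, not on the From: header. The sample mail has a different domain in each, and the NDRs that clog the questioner's server arrive with an empty MAIL FROM, where his record is never looked up.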
 
LVL 2

Author Comment

by:BigRed0283
ID: 24746099
I'm open to any suggestions. There's only so much I can do internally on my side to stem this problem. We are getting so much spam that it's shutting down our Mail Marshal server and clogging our firewall. Should I be pushing our MX records holder to see if they can do anything about this? I'm just at a loss for further steps I should be taking.

@Kieran - Our Mail Marshal server uses spamhaus and symantec for its blacklists.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24746898
MX records are just a DNS setting. Nothing else can be done by them.
If your antispam solution can't cope then perhaps you will need to look at outsourcing it.
Is your Mail Marshal system able to do recipient filtering? If so, enable that, as a lot of spam is to non valid users.

Simon.
0

Expert Comment

by:Nemskinator
ID: 24759674
You should get a spam firewall appliance. I was able to use a Barracuda spam firewall to block my own domain name from external incoming messages.
That way no one can send me e-mail from my own e-mail address.
Since the firewall only scans external incoming e-mail messages, my internal users were not affected.
My domain starts with the letter A, so I am usually one of the first to get hit. I've blocked reverse DNS attacks, spoofs, messages sent from my domain to invalid domains and getting hit with undeliverables. For $1300 to cover 1000 mailboxes you have a solution.... look at Mail Foundry or Barracuda Networks.
Software solutions DO NOT work.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24762585
"Software solutions DO NOT work"

What do you think an appliance is then?
It is just another piece of software installed on some custom hardware. The vendor may well have locked down the host OS, but that is about all.

Simon.
0
 
LVL 2

Author Comment

by:BigRed0283
ID: 24763963
We use Mail Marshal as our spam filter, and for years it has done a pretty good job. Only recently (like the last two weeks) have we had any issues. I've turned off NDRs on the Exchange server, which helped quite a bit, but I'm still receiving all the NDRs from the other domains. I'm working with our DNS host to see if there is anything they can do to filter out some of these erroneous emails.

Just a note, the reason SpamHaus and SpamCop lists won't help in this matter is because the mass of NDRs we are receiving are from valid domains. I need to find a way to block the bogus senders. I think if I find out how to do that, I will make millions.
0
 

Expert Comment

by:Nemskinator
ID: 24764068
By software solutions I mean BS applications like Symantec or Cloudmark that you add to your Exchange server or Microsoft OS.
Unless it's a dedicated machine/hardware just for spam, it just doesn't stop sh*t.
what do you use Mr. 30,575?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24765548
"the mass of NDR's we are receiving are from valid domains"

This is the real problem - and it is mostly out of your control. The main problem is those who do not setup their antispam software correctly and accept the email then NDR it. I believe at least one of the appliances has this as their default configuration which is quite simply ridiculous and would make me doubt the rest of the product. At the very least every appliance and antispam application should do recipient validation as a minimum.

Not really a lot you can do about it as you have to accept the NDRs for your domain.

As for what I use - Vamsoft ORF is the primary tool, using greylisting. That knocks out about 80% of the spam, with IMF in either Exchange 2003 or Exchange 2007 soaking up the rest. I have that combination in place at a number of sites, including my home system and it works very well. No blacklists involved.

Alas they will not help with this solution because the NDRs are valid. There is no way that they can be blocked without putting the server doing the blocking at risk of blacklisting.

Simon.
0
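The two server-side controls this answer argues for, recipient validation during the SMTP session and triplet greylisting, as an added example. This is not code from the thread and not how Vamsoft ORF, MailMarshal, Exchange IMF or any other product named here implements them; the recipient directory, client addresses, timings and session sequence are constructed for the example. It contrasts an MX that refuses an unknown user while the sender is still connected with one that accepts everything and bounces later (the backscatter source the answer complains about), and shows why a null-sender NDR to a real mailbox still has to be let in.

```python
# Constructed recipient directory. A real MX would look this up in AD/LDAP or
# the mail store at RCPT TO time instead of after accepting the message.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

GREYLIST_DELAY = 300  # seconds a never-seen triplet must wait before a 250


class Greylist:
    """Triplet greylisting: (client IP, MAIL FROM, RCPT TO) is tempfailed the
    first time it is seen and accepted once retried after the delay. Real MTAs
    queue and retry on 4xx; most spam engines move on to the next target."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def decide(self, ip, sender, recipient, now):
        key = (ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            return "250 2.1.5 OK"
        return "451 4.7.1 Greylisted, please retry later"


def rcpt_to(ip, sender, recipient, now, greylist, directory=VALID_RECIPIENTS):
    """RCPT TO policy that never creates backscatter: an unknown user is
    refused with a 5xx while the client is still connected, so any bounce is
    the client's to generate, not a message from us to a forged MAIL FROM.
    Known users then go through the greylist."""
    if recipient.lower() not in directory:
        return "550 5.1.1 User unknown"
    return greylist.decide(ip, sender, recipient, now)


def accept_then_bounce(sender, recipient, directory=VALID_RECIPIENTS):
    """The misconfiguration the accepted answer describes: every RCPT TO gets
    250, the user check runs after the session, and an NDR is mailed to
    MAIL FROM. Returns the address that NDR goes to (the forged sender, i.e.
    the backscatter victim), or None when delivery would have succeeded."""
    if recipient.lower() in directory:
        return None
    return sender


def simulate():
    """Push constructed sessions through both policies and report outcomes."""
    grey = Greylist()
    forged = "coles@wahlstrom.com.au"  # the address the question says is spoofed
    bot, partner, bouncer = "198.51.100.7", "203.0.113.9", "192.0.2.25"
    results = {}
    # Bot sends to a non-existent user with a forged MAIL FROM: 550 during the
    # session, nothing is accepted, no NDR is ever generated by us.
    results["spam_unknown_user"] = rcpt_to(bot, forged, "zzz@example.com", 0, grey)
    # Same message hitting an accept-then-bounce host: the NDR goes to the
    # forged address, which is exactly what the questioner keeps receiving.
    results["backscatter_victim"] = accept_then_bounce(forged, "zzz@example.com")
    # Bot sends to a real user: first attempt is greylisted; bots rarely retry.
    results["spam_first_try"] = rcpt_to(bot, forged, "alice@example.com", 0, grey)
    # A real MTA retrying after the delay is let through.
    rcpt_to(partner, "partner@example.net", "alice@example.com", 0, grey)
    results["legit_retry"] = rcpt_to(partner, "partner@example.net", "alice@example.com", 600, grey)
    # An NDR (null MAIL FROM) for a real user is just another triplet: delayed
    # once, then accepted. The greylist cannot tell a genuine bounce from
    # backscatter, which is why the answer says these have to be accepted.
    rcpt_to(bouncer, "", "alice@example.com", 600, grey)
    results["ndr_null_sender"] = rcpt_to(bouncer, "", "alice@example.com", 1000, grey)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The design point: the 550 at RCPT TO costs the receiving server nothing and moves the bounce burden onto whoever is actually connecting; the moment a server says 250 to an address it cannot deliver to, it has volunteered to mail an NDR to whatever the spammer put in MAIL FROM.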
