Spam is out of control

Posted on 2009-06-30
Medium Priority
Last Modified: 2013-12-09
Hello all,

I am having a serious issue. Our company has been bombarded by spam the last two weeks. Our return address is being spoofed and sending back tons of "Delivery Failure" notifications. Along with this, we are receiving an influx of other spam (like the Outlook Express update email) across all domains. Here is a copy of some of the headers:

Return-Path: <exylvn75@touchstarsolutions.com>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Received: from by mx1.swiftel.com.au (envelope-from <exylvn75@touchstarsolutions.com>, uid 64011) with qmail-scanner-1.24
Processed in 1.183734 secs); 24 Jun 2009 13:43:16 -0000
Received: from unknown (HELO 18924121181.user.veloxzone.com.br) (
  by mx1.swiftel.com.au with SMTP; 24 Jun 2009 13:43:15 -0000
Date: Wed, 24 Jun 2009 10:42:48 -0300
Message-Id: <4748NE34763.L00B4ABRR2451@>
From: coles@wahlstrom.com.au
To: coles@wahlstrom.com.au
Subject: Want a BetterSex Life use AcaiBerry
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

I have tried to implement Sender Policy Framework with our DNS host, but I'm not thinking it's working since the same emails are still getting through.

We are using a WatchGuard Firewall X700 and Mail Marshal as our spam filter.

Does anyone have any suggestions on ways to filter out more of this erroneous spam? Is anyone else experiencing large amounts of this spam as well?
Question by: BigRed0283
LVL 10

Expert Comment

ID: 24745463
I would recommend you use someone like these guys: http://www.spamhaus.org/
and subscribe to their XBL real time blacklist http://www.spamhaus.org/xbl/index.lasso
We've used it and it cut the amount of spam being handled by the mail filter system by a huge margin. The use IS free for a limited number of lookups.
LVL 65

Expert Comment

ID: 24745504
If you are getting the bounce backs, then SPF isn't going to work for you either.
The real problem is the clueless network admins who are sending spam back to the sender, or accepting email for non-existent users and then attempting to reject it.

With regards to the spoofing of the email NDRs, there is little that you can do. You must accept the NDR otherwise you will get blacklisted yourself. Using a blacklist isn't going to help because it is an NDR.

If your current antispam solution isn't working and dealing with the spoofing then you need to look at another one. There is no magic solution to dealing with spam, what works for one may not work for another. Everyone gets large amounts of spam, it is how they deal with it that is the key.


Author Comment

ID: 24746099
I'm open to any suggestions. There's only so much I can do internally on my side to stem this problem. We are getting so much spam that it's shutting down our Mail Marshal server and clogging our firewall. Should I be pushing our MX records holder to see if they can do anything about this? I'm just at a loss for further steps I should be taking.

@Kieran - Our Mail Marshal server uses spamhaus and symantec for its blacklists.

LVL 65

Expert Comment

ID: 24746898
MX records are just a DNS setting. Nothing else can be done by them.
If your antispam solution can't cope then perhaps you will need to look at outsourcing it.
Is your Mail Marshal system able to do recipient filtering? If so, enable that, as a lot of spam is to non-valid users.


Expert Comment

ID: 24759674
You should get a spam firewall appliance. I was able to use a Barracuda spam firewall to block my own domain name from external incoming messages.
That way no one can send me e-mail from my own e-mail address.
Since the firewall only scans external incoming e-mail messages my internal users were not affected.
My domain starts with the letter A, I am usually one of the first to get hit. I've blocked reverse DNS attacks, spoofs, messages sent from my domain to invalid domains and getting hit with undeliverables. For $1300 to cover 1000 mailboxes you have a solution.... look at Mail Foundry or Barracuda Network
Software solutions DO NOT work
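The check described in the comment above (refuse mail that claims your own domain in From: but arrives from an outside host), sketched as an added example that is not part of the original post and not any vendor's code. The domain, MX name, internal range and sample message are assumptions constructed for illustration, modelled on the headers in the question.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our domain, our MX name, our internal range.
LOCAL_DOMAINS = {"example.org"}
OUR_MX = "mx1.example.org"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed message modelled on the headers in the question.
SAMPLE = """\
Return-Path: <random123@other.example>
Received: (qmail 29800 invoked by uid 64021); 24 Jun 2009 13:43:16 -0000
Received: from unknown (HELO host.isp.example) (203.0.113.45)
  by mx1.example.org with SMTP; 24 Jun 2009 13:43:15 -0000
From: user@example.org
To: user@example.org
Subject: constructed sample

body
"""


def connecting_ip(msg):
    """Client IP recorded by our own MX (IPv4 only), newest hop first."""
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())            # unfold continuation lines
        found = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", flat)
        if f"by {OUR_MX} " in flat and found:
            try:
                return ipaddress.ip_address(found.group(1))
            except ValueError:
                continue                        # not a real address, keep looking
    return None


def spoofed_own_domain(raw: str) -> bool:
    """True when an external host delivered mail claiming a local From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    if ip is None:                              # no trustworthy hop: do not flag
        return False
    external = not any(ip in net for net in INTERNAL_NETS)
    return external and from_domain in LOCAL_DOMAINS
```

Only the Received header written by your own MX is trusted here, since earlier hops are supplied by the sender. Legitimate mail that uses your domain from outside (remote staff, third-party mailing services) trips the same check unless those sources are exempted.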
LVL 65

Expert Comment

ID: 24762585
"Software solutions DO NOT work"

What do you think an appliance is then?
It is just another piece of software installed on some custom hardware. The vendor may well have locked down the host OS, but that is about all.


Author Comment

ID: 24763963
We use Mail Marshal as our spam filter, and for years it has done a pretty good job. Only recently (like the last two weeks) have we had any issues. I've turned off NDR on the Exchange server, which helped quite a bit, but I'm still receiving all the NDRs from the other domains. I'm working with our DNS host to see if there is anything they can do to filter out some of these erroneous emails.

Just a note, the reason SpamHaus and SpamCop lists won't help in this matter is because the mass of NDRs we are receiving are from valid domains. I need to find a way to block the bogus senders. I think if I find out how to do that, I will make millions.

Expert Comment

ID: 24764068
By software solutions I mean bs applications like Symantec or Cloudmark you add to your Exchange server or Microsoft OS.
Unless a dedicated machine/hardware just for spam, it just doesn't stop sh*t
What do you use Mr. 30,575?
LVL 65

Accepted Solution

Mestha earned 1500 total points
ID: 24765548
"the mass of NDR's we are receiving are from valid domains"

This is the real problem - and it is mostly out of your control. The main problem is those who do not set up their antispam software correctly and accept the email then NDR it. I believe at least one of the appliances has this as their default configuration which is quite simply ridiculous and would make me doubt the rest of the product. At the very least every appliance and antispam application should do recipient validation as a minimum.

Not really a lot you can do about it as you have to accept the NDRs for your domain.

As for what I use - Vamsoft ORF is the primary tool, using greylisting. That knocks out about 80% of the spam, with IMF in either Exchange 2003 or Exchange 2007 soaking up the rest. I have that combination in place at a number of sites, including my home system and it works very well. No blacklists involved.

Alas they will not help with this solution because the NDRs are valid. There is no way that they can be blocked without putting the server doing the blocking at risk of blacklisting.
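The difference between "accept the email then NDR it" and recipient validation, modelled as an added example that is not part of the original answer. The mailbox directory, domains and spam run are constructed; the model only tracks which addresses end up receiving an NDR from the server.

```python
from dataclasses import dataclass, field

# Constructed directory of real mailboxes (assumption for this example).
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}


@dataclass
class MailServer:
    recipient_filtering: bool                  # True = validate at RCPT TO
    ndrs_sent: list = field(default_factory=list)

    def rcpt_to(self, mail_from: str, rcpt: str) -> str:
        """Return the SMTP reply the connecting client sees for RCPT TO."""
        if rcpt.lower() in VALID_RECIPIENTS:
            return "250 2.1.5 Recipient OK"
        if self.recipient_filtering:
            # Refused inside the SMTP session: the connecting host is told
            # directly and this server never generates a message of its own.
            return "550 5.1.1 User unknown"
        # Accept-then-bounce: the mail is queued, later found undeliverable,
        # and an NDR goes to whatever MAIL FROM claimed, forged or not.
        if mail_from:                          # a null sender (<>) is never bounced
            self.ndrs_sent.append((mail_from, rcpt))
        return "250 2.1.5 Recipient OK"


# Constructed spam run: forged sender, mostly non-existent recipients.
FORGED = "staff@victim.example"
SPAM_RUN = [(FORGED, f"user{i}@example.org") for i in range(5)] + [
    (FORGED, "alice@example.org"),
]


def backscatter(recipient_filtering: bool) -> list:
    """Addresses that receive an NDR from this server after the spam run."""
    server = MailServer(recipient_filtering)
    for mail_from, rcpt in SPAM_RUN:
        server.rcpt_to(mail_from, rcpt)
    return [to for to, _ in server.ndrs_sent]


if __name__ == "__main__":
    print("accept-then-NDR :", backscatter(False))
    print("recipient filter:", backscatter(True))
```

With recipient filtering off, the forged address receives one NDR per invalid recipient; with it on, the server sends none.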


Question has a verified solution.
