Preventing a DDoS attack using a mail list

I have a mail list: (names are changed to protect the innocent)
maillist has seven user emails associated with it.

I believe that I am a victim of a DDoS attack.
Someone was sending out a massive email campaign using an aliased email account where the recipients believe it was from

When all of the receiving email domains sent back their non-response, no-user, or other denial for delivery, it all came back to the mail list address, which then duplicated across the seven emails.

Has anyone ever suffered this before?
How do you protect against this, when your server is not sending the outbound emails, and someone is masquerading their email as your own?

Evan Cutler, Volunteer Chief Information Officer, asked:
btan, Exec Consultant, commented:
Indeed, this sounds like the backscatter of a non-delivery DoS (mostly because the reply-to address is faked): incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam. Systems that generate email backscatter can end up being listed on various DNSBLs and be in violation of internet service providers' terms of service.

Mail servers can handle undeliverable messages in three fundamentally different ways:

> Reject. A receiving server can reject the incoming email during the connection stage, while the sending server is still connected. If a message is rejected at connect time with a 5xx error code, then the sending server can report the problem to the real sender cleanly.

> Drop. A receiving server can initially accept the full message, but then determine that it is spam and quarantine it, delivering it to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behaviour, even though RFC 5321 says: "...silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate..."

> Bounce. A receiving server can initially accept the full message, but then determine that it is spam or addressed to a non-existent recipient, and generate a bounce message back to the supposed sender indicating that message delivery failed.

There is a good description and run-through in this article of a use case (figure 1) similar to yours:
"In many of the NDN messages received, the authors found internal information of the organization's infrastructure which is valuable for an attacker to find specific vulnerabilities and to fine tune an attack."
The measures are not a silver bullet, though:
- Do not accept mail for invalid recipients
- Limit the maximum number of recipients
- Generate few error messages/small error messages

"The current configuration and design processes of secondary or out-sourced SMTP mail services increase the number of viable domains that can be used as DoS agents. It is a simple process of abusing multiple SMTP services to cause a Distributed DoS (DDoS) that would increase the impact on the target. Given the possibilities with payload multiplication factors, should an organization host their main SMTP services in-house, network bandwidth saturation is also possible causing a DoS of all Internet connectivity."
MS Exchange has some configuration for Recipient Filtering, and SpamAssassin has a bounce ruleset. There is also a quick sharing on CDNs and filtering for DoS defence.

David Johnson, CD, MVP, Owner, commented:
All that you can do is ensure that your MX record is correct and that you have an SPF record defined. If you want, you can filter these messages and delete/move them so that the forum doesn't get overwhelmed.
btan, Exec Consultant, commented:
The SMTP protocol does not support authentication of the sender address. As a result, email messages can claim to be coming from any valid email address. These email messages can be difficult to block, as it is not straightforward to distinguish between a legitimate NDR and one generated by spam.

Other strategies used for protecting SMTP include scanning NDR emails using the existing anti-spam features, such as the Bayesian filter, DNS blacklists, Sender URI real-time blocklists and keyword checking. By the way, permanently disabling NDRs is generally not recommended.

For info, I understand that GFI MailEssentials makes use of the Directory Harvesting feature on the gateway to drop email messages and NDRs sent to non-existent users. If the NDR makes it past these protection mechanisms, then the email message is checked against the "NewSender" feature. This feature allows end users to receive only legitimate non-delivery reports, thus allowing them to focus on actual work rather than cleaning up the mailbox.

Other useful info:
How to Report a DDoS Attack -
Email Bombing and Spamming -
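Both of btan's comments come down to the same problem: a bounce addressed to the list is indistinguishable from a bounce for mail the list really sent, because SMTP never authenticated the envelope sender that the spammer forged. The standard way to make them distinguishable is Bounce Address Tag Validation (BATV): your own outbound MTA tags the envelope sender with an HMAC and an expiry, and at RCPT TO time any null-sender message (MAIL FROM:<>) whose recipient carries no valid tag is rejected with a 5xx, since you never sent anything with that return path. The block below is an added example, not code from either answer or from any product they mention; it implements a simplified version of the prvs tag format from the BATV internet-draft in plain Python. The key, domain, validity window, and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import time

# Constructed values for this example only; a real deployment keeps the key in a
# secret store and rotates it via the one-digit key id that is part of the tag.
BATV_SECRET = b"example-batv-key-not-for-production"
VALIDITY_DAYS = 7
KEY_ID = 0

# Tag layout: prvs=<key id><expiry day mod 1000><6 hex chars of HMAC>=<local>@<domain>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$")


def _today(now=None):
    """Days since the Unix epoch; `now` is injectable so results are deterministic."""
    return int((time.time() if now is None else now) // 86400)


def _tag(key_id, ddd, local, domain):
    """Six hex chars of HMAC-SHA1 over every field the verifier is going to trust."""
    msg = f"{key_id}{ddd:03d}{local}@{domain}".encode()
    return hmac.new(BATV_SECRET, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address, now=None):
    """Tag the envelope sender (MAIL FROM) of mail our own MTA is about to send."""
    local, domain = address.rsplit("@", 1)
    ddd = (_today(now) + VALIDITY_DAYS) % 1000
    return f"prvs={KEY_ID}{ddd:03d}{_tag(KEY_ID, ddd, local, domain)}={local}@{domain}"


def verify_return_path(address, now=None):
    """Validate the RCPT TO of an incoming bounce. Returns (valid, untagged_address)."""
    m = PRVS_RE.match(address)
    if not m:
        # No tag at all: we never used this bare address as a return path, so any
        # bounce to it is backscatter from mail somebody else sent in our name.
        return False, address
    key_id, ddd, sig, local, domain = m.groups()
    key_id, ddd = int(key_id), int(ddd)
    original = f"{local}@{domain}"
    if key_id != KEY_ID:
        return False, original
    if not hmac.compare_digest(sig, _tag(key_id, ddd, local, domain)):
        return False, original  # forged or tampered tag
    # Resolve the three-digit day field back to an absolute day, allowing for the
    # field wrapping around at 999.
    today = _today(now)
    expiry = today - today % 1000 + ddd
    if expiry < today - 500:
        expiry += 1000
    elif expiry > today + 500:
        expiry -= 1000
    if not today <= expiry <= today + VALIDITY_DAYS:
        return False, original  # replayed after the tag expired
    return True, original


def strip_tag(address):
    """Remove a prvs tag so the message is delivered to the real mailbox."""
    m = PRVS_RE.match(address)
    return f"{m.group(4)}@{m.group(5)}" if m else address


def rcpt_decision(mail_from, rcpt_to, now=None):
    """SMTP-time policy for one RCPT TO. Only null-sender messages (bounces, i.e.
    MAIL FROM:<>) are subject to the tag check, so ordinary mail addressed to the
    bare list address is never affected. Returns (accept, delivery_address)."""
    if mail_from != "":
        return True, strip_tag(rcpt_to)
    return verify_return_path(rcpt_to, now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tagged = sign_return_path("maillist@example.com", now=t0)
    print(tagged)
    print(rcpt_decision("", tagged, now=t0 + 86400))             # genuine bounce: accepted
    print(rcpt_decision("", "maillist@example.com", now=t0))     # backscatter: rejected
```

The check has to be applied at RCPT TO during the SMTP session rather than after acceptance, so the backscatter is refused with a 5xx and never fans out to the seven list members; rejecting only null-sender mail keeps normal senders, who never see the tag, unaffected. The caveat a practitioner should expect is that every MTA that legitimately sends mail for the domain has to tag, otherwise bounces for that mail will be refused too, and the tag also breaks sender-address-based allowlists on remote sites that key on the exact envelope address.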
Evan Cutler, Volunteer Chief Information Officer (author), commented:
Thanks much.
This helps a lot.