Web Hosting Talk

9GB per day in Spam


benusa
01-01-2004, 08:26 PM
There is a domain on my server receiving 9GB a day in spam.

1) each message is from a different IP
2) each message is from a different Sender
3) we get the same message up to 25 times
4) over 1000 emails in a few minutes
5) I can't track the IPs or users to anything
6) The only similarity is in the From "name", they all appear to be fraudulent people's names.
7) we tried doing a block sender, and Yahoo now blocked our entire server for excessive invalid email addresses.
8) several of the fake emails had Yahoo addresses, causing the block.

How do I stop this? How do I find the origin of these senders? If it stays at this rate, I will have to pay nearly $3000 in bandwidth overages from my provider. That's an expensive Spam problem.

If spammers think it's free to Spam, let me send you my bill!!

NE-Andy
01-01-2004, 08:30 PM
Pull the plug first, figure out solution later. Each minute you keep that thing online you're going to put forth some more cash because of the spam.

That's my say...

loopforever
01-01-2004, 08:32 PM
Rather than pulling the plug and affecting all clients, why not just suspend that domain and bounce all the e-mails?

JeremyL
01-01-2004, 08:33 PM
If it's all to the same domain, time to kill that domain.

Shazan
01-01-2004, 08:42 PM
I had the same problem. I removed formmail.pl from that domain and the SPAM stopped. The problem could be the same, maybe you have a vulnerable version of formmail.pl in the cgi-bin folder.

freakb0y
01-01-2004, 09:21 PM
3) we get the same message up to 25 times


If it is the same body, or the body contains the same link, why not just filter them at the server?

Perlboy
01-01-2004, 11:27 PM
MMM,

Could just add SpamAssassin + RBL checking. :)

Stuart

jasonl813
01-01-2004, 11:57 PM
You can submit e-mails to here http://www.spamcop.net/ and they will locate the spammers network and contact the admins of the network, data center, and servers for you. It's a free service.

Aushosts
01-02-2004, 12:44 AM
Why not just change the MX entry. If using cPanel it creates a host localhost.domain.com. point your mx entry to that.
Whoever is spamming will give up because it's pointless trying to send mail to 127.0.0.1 :D

Fahd
01-02-2004, 05:08 AM
Would you care to post a copy of the message headers please?

Detroit Red
01-02-2004, 07:53 AM
I'm surprised that he hasn't suspended the domain... assuming it's all to one domain

Aushosts
01-02-2004, 08:00 AM
Originally posted by Detroit Red
I'm surprised that he hasn't suspended the domain... assuming it's all to one domain
Well, doesn't mail continue to be delivered to suspended domains?

codywatkins
01-02-2004, 12:35 PM
Originally posted by SpiritAu
Well, doesn't mail continue to be delivered to suspended domains?
Filtering the spam at the server level will not do a lot for his bandwidth bill because all of that spam is still reaching the server. It might cut the bill in half since the filtered email will no longer be downloaded by the client.

Maybe if spam is rejected at the server when the initial delivery connection is made it could prevent the whole message from being delivered to the server.

mainarea
01-02-2004, 12:38 PM
Originally posted by codywatkins
Filtering the spam at the server level will not do a lot for his bandwidth bill because all of that spam is still reaching the server. It might cut the bill in half since the filtered email will no longer be downloaded by the client.
As SpiritAu said, just change the MX record on the domain so that it doesn't actually reach the server. The only bandwidth that will be used up is for DNS requests, which means that you'll go down from about 9GB of transfer to about 5MB of transfer per day. :)

- Matt

whatevah
01-02-2004, 08:37 PM
start using an RBL... they'll usually kill the connection to the mail server before it has a chance to send the mail. (so, maybe a hundred meg of transfer, depending on how many times it tries to connect)

there are many ways to implement this, I'll leave it up to you, since I don't know your system :)

good luck... DEATH TO SPAMMERS!

Hostlead
01-02-2004, 11:26 PM
Originally posted by freakb0y
If it is the same body, or the body contains the same link, why not just filter them at the server?

Because he is getting more spam than he can block on time (40 x 25 messages in only a few minutes).

HL

benusa
01-04-2004, 04:40 AM
Thanks for the great help. Here are a few more details:

1) I can't just shut off the domain. They are a big client, with a lot of email addresses. They would hang me out to dry if I did this.

2) I don't have access to MX records, and if I did, that would just shut off their email, which would be a problem.

3) formmail.pl did not exist, but could have, thanks for the idea there.

4) I already tried bouncing the emails, and I highly advise that nobody do this if you have the same problem. Yahoo blocked my server for all of New Year's Day because of excessive returned emails, and AOL also sent me many, many TOS notices and threatened to block the mails. Spammers use fake addresses at these providers to send, so be careful when bouncing.

I have SpamGuard on the server, but it's just not doing a thing. It doesn't seem to train very well.

Thanks for all your help!!

It's actually slowed down a little. Not as much email as there was. Logs show that it's ok for a couple of days, then they get hit again.

Perlboy
01-04-2004, 07:55 AM
Heya,

Have you tried adding a bunch of Realtime Black List addresses to your mail server setup?

Stuart

christopherw
01-04-2004, 01:02 PM
... but what if he's only managing a site on some shared hosting, and he can't do stuff like that? Then he's in trouble.


What are the addresses that all the spam's getting sent to? If it's common ones like webmaster@ or admin@ or recognisable names (and the addresses are plastered all over the site) then it's not surprising, especially if the site's a fairly high profile one. This probably won't stop the current spam, but could stop future address harvesting... Tried making a PHP spamproof emailer script that only has the To: addresses held in the code, which address spiders can't harvest as they can't see? The end user gets a form, a pulldown box with the list of possible recipients, and a send button, and the email addresses get hidden from public gaze.


(what's the url of the site out of curiosity?)
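The form-mailer design christopherw describes (recipients held only in server-side code, the visitor picks one from a pulldown) is also the fix for the formmail.pl abuse Shazan mentioned earlier in the thread. Here is an added example of that pattern in Python; it is not code from the thread or from any poster, and the addresses, domains and field names are placeholders:

```python
"""Added example (not from the thread): a contact-form mailer that keeps the
recipient list server-side and refuses header injection, the two weaknesses
that let exposed formmail-style scripts be turned into spam relays.
Addresses and domains are placeholders."""
import re
from email.message import EmailMessage

# Recipients exist only here.  The form submits a key from the pulldown, never
# an address, so harvesters see nothing and a forged POST cannot pick a target.
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
SENDER = "webform@example.com"  # fixed From:, not taken from the form
_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormRejected(ValueError):
    """Raised for any submission that must not produce mail."""


def clean_header_value(value: str, max_len: int = 200) -> str:
    """A CR or LF in Name:/Subject: would end the header and let the poster
    append their own header lines.  Refuse rather than strip, so the attempt
    is visible in the web server's logs."""
    if _CRLF.search(value):
        raise FormRejected("newline in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise FormRejected("header field empty or too long")
    return value


def validate_reply_to(value: str) -> str:
    """Reply-To is the one visitor-supplied address; it must look like exactly
    one address and carry no line breaks."""
    value = clean_header_value(value)
    if not _EMAIL.match(value):
        raise FormRejected("malformed reply address")
    return value


def build_message(form: dict) -> EmailMessage:
    """Turn a submitted form into a message.  The insecure pattern this
    replaces is `msg["To"] = form["to"]`, which is how formmail-style
    scripts ended up relaying to arbitrary addresses."""
    key = form.get("recipient", "")
    if key not in RECIPIENTS:
        raise FormRejected(f"unknown recipient key {key!r}")
    msg = EmailMessage()
    msg["To"] = RECIPIENTS[key]
    msg["From"] = SENDER
    msg["Reply-To"] = validate_reply_to(form.get("email", ""))
    msg["Subject"] = "[web form] " + clean_header_value(form.get("subject", ""))
    msg.set_content(form.get("message", "")[:10_000])  # cap body size
    return msg


def try_build(form: dict):
    """Return ("ok", recipient) or ("rejected", reason); handy for exercising
    the checks against constructed submissions."""
    try:
        return "ok", str(build_message(form)["To"])
    except FormRejected as exc:
        return "rejected", str(exc)
```

The message returned by `build_message` is what you would hand to `smtplib` (or a local sendmail); the point is that every header the visitor can influence is either replaced by a server-side constant or validated before it is set.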

dynamicnet
01-05-2004, 10:26 AM
Greetings:

SPAM prevention through the use of real time black hole lists can dramatically cut down on the bandwidth and disk space utilized by SPAM senders who provide no compensation for servers used.

http://moensted.dk/spam/ provides a reasonably solid list of RBL providers.

You can set up most mail servers to work with multiple RBLs to get the most reduction in SPAM.

You do need to do your homework to ensure you are using RBLs that will not be an imposition to your customers, and that will meet your goals.

Some RBL providers are extremely reasonable and quick to remove IP listings that should not be in their database; others may not do any removals, and some may take weeks.

While each provider should pick the RBLs that work best for their customer mix, we've found spamhaus.org and spamcop.net along with rfc-ignorant.org to be among the most common in any given mix.

Our parent company, http://www.dynamicnet.net/ takes a mixed approach of using RBLs, tagging what SPAM does come in with Spam Assassin from http://www.spamassassin.org/, and utilizing a custom enhancement to iptables which will outright block SPAM senders who fall into the category of mail bombing or mail SYN flooding.

The end result, at least for our parent company and customers, is an approximate 90 to 95% reduction in SPAM, a false tag ratio of less than 1%, and a missed tag ratio of less than 5%.

Please consider enabling RBLs on your mail server, installing Spam Assassin, and working with your firewall to handle odds and ends.

If you are in a shared hosting environment, please contact your provider requesting they take these steps.

Thank you.
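Several posts in this thread (codywatkins on rejecting at the initial connection, whatevah on RBLs killing the connection before the body is sent, freakb0y on filtering identical bodies, and dynamicnet's RBL write-up above) describe the same two-stage idea. The following is an added example, not code from the thread or from any poster, showing how a DNSBL lookup is formed and how a connect-time reject differs from a body filter. The DNS resolver, the `dnsbl.example` zone and the sample traffic are constructed stand-ins; real deployments query real zones such as the ones dynamicnet names.

```python
"""Added example (not from the thread): refuse listed senders at SMTP
connect time and drop repeated bodies at DATA time.  The DNS resolver and
all sample traffic below are constructed stand-ins."""
import hashlib
import ipaddress
import re
from collections import Counter
from typing import Callable, Iterable, Optional

# Constructed DNS answers.  "dnsbl.example" is a placeholder zone (real
# deployments query zones such as zen.spamhaus.org); 192.0.2.0/24 is
# documentation address space.  NXDOMAIN is modelled as a missing key.
FAKE_DNS = {"7.2.0.192.dnsbl.example": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the client's IPv4 octets under the zone:
    192.0.2.7 checked against dnsbl.example becomes 7.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_in(ip: str, zones: Iterable[str],
              resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first zone listing the IP.  A listing is an A record in
    127.0.0.0/8; anything else (or no record) means not listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.IPv4Address(answer) in loopback:
            return zone
    return None


def smtp_connect_verdict(client_ip: str, zones: Iterable[str],
                         resolve: Callable[[str], Optional[str]]) -> str:
    """Greeting-time decision.  A 554 here closes the session before the
    client can issue DATA, so the body is never transferred (the bandwidth
    saving), and nothing was accepted, so there is no bounce to send to a
    forged yahoo.com or aol.com address (the backscatter problem benusa hit)."""
    zone = listed_in(client_ip, zones, resolve)
    if zone is not None:
        return f"554 5.7.1 Service unavailable; {client_ip} is listed by {zone}"
    return "220 mail.example ESMTP"


_WS = re.compile(r"\s+")


def body_fingerprint(body: str) -> str:
    """Hash of the body with case and runs of whitespace normalised, so the
    same message re-sent with cosmetic changes still matches."""
    canonical = _WS.sub(" ", body).strip().lower()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DuplicateBodyFilter:
    """Rejects a body once it has been seen more than `threshold` times.
    This runs after DATA, so the bytes have already arrived; it only saves
    the delivery to the mailbox and the download by the client."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.seen: Counter = Counter()

    def should_reject(self, body: str) -> bool:
        fp = body_fingerprint(body)
        self.seen[fp] += 1
        return self.seen[fp] > self.threshold


# Constructed traffic: (client IP, message body).
SAMPLE_TRAFFIC = [
    ("192.0.2.7", "Cheap meds, click here"),
    ("192.0.2.7", "Cheap meds, click here"),
    ("192.0.2.8", "Buy now"),
    ("192.0.2.9", "buy   NOW "),
    ("192.0.2.10", "Buy now"),
    ("192.0.2.11", "Hi, invoice attached as discussed."),
]


def run_demo(threshold: int = 2) -> tuple:
    """Feed the sample traffic through both stages; returns
    (rejected at connect, rejected as duplicate, accepted)."""
    zones = ["dnsbl.example"]
    dup = DuplicateBodyFilter(threshold)
    at_connect = as_dup = accepted = 0
    for ip, body in SAMPLE_TRAFFIC:
        if smtp_connect_verdict(ip, zones, fake_resolve).startswith("554"):
            at_connect += 1
        elif dup.should_reject(body):
            as_dup += 1
        else:
            accepted += 1
    return at_connect, as_dup, accepted
```

`run_demo()` returns `(2, 1, 3)` on the constructed traffic: the two connections from the listed address never get past the greeting, the third copy of the "Buy now" body is refused after DATA, and the rest is accepted. The split between the two counters is the point mainarea and codywatkins were making: only the connect-time reject keeps the bytes off the wire, which is why an RBL (or an MX change) helps the bandwidth bill where a content filter alone does not.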