-
06-05-2005, 07:33 PM #1 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Urgent Help Needed: Domain being mailbombed
A little less than 2 weeks ago my web host deleted one of my domains (on a reseller account) without telling me. When I inquired about it they said that the account had received around 55,000 emails and they had to delete the account because of the server load. They agreed to move the account to a new server if I would take care of the mail problem, but they gave me absolutely NO information as to where the emails came from or anything. After only a few days the account on the new server was deleted but this time the host at least told me that it was deleted. This time the domain had received nearly 1 MILLION emails in something like 2 days. They can't (or won't??) help me out with tracking down this problem. The only information that they will give me is that this is probably a mailbomb and the emails are addressed to a variety of random addresses (none of which are real email accounts at this domain).
What causes a mailbomb, and more importantly, how do I get it to stop?? Without finding and eradicating the cause of the mailbomb this will most likely continue if/when I move the domain to a new host. There is no web host in the world that would tolerate this level of email abuse and my clients certainly don't want that much spam mail coming in and going out from their domain. Can anyone give me any clues as to what to do about this?? The web host that the domain got booted from is no help at all.
-
06-05-2005, 08:05 PM #2 Web Hosting Guru
- Join Date
- Jul 2004
- Location
- Reporting Live from Marrz
- Posts
- 257
The only information that they will give me is that this is probably a mailbomb and the emails are addressed to a variety of random addresses (none of which are real email accounts at this domain).
Greater experts on this forum than me will give you even better input on those issues, but this looks to me like a not-too-well-configured mail system on the box.
-
06-05-2005, 08:18 PM #3 WHT Addict
- Join Date
- May 2004
- Posts
- 168
I can help you, I've been you.
In fact, my company's domain name gets 40000 emails a day and it's on a shared account.
First of all, switch hosting companies. And not just for that domain, for everything. You're with a crappy hosting company. Here's what happened to me:
I have a shared account with pair.com (among others). They bothered me once and said they wanted me to add mail rules because one of my domains was getting 40000 emails a day. I had no idea because I had written perl filters for the domain that basically bounced or trashed all of it. But they wanted rules instead of a perl filter because the perl filter was "just as bad as delivering".
So anyway, I was in a similar situation because not only did I not know that this was happening, but there's no way I could see if any new rules I would try were working- only pair could get those stats "40000 emails a day". It wasn't in the cp anywhere.
So anyway, I've been working on the web professionally for 6 years so I knew they were just whining. I said "I'm not over my monthly quota right? The monthly quota includes emails, and I can see the stats for my bandwidth use in the cp. Why can't you just consider this part of my normal service- instead of taking web traffic I'm taking email traffic. I pay for email and web right?"
And also "There isn't a limit in your contract or guidelines about the quantity of email I can receive, nor the ratio of email to port 80 traffic."
They kind of wavered a bit and just said well yea but we'd like you to fix it. I had that pair account for 5 years at that point.
So anyway I went looking for other hosts. I even emailed isp's and said "I have a domain that's getting 40000 emails a day, and hardly any web traffic. I want to sign up for a shared account with you. You got a problem with that?"
I think I asked like 3 or 4, all of them said "no problem come host with us".
I even looked into virtual servers and dedicated just for comparison. I made a post on WHT about it:
http://www.webhostingtalk.com/showth...hreadid=350758
The phrase "P2 400 with 256 ram" was taken from one of my argument emails with pair. I know exactly how much such a machine would cost and I pointed out that it could handle that volume of 40000 emails 10 times over if that was its only job. (Since bandwidth usage isn't an issue, then what else is there- processor time?)
I told pair to either lift the threat of cancelling my account, or I'll just switch to any of the 7 other hosts that apparently have no problem with me getting that much email. But the point was- don't hang it over my head like a threat- either decide to cancel me now or decide you won't cancel me over this. I'm not promising to fix anything.
So they backed down. I later talked with one of their techs I've worked with in the past, explained how I have the perl filters set up, and he agreed there was no way for me to do that in rules instead. I'm still with pair (among other hosts).
Who's your hosting company? so I know to avoid them.
-
06-05-2005, 08:47 PM #4 Web Hosting Guru
- Join Date
- Jul 2004
- Location
- Reporting Live from Marrz
- Posts
- 257
I'll just add: There are a zillion ways to implement various instruments of rejecting and validating mail flow, and as many of them should be employed before mail even gets to the MTA, let alone SpamAssassin, Perl filters etc. A webhost can really do many things (and probably didn't in this case, at least it looks like it from hcm2's post) to ensure efficient large-scale mail filtering with the minimum possible server load.
On this 'legally-not-protected-and-regulated-well-yet' internet, those of us doing legitimate business are under hits from various exploiting tools, techniques etc., and usually someone makes nice tools to help us defend ourselves, so in most cases - where there is a problem there is a way to solve it... if there is a will.
-
06-05-2005, 09:31 PM #5 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by SupaDucta
Properly configured MTA...
Originally posted by Rotwang
Who's your hosting company? so I know to avoid them.
-
06-05-2005, 10:55 PM #6 learning is in the doing
- Join Date
- Sep 2000
- Location
- Alberta, Canada
- Posts
- 3,146
MTA = Mail Transfer Agent
As a Hoster who has had and still has Clients in the same situation, I would (and do) request that 'catch-all' eMail be set up to use :fail: as the Default address for the account and/or use the eMail Filters available for setup through the Control Panel. Most any Hoster is going to have some Clients that fall into this type of situation and working together is the best way to solve the problem.
With Clients using :fail: as the default eMail address and the Hoster using script(s) to prevent or stop Dictionary attacks, which we do, these types of problems are easily solved.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available
-
06-06-2005, 12:33 PM #7 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
Just to back up the above comment with a real life example, I had a domain moved to my server recently. When first moved, it was set to blackhole and was receiving 70,000 emails a day, nearly all spam.
We changed the settings to :fail: and within a day it went down to 48,000 and within the next 5 days the levels returned to something like a few hundred emails per day. The effect on the machine load was amazing - the load went from an average of 0.5 to 5-6 consistently with :blackhole: and dropped back down again as soon as I switched to :fail:.
I also had the dictionary attack exim config changes made - see configserver.com for a cpanel solution. I think these are primarily responsible for the spam levels dropping.
I had to laugh, I have no idea how the other server company could have been coping with that sort of spam load consistently with those settings.
And of course, in this case, a few hundred non-spam messages could easily be filtered. It's the wildcard acceptance of email plus the blackhole setting that's probably causing the problem. (And perl scripts are just as bad as blackhole). See this link for why :blackhole: doesn't work.
So, finally, to answer the original poster's request, here's a solution I'd go with:
- Check that the host you are moving to has Dictionary attack protection and work out a deal with them that they're prepared for an onslaught.
- Ensure you have :fail: set for your domain
- Turn OFF wildcard email delivery for your domain (ie don't use catchall)
The dictionary attack settings will turf out the incoming mailbomb/dictionary attack as time progresses - it may take a week or so for it to die down. You should see an immediate drop in load on the machine just by moving to using the :fail: settings, and by turning off wildcard.
In my opinion, the top hosts will actually already know this and won't need you to explain it - so search around to find someone who understands this stuff. Certainly, a good host would not delete you without explaining carefully what was happening and giving you some alternatives so definitely look elsewhere.
If you moved to me, I know I'd want something extra for taming this one, but look enough and you might find others that don't care. (The good news is that if you've been offline for a week or so the mailbomb/dictionary attack should have stopped or significantly abated).
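A small load model of the three catch-all behaviours brianoz contrasts above (and the "reject, don't catch-all" advice later in the thread). This is an added example, not cPanel or Exim configuration: the mailbox names, IP addresses and message sizes are constructed, and the per-IP guess limit is an assumed stand-in for the exim dictionary-attack changes he mentions, not their real logic.

```python
"""Load model for the three catch-all behaviours discussed in this thread.
Constructed example: not cPanel or Exim configuration, just an illustration
of why :fail: (reject at RCPT time) is so much cheaper than :blackhole: or a
catch-all that accepts everything and sorts it out later."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed: the only real mailboxes at the domain.
VALID_MAILBOXES = {"sales", "info", "bob"}


@dataclass
class Stats:
    accepted: int = 0        # messages whose body the server took in full
    delivered: int = 0       # messages that then went on to a mailbox/filter
    rejected_rcpt: int = 0   # refused with 550 at RCPT TO, no body transferred
    dropped_tarpit: int = 0  # refused because the client tripped the guess limit
    bytes_received: int = 0
    blocked_ips: set = field(default_factory=set)


def rcpt_decision(local_part, policy):
    """SMTP reply code for RCPT TO:<local_part@domain> under a given policy.

    catchall  - accept every address and deliver it to the default account
    blackhole - accept every address, discard the unknown ones after receipt
    fail      - reject unknown addresses with 550 before any DATA is sent
    """
    if local_part in VALID_MAILBOXES:
        return 250
    return 550 if policy == "fail" else 250


def run(messages, policy, max_unknown_per_ip=5):
    """Feed (client_ip, local_part, size_bytes) tuples through the policy.

    The per-IP guard is an assumed stand-in for the exim dictionary-attack
    changes mentioned in the thread, not their real logic: after
    max_unknown_per_ip rejected recipients the client is refused outright.
    """
    stats = Stats()
    unknown_hits = Counter()
    for client_ip, local_part, size in messages:
        if client_ip in stats.blocked_ips:
            stats.dropped_tarpit += 1
            continue
        if rcpt_decision(local_part, policy) == 550:
            stats.rejected_rcpt += 1
            unknown_hits[client_ip] += 1
            if unknown_hits[client_ip] >= max_unknown_per_ip:
                stats.blocked_ips.add(client_ip)
            continue
        # 250: the server now has to receive the whole message.
        stats.accepted += 1
        stats.bytes_received += size
        if policy == "catchall" or local_part in VALID_MAILBOXES:
            stats.delivered += 1
    return stats


def constructed_traffic():
    """100 guessed local parts from one attacking host, plus two real mails."""
    attack = [("198.51.100.7", f"user{i}", 4000) for i in range(100)]
    legit = [("203.0.113.9", "sales", 3000), ("203.0.113.9", "bob", 2500)]
    return attack + legit


if __name__ == "__main__":
    for policy in ("catchall", "blackhole", "fail"):
        s = run(constructed_traffic(), policy)
        print(f"{policy:9s} accepted={s.accepted:3d} delivered={s.delivered:3d} "
              f"rejected={s.rejected_rcpt:3d} tarpitted={s.dropped_tarpit:3d} "
              f"bytes={s.bytes_received}")
```

Under catchall and blackhole the server still receives every one of the 100 guessed messages; under fail it takes in only the two real ones and stops talking to the guessing host after five misses.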
-
06-06-2005, 12:51 PM #8 Junior Guru
- Join Date
- Oct 2003
- Location
- Long Island, New York
- Posts
- 220
The above poster has just about everything correct. Only a misconfigured server will suffer horribly under an email deluge.
TWSites.com - Business Web Hosting Solutions & Server Management Since 2003
-
06-06-2005, 02:11 PM #9 Web Hosting Master
- Join Date
- Jan 2002
- Location
- Scotland
- Posts
- 919
I have to disagree with some of the posts above, as when the sheer volume of emails comes piling in, even the most tightly configured server can suffer.
You may also find you are not being "mailbombed" or dictionary attacked. Last year I was getting hit with upwards of 1.75 million emails a day, most of which were being filtered out before delivery, but it still brought 3 mail servers to their knees at times, and even the best in the industry (I know they cost enough) could not offer any real help; in fact two premium email services refused flat out to handle my domain.
In the investigation of the problem I discovered that the vast majority of emails were "bounce backs" coming from poorly configured servers rejecting emails spoofed with my domain; if this is your problem then waiting for the dictionary attack to end will be fruitless.
Nil illegitimi carborundum
I'm getting old and don't do drugs. I get the same effect just standing up fast.
-
06-06-2005, 03:18 PM #10 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Somewhere I read something about "open relay" and that it should be turned off to prevent spamming. I forgot to bookmark the page and now I can't find it. Would turning "open relay" off also help to curb the mailbomb/spam problem, or is that a different issue altogether?
-
06-06-2005, 05:45 PM #11 WHT Addict
- Join Date
- May 2004
- Posts
- 168
I don't think that's your problem here. Was your machine set up by the ISP or you? It's unlikely that anyone would set up a mail server with open relay anymore. 10 years ago maybe, but not anymore.
brianoz what hosting company are you with? I want to know so I can avoid you. If I want to use catchall on my domain getting 40000 emails, and process it with a perl script, and your company wouldn't let me, I'd laugh and go to any of the other 90% of companies in the industry who'd be glad to take me, and rightfully so since it's well within the bounds of what I'd be paying for anyway. Your company sounds like one of those that offer "10 terabytes/mo" and then cancels users' accounts when they actually use more than 10 g/mo.
-
06-06-2005, 08:39 PM #12 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by brianoz
So, finally, to answer the original poster's request, here's a solution I'd go with:
- Check that the host you are moving to has Dictionary attack protection and work out a deal with them that they're prepared for an onslaught.
- Ensure you have :fail: set for your domain
- Turn OFF wildcard email delivery for your domain (ie don't use catchall)
Set Catch-All e-mail
Fail: The sender is notified that the address doesn't exist
I guess the rest of the (former) host's server settings weren't up to par.
-
06-06-2005, 10:29 PM #13 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
hcm2 - most of my comments were aimed at cpanel and exim, I can't really speak for a DirectAdmin server. It does sound like they could have done with some sort of mailbomb/dictionary attack blocks, but who knows now?
Rotwang - if you actually want to receive 40,000 emails then that would be completely another issue! However, that's pretty unusual, and in this instance it appears to have been mostly spam going to catchall addresses being processed by Perl scripts where it would have been better done by an exim :fail: so the emails didn't have to get onto the machine. If people have an actual use for that number of emails, that's fine, but if they're misusing a feature and it's impacting a server then I'd be wanting to ask them to look at doing things properly to benefit us both mutually. I'd have to wonder how a small company could actually even process 40,000 emails per day!!
And no, I don't promise 10 terabytes a day, I don't know how you made that somewhat unreasonable - and somewhat discourteous - deductive leap from anything I said!! Are you one of those customers who expects 10 terabytes a day for $2 a month? Cancelling customer accounts for resource usage is an absolute last resort and one that should never, ever be used!! A more appropriate solution is to work with the customer, providing them with the information they need to get a solution that works for both of you - after all, you want your server to be fast, right?
I think you'll find few companies would be keen to take on a domain receiving 40,000 spams a day. This is actually responsible hosting - common sense dictates that I work with my customer to help them reduce their incoming spam so other users on my servers - who don't have this problem - aren't impacted. And frankly, that's just good service, which has to be what it's all about, right? They win, and I win, and I get a customer for life, which is also what it's all about - long term partnership. The particular customer I spoke of that had 70,000 incoming spam per day was beside themselves with gratitude when the problem was resolved for them and spontaneously offered to write a testimonial for us.
Last edited by brianoz; 06-06-2005 at 10:36 PM.
-
06-07-2005, 12:59 AM #14 WHT Addict
- Join Date
- May 2004
- Posts
- 168
First of all, my statement wasn't that you claim 10 terabytes and only give 5 gig, my statement was "that's like one of those companies that offers 10 terabytes and then cancels a customer for using 5 gig". It's called a metaphor. (If I say "it sounds like you're throwing the baby out with the bathwater" are you going to ask me where I got the idea that your hosting company also provides daycare services?)
Would you or would you not pull an account for getting 70000 spam emails and choosing to process them with a perl script? If the answer is yes, then your cleverly worded statements like:
"This is actually responsible hosting - common sense dictates that I work with my customer to help them reduce their incoming spam so other users on my servers - who don't have this problem - aren't impacted. And frankly, that's just good service, which has to be what it's all about, right? They win, and I win, and I get a customer for life, which is also what it's all about - long term partnership. "
The idea that you decide how a customer wants to use the resources he paid you for is nutty. Oh sure- I understand "don't break the law and don't sell porn" etc etc. But you're making judgements on what type of email you'll allow the customer to get? 40000 of this is ok but not 40000 of that? If the customer is within the bounds of what he paid for then that's that with that.
And as for this:
I think you'll find few companies would be keen to take on a domain receiving 40,000 spams a day.
-
06-07-2005, 03:32 AM #15 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
Originally posted by Rotwang
It's called a metaphor.
Would you or would you not pull an account for getting 70000 spam emails and choosing to process them with a perl script?
If, for some reason I just haven't thought of, there was no other way to handle whatever was being done with the Perl scripts then, No, I would not pull the account. Frankly, I've never pulled an account for resource abuse and I hope never to have to do so. I haven't ever threatened to do so, and would never even consider that path without discussion with the customer impacting the server. Honestly, give me a break, some of us are actually committed to serving our customers well.
The idea that you decide how a customer wants to use the resources he paid you for is nutty. ... If the customer is within the bounds of what he paid for then that's that with that.
And, no, in my case, it's not nutty. In my case, I actually do know better than (many of) my customers. I've taught sysadmin, and Perl, both professionally and at senior college level. I script in PHP, Perl, Shell, Awk/Sed, Python (rusty) and C (even rustier now). And yes, sometimes I'm arrogant! In any case, I do know these things well, and where I lack information I know the industry experts who will know (eg Chirpy, et al). In the end a real life customer actually cares more about getting the job done well than how it is done. My job is to help them find the most effective way to get the job they want done and I'm committed to that.
See my first post. I had a hard time finding companies that would reject my 40000 spams-a-day domain processing them with a perl filter.
I think the real point here is that you experienced what I would term inadequate support from your existing hosting company. If you'd had adequate support (eg: being given mail logs, etc, and good technical advice, not just "fix it or else") we wouldn't be here discussing this now. If you'd been my customer for 5 years on a reasonable plan, we would have solved the problem for you in a way that left you satisfied and delighted, as we have for others. After all, most of our marketing is done through referrals at the moment. Ripping customers off just isn't good business; creating long term partnerships is.
Cheers
ps: On completely another note, it is probably possible to process your email with Perl scripts with considerably less impact if you do it a little differently. Most of the system impact is on startup and module load time and that could be substantially reduced by running your script as a daemon. If you're interested in some ideas on how to do that, I'm happy to chat via PM.
Last edited by brianoz; 06-07-2005 at 03:44 AM.
-
06-07-2005, 12:37 PM #16 WHT Addict
- Join Date
- May 2004
- Posts
- 168
It's a question that doesn't make sense, and I think that's the point you're missing. It doesn't make sense to process 40,000 mail messages a day via Perl scripts - only someone who doesn't understand system admin or performance would want to do that! It poses a big load on the system, and it doesn't do the job well. There are better tools for the job, that's the point. Why would you persist in doing something the wrong way when there's no advantage to you or to the system??? Surely, as a man of reason, you wouldn't, in real life.
That catches about 85% of it. I think I could write that as a procmail filter, and I offered, but pair said no thanks, procmail is about as bad as the perl scripts.
If, for some reason I just haven't thought of, there was no other way to handle whatever was being done with the Perl scripts then, No, I would not pull the account.
I've taught sysadmin, and Perl, both professionally and at senior college level. I script in PHP, Perl, Shell, Awk/Sed, Python (rusty) and C (even rustier now). And yes, sometimes I'm arrogant!
If these other companies are so good, why didn't you change to them? I'd want to consider whether they might have 20 other customers getting 40,000 emails a day running Perl scripts and hence servers that are unbelievably slow! Would you want them to say yes to 10 other customers like you?
-
06-07-2005, 01:39 PM #17 Web Hosting Master
- Join Date
- Jul 2002
- Location
- Directadmin Core
- Posts
- 770
Originally posted by brianoz
Ahh metaphors ... thanks for the English lesson, I now consider myself educated!!!
I think the real point here is that you experienced what I would term inadequate support from your existing hosting company. If you'd had adequate support (eg: being given mail logs, etc, and good technical advice, not just "fix it or else") we wouldn't be here discussing this now.
In fact, the customer WAS given the maillogs, and they're still visible today on the txt file I posted for her:
http://www5.privatelabeldns.com/powerhors671.txt
I don't have the data to dispute your assessment of MTA configurations; this is a standard Exim configuration, with SpamAssassin 3.0.2 installed.
I've put in a support request with DirectAdmin to clarify some of these questions/claims - I expect to be hearing from them shortly.
Joe Mack
Owner
HostPC Internet Services
http://www.hostpc.com
DirectAdmin servers for hosting, resellers and your dedicated needs.
Hosting, Resellers, Dedicated Managed and Unmanaged servers
Hosting since 11/98 - Specializing in DirectAdmin since 8/03
-
06-07-2005, 02:45 PM #18 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by hostpc.com
That's professional, make an assumption like that before you know all the facts.
In fact, the customer WAS given the maillogs
As to your statement about providing me with maillogs: yes, you did, but to a layman this information is useless. All it does for me is prove that a lot of mail was sent to the domain from a lot of different addresses, which you already told me. It's important to note that this maillog wasn't provided until after the second attack (no information was given to me after the first attack, just a "take care of this or else" type of statement) which was after you had already deleted my account and after I pleaded for more information about what was going on. I asked for IP addresses and some example emails so I can see the headers, etc, and any other kind of information I could use but I was given nothing, and certainly not anything close to "adequate support". Had I not pleaded for more information the maillog would not have been provided. Also, my account was deleted the first time without anyone even notifying me! I wasn't told about anything until after I put in a support ticket to say that one of my sites was down and to ask if there was a server outage. Even if the second mailbomb had not occurred, not even notifying your client that their account was deleted is just extremely bad customer service at the very least.
-
06-07-2005, 04:11 PM #19 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Karachi, Pakistan
- Posts
- 748
Like quite a few people have pointed out, it's probably a misconfigured mail-server. Check for Open-Relay, implement RDNS, SPF, try not to host any catch-all, implement a DNSBL check, turn on tarpitting, disable your retry due, disable bounce back, simply delete/reject email. This should solve a lot of your problems. Especially the RDNS and DNSBL and tarpitting.
"I drink too much. The last time I gave a urine sample it had an olive in it. ".
Rodney Dangerfield (from "I Get No Respect!").
-
06-07-2005, 07:00 PM #20 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by hostpc.com
That's professional...
In fact, the customer WAS given the maillogs, and they're still visible today...
-
06-07-2005, 08:21 PM #21 Senior Tech Consultant
- Join Date
- Jul 2002
- Posts
- 1,527
Yes, and it's professional to come to Web Host Trashing (aka WHT) to bitch.
As for Rotwang..well, clueless is clueless.
-
06-07-2005, 08:48 PM #22 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by ArtieFishill
Yes, and it's professional to come to Web Host Trashing (aka WHT) to bitch.
I'd like to thank everyone that gave useful information and advice about this issue. Hopefully I will not run into this problem at my new host, but if I do I am assured that they will work with me to solve the problem rather than booting me with no explanation.
-
06-08-2005, 02:06 AM #23 Senior Tech Consultant
- Join Date
- Jul 2002
- Posts
- 1,527
Well, I can almost guarantee that if you get mailbombed with 1 million emails, any host will remove your site.
-
06-08-2005, 02:32 AM #24 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
Goldwing: what you described is known as a joe-job and it's difficult or impossible to defend against one, you mostly have to wait till it dies down! I've heard of a few sites being closed over the years due to successful joe-jobs - what a nightmare. I suppose SPF might help, the problem being that hardly anyone implements it.
As for my friend Rotwang - you missed much of my last post, the main point being that should a problem like yours occur on a server of mine, I would solve it for my customer so they were happy, without their time or effort. You also missed that you were solving the problem the wrong way and that faster and simpler solutions are available. Of course, programmer time is a trade-off with efficiency - the actual rule is you only bother to tune where it makes a big difference - as in this case. You also missed that a quality server costs a helluva lot more than 10 accounts!!
In fact you missed so much of what I said that I'm afraid I'm going to need to use my 15 minutes of arrogance for the day all in one hit and in the words of Oscar Wilde, refuse to have a battle of wits with an unarmed man.
Cheers guys, thanks for a really interesting discussion.
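To show how SPF bears on the bounce-back flood Goldwing described and the joe-job brianoz names above, here is a minimal SPF evaluator over a constructed DNS table. This is an added example, not code from the thread or from any MTA: the domains, addresses and TXT records are made up, only the ip4/ip6/include/all mechanisms are implemented, and the SMTP reply mapping at the end is one plausible policy, not a standard.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table.

Added example for this thread: shows how a receiving server that checks SPF
can refuse mail forged with your domain at SMTP time instead of accepting it
and bouncing it back to you (the "bounce-back"/joe-job flood described above).
Only ip4, ip6, include and all are implemented; a, mx, ptr and exists would
need live DNS and are treated as permerror. Not exim configuration."""
import ipaddress

# Constructed TXT records standing in for DNS lookups. None = no record.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.1 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def check_spf(domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip
    claiming to send as domain (the MAIL FROM / HELO domain)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_spf(argument, client_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # include of a missing/broken record
        else:
            return "permerror"            # mechanism not supported here
    return "neutral"                      # nothing matched, no 'all' term


def smtp_action(spf_result):
    """One plausible receiving-MTA policy (assumed, not a standard). Rejecting
    at SMTP time means no message is accepted and so no bounce is ever sent
    to the forged sender; accepting and bouncing later is the backscatter
    that floods the spoofed domain."""
    if spf_result == "fail":
        return "550 5.7.1 SPF check failed; rejected at RCPT time"
    if spf_result == "softfail":
        return "250 accept, add Received-SPF: softfail for filtering"
    return "250 accept"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.25"),
                       ("example.com", "2001:db8:1::5"),
                       ("example.com", "198.51.100.7"),
                       ("softfail.example", "198.51.100.7"),
                       ("nospf.example", "198.51.100.7")]:
        result = check_spf(domain, ip)
        print(f"{domain:18s} {ip:16s} {result:9s} -> {smtp_action(result)}")
```

The caveat brianoz raises still applies: this only helps when the servers that receive the forged mail actually evaluate the record, and an `~all` or missing record gives them nothing to reject on.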
-
06-08-2005, 08:08 PM #25 Newbie
- Join Date
- Jun 2005
- Posts
- 8
Originally posted by ArtieFishill
Well, I can almost guarantee that if you get mailbombed with 1 million emails, any host will remove your site.