Large Mail Provider Throttling

As probably many of you have already experienced, we have been hit
with mailbombs with forged Hotmail (or other large provider) addresses
recently.

This has resulted in the large provider throttling our mail flow which
forces messages to be placed into our local queue for retry at a later
time. This ultimately has resulted in our customers reporting delays
in emailing such large providers (i.e. Hotmail).

To protect ourselves from delayed mail, we have implemented several
system wide rules to block Autoreplies and Undeliverable messages from
being sent to the large providers. Unfortunately, this has resulted in
many complaints from customers (since it's all or nothing). We have so
far left these rules enabled 24x7, since the system already becomes
degraded by the time we realize an event is occurring.

I was interested to see what other techniques or steps people have
taken to protect themselves from these types of threats and whether
they have managed to handle a large number of accounts without preventing
AutoReplies and Undeliverable messages to large providers.

For instance, has anyone been able to approach such large providers
and request special handling of mail coming from their system (higher
throttling threshold for example)?

Thanks in advance,

Edward Gray
Director, Operations & Networks
Tucows.com Co.
egray@tucows.com

Edward Gray wrote:

To protect ourselves from delayed mail, we have implemented several
system wide rules to block Autoreplies and Undeliverable messages from
being sent to the large providers. Unfortunately, this has resulted in
many complaints from customers (since it's all or nothing). We have so
far left these rules enabled 24x7, since the system already becomes
degraded by the time we realize an event is occurring.

You might want to

* Use a mailserver that can reject rather than bounce email (that is, a mailserver where the smtpd process has a view of the userdb)

* Use a "current spam source" blocklist like cbl.abuseat.org, as well as a good open proxy blocklist like opm.blitzed.org

* Set up SpamAssassin to trash rather than later bounce email that does get through your filters and has a high enough spam score.

* Do some HELO filtering (HELO hotmail.com from an IP with rDNS that doesn't say hotmail? HELO your.own.ip or HELO your.own.domain from an untrusted IP that you don't relay for / that someone hasn't authenticated from? REJECT) :)

* I'd add that a simple header check to reject (or preferably, discard) any mail with the string ".mr.outblaze.com" in any Received: header will get rid of a lot of spam for you.

There are a few other things, but these will be off topic here. Please feel free to mail me offlist.

  srs

There is a package that is being developed right now that basically will
squelch emails received from some domain.com address if the sending IP
address isn't in the list of permitted addresses.

Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe
Dropping from domain.com by doing a look up on a TXT record similar to
dccnet.com. IN TXT "v=spf1 mx ptr ip4:24.207.1.0/24 -all". This would block
mail with a FROM: address of *@dccnet.com that didn't relay through any of
the MX hosts, originate from any broadband client address (from the PTR
record) or from the 24.207.1.0 Class C address space.

As this project is fairly new, there aren't many large domains making use of
it, and the tools available aren't mature enough for some email
implementations (mobile users making use of Hot Spots with SMTP Hijacking
and no submit port opened) for which the sending users IP address isn't
known. However, I do believe this project will pick up favor to help
eliminate one source of address forgery, which I believe would have helped
in your situation.

AOL had made use of this for 24 hours earlier this month and it resulted in
the blocking of a large volume of spam addressed from aol.com (not
originating from aol.com address space). Hopefully sites like yahoo,
hotmail and others

Of course the cows have left the barn, but it's definitely worth looking at.

Cheers,

Aaron
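As an added illustration of how a record like the one quoted above is evaluated (example code written for this page, not code from spf.pobox.com or any SPF library): a minimal SPF v1 evaluator for the mx, ptr, ip4 and all mechanisms, run against an embedded DNS table rather than live lookups. The TXT record text is the one in the message; the MX, A and PTR entries, the host names and the client addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed assumptions. The ptr case also shows why the reverse name must forward-confirm: an attacker who controls their own PTR but not the A record under dccnet.com still fails.

```python
"""Minimal SPF v1 evaluator: mx, ptr, ip4 and all mechanisms with +/-/~/?
qualifiers, run against an embedded DNS table instead of live lookups.
Example code for this page, not from spf.pobox.com or any SPF library."""
import ipaddress

# Constructed DNS data. The TXT record text is the one quoted in the thread;
# the MX, A and PTR entries are assumptions using documentation address ranges.
DNS = {
    "TXT": {"dccnet.com": ["v=spf1 mx ptr ip4:24.207.1.0/24 -all"]},
    "MX": {"dccnet.com": ["mail.dccnet.com"]},
    "A": {
        "mail.dccnet.com": ["192.0.2.10"],        # the domain's MX host
        "dsl-23.dccnet.com": ["198.51.100.23"],   # broadband client, forward-confirmed
        "bogus.dccnet.com": ["192.0.2.99"],       # name exists but points elsewhere
    },
    "PTR": {
        "192.0.2.10": ["mail.dccnet.com"],
        "198.51.100.23": ["dsl-23.dccnet.com"],
        "203.0.113.9": ["bogus.dccnet.com"],      # attacker controls rDNS, not the A record
        "203.0.113.5": ["spam.example.net"],
    },
}

RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Stand-in for a DNS query; returns a (possibly empty) list of answers."""
    return DNS.get(rrtype, {}).get(name, [])


def validated_ptr_names(ip, domain):
    """rDNS names of ip that lie under domain AND forward-resolve back to ip.
    Without the forward check, anyone who controls their own PTR could pass."""
    return [
        name for name in lookup("PTR", ip)
        if (name == domain or name.endswith("." + domain)) and ip in lookup("A", name)
    ]


def mechanism_matches(mech, arg, ip, domain):
    """Does one SPF mechanism match the connecting ip for the given domain?"""
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return ip in lookup("A", arg or domain)
    if mech == "mx":
        return any(ip in lookup("A", host) for host in lookup("MX", arg or domain))
    if mech == "ptr":
        return bool(validated_ptr_names(ip, arg or domain))
    raise ValueError("unsupported mechanism: " + mech)  # include, exists, a/24 ... omitted


def check_host(ip, domain):
    """Evaluate the domain's SPF record for a message arriving from ip.
    Returns pass, fail, softfail, neutral, or none (no SPF record published)."""
    records = [t for t in lookup("TXT", domain) if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain):
            return RESULT_OF_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match (no explicit "all")


def should_reject(mail_from, ip):
    """Reject at SMTP time when the MAIL FROM domain's policy says fail."""
    return check_host(ip, mail_from.rpartition("@")[2].lower()) == "fail"


if __name__ == "__main__":
    for ip in ["192.0.2.10", "198.51.100.23", "24.207.1.77", "203.0.113.9", "203.0.113.5"]:
        print(ip, check_host(ip, "dccnet.com"))
```

Mechanisms are tried left to right and the first match decides, so the MX host, the forward-confirmed broadband client and any address in 24.207.1.0/24 pass, and everything else falls through to -all. The "none" result (no record published) is the common case the message above points at: a domain that has not published SPF gets no protection from this check, which is why its value depends on the large freemail domains adopting it.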

Aaron Thomas [1/23/2004 8:28 AM] :

Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe
Dropping from domain.com by doing a look up on a TXT record similar to

[...]

As this project is fairly new, there aren't many large domains making use of
it, and the tools available aren't mature enough for some email

What I described in my earlier email (HELO filtering) is aimed at the same result. Only, it has to be done on a case-by-case basis. And it does allow road warriors.

The second way (slightly more radical, prone to a little more collateral damage, but does stop a LOT of spam) - stop accepting mail from commonly forged freemail domains if the mail originates from an IP with either

* no rDNS
* generic (dialup / cable / dsl) pattern rDNS
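Putting the HELO checks from the earlier reply and the rDNS rules just listed into one connection-time policy, as an added example (written for this page; not code from any of the posters or from a particular MTA): our own host name and address, the relay network, the freemail domain list, the rDNS table standing in for PTR lookups, the "generic rDNS" pattern and the sample sessions are all constructed assumptions. Authenticated sessions bypass the rules, which is the property that keeps road warriors working.

```python
"""SMTP connection-time policy: HELO sanity checks plus rDNS checks for
commonly forged freemail sender domains. Example code for this page; the
names, networks, rDNS table and sessions below are constructed."""
import ipaddress
import re

# --- constructed site identity (assumptions, not from the thread) ---
OUR_DOMAIN = "mail.example.net"
OUR_IP = "192.0.2.25"
# Networks we relay for; hosts here may legitimately HELO as us.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Sender domains forged often enough to justify the stricter rDNS rule.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}

# Constructed stand-in for PTR lookups (None = no rDNS at all).
RDNS = {
    "203.0.113.5": "dsl-5.isp.example",
    "203.0.113.6": None,
    "203.0.113.7": "dsl-7.isp.example",
    "198.51.100.7": "mx1.bigcorp.example",
    "198.51.100.8": "pool-198-51-100-8.isp.example",
    "198.51.100.9": "mx.hotmail.com",
}

# "Generic" end-user rDNS: an access-technology word, or an embedded IP.
# This pattern is the collateral-damage lever: widen it and you lose more
# legitimate mail from badly named but real mail servers.
GENERIC_RDNS = re.compile(
    r"\b(adsl|dsl|dialup|dial|cable|ppp|pool|dyn|dynamic|dhcp)\b"
    r"|\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}",
    re.IGNORECASE,
)


def is_trusted(session):
    """Authenticated submissions and our own relay networks bypass the rules."""
    if session.get("authenticated"):
        return True
    addr = ipaddress.ip_address(session["ip"])
    return any(addr in net for net in TRUSTED_NETS)


def evaluate(session):
    """Return ("reject", reason) or ("accept", "") for one session dict with
    keys ip, helo, mail_from and an optional authenticated flag."""
    ip = session["ip"]
    helo = session["helo"].lower().strip("[]")   # accept address literals too
    rdns = RDNS.get(ip)
    sender_domain = session["mail_from"].rpartition("@")[2].lower()

    if is_trusted(session):
        return ("accept", "")

    # 1. An outside host announcing itself with our own name or address.
    if helo in (OUR_DOMAIN, OUR_IP):
        return ("reject", f"HELO {helo} from untrusted {ip}")

    # 2. HELO claims a large provider but rDNS does not agree.
    for dom in FREEMAIL_DOMAINS:
        if helo == dom or helo.endswith("." + dom):
            if not rdns or not (rdns == dom or rdns.endswith("." + dom)):
                return ("reject", f"HELO {helo} but rDNS of {ip} is {rdns}")

    # 3. Freemail sender from a host with no rDNS or generic end-user rDNS.
    if sender_domain in FREEMAIL_DOMAINS:
        if rdns is None:
            return ("reject", f"{sender_domain} sender from {ip} with no rDNS")
        if GENERIC_RDNS.search(rdns):
            return ("reject", f"{sender_domain} sender from generic host {rdns}")

    return ("accept", "")


# Constructed sessions, one per rule plus the cases that must still pass.
SESSIONS = [
    {"ip": "203.0.113.5", "helo": "hotmail.com", "mail_from": "victim@hotmail.com"},
    {"ip": "198.51.100.9", "helo": "mx.hotmail.com", "mail_from": "alice@hotmail.com"},
    {"ip": "203.0.113.6", "helo": "mail.example.net", "mail_from": "joe@example.org"},
    {"ip": "192.0.2.40", "helo": "mail.example.net", "mail_from": "app@example.net"},
    {"ip": "198.51.100.8", "helo": "pc.home.example", "mail_from": "bob@yahoo.com"},
    {"ip": "203.0.113.6", "helo": "x.isp.example", "mail_from": "carol@aol.com"},
    {"ip": "203.0.113.7", "helo": "laptop", "mail_from": "dave@yahoo.com", "authenticated": True},
    {"ip": "198.51.100.7", "helo": "mx1.bigcorp.example", "mail_from": "x@bigcorp.example"},
]


def run(sessions=SESSIONS):
    """Decision for each session, in order."""
    return [evaluate(s)[0] for s in sessions]


if __name__ == "__main__":
    for s in SESSIONS:
        print(s["ip"], s["helo"], evaluate(s))
```

The decisions all happen before DATA, so a forged-sender message is refused with a 5xx at the connection rather than accepted and bounced later into a large provider's queue, which is the reject-rather-than-bounce point made earlier in the thread. In a real MTA the RDNS table would be a reverse lookup and the rules would live in the server's access map or policy service.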