e.g. email messages sent to aza34323@mydomain.com, anna77777@mydomain.com, azir100@mydomain.com etc.
This was a bit of an annoyance at first as each morning the email client would download the messages and move them into the junk folder.
Solution
The solution to stop that was to turn off the catch all addressing. I was using catch all so obviously all messages were being downloaded.
Changing to explicit names (sales, information, marketing etc.) solved that mailbox influx but didn't stop the messages arriving at the server.
Knock on Effect
I thought that solution would be a double edged sword and that it would eventually stop the spam messages from reaching the server.
At the time I had assumed the spammers were using some tricks to determine if the email addresses were genuine or not. If there was no bounce from the spam email then the email address must be genuine!
So turning off catch all meant that all those a*@mydomain.com would be rejected and that the spammers would receive thousands of bounces and then eventually remove the a*@mydomain.com from their list.
But it never happened. I'm still getting those email addresses - today 58,000 of them!
Maybe I got it all wrong
58,000 emails were rejected today but the average is around 35,000. That works out at nearly a quarter of a million rejects a week, 12 million a year.
That's a crazy situation to be in so clearly I made a mistake somewhere. Maybe the server is relaying, maybe I left something open somewhere.
Why do some spammers consider it worthwhile associating my server with a quarter of a million spam messages each week?
<snip>
[edited by: Frank_Rizzo at 7:06 pm (utc) on Sep. 7, 2006]
[edited by: trillianjedi at 2:49 pm (utc) on Sep. 10, 2006]
[edit reason] Please repost with the specifics if needed. Ta! [/edit]
Just make sure your MTA is set to ":fail:" unknown recipients so the load on your server is minimal.
Also, to make sure relaying is disabled, use:
[abuse.net...]
If someone has uploaded a spam script on your server, it should be fairly easy to track down.
There is nothing in the apache access logs to indicate a rogue script.
So what is the score here? I assumed it was a joe job scenario where a spammer has forged the from: address to make it look like mydomain is sending the mail but it is not the case!
What is happening is thousands of spams are going to a*@mydomain.co.uk and this has gone on for the best part of 10 months.
It is a crazy situation. I tried just ignoring the mail, I tried bouncing the mail but it is not receding. Maybe someone just sold 1000 duff email address with my domain in it and it will take years to clear off the list?
[edited by: Frank_Rizzo at 12:15 am (utc) on Sep. 8, 2006]
This is the best way according to the Anti Spam RFC2505 [ietf.org] because it saves bandwidth and gives the sending mailer the opportunity to correct its error (what you hoped for).
There is not much more you can do, besides disconnecting your mail server from the internet or changing domain names.
They use infected PCs so there is virtually no cost to them. The infected machine owners pay for the bandwidth.
Are you accepting the spam and then letting it bounce? If you are, you are swamping someone else's inbox with bounces. They don't go through a proper MTA for sending mails; the infected PCs they own connect directly to your server to dump the spam.
Try greylisting. Block them hard enough, they will eventually disappear, not completely but they'll try less frequently. They have no motivation to waste so much time on a 'single account'.
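The advice in the replies above (fail unknown recipients at the server, make sure the box does not relay, reject at SMTP time rather than accept-and-bounce, and greylist) can be expressed as a single RCPT-time decision. The following is an added example written for this page, not code from the thread or from any MTA; the domain, the explicit mailbox names, the greylist delay and the sample traffic are assumptions chosen to match the situation described in the posts. A real MTA would implement the same decisions in its own configuration (the thread's ":fail:" default address, relay restrictions, a greylisting policy daemon), but the ordering and the reply codes are what matter here.

```python
# Added example (not from the original thread): an RCPT-time policy applying
# the replies' advice in order: refuse relaying for foreign domains, reject
# unknown local parts with a permanent 550 before DATA (RFC 2505: no message
# queued, no backscatter bounce to the forged sender), then greylist first-time
# (client IP, sender, recipient) triplets with a 451 temp-fail.
# Domain, mailbox names, delay and sample traffic are constructed assumptions.
from collections import Counter
from dataclasses import dataclass, field

LOCAL_DOMAIN = "mydomain.com"                            # assumed, from the thread
KNOWN_MAILBOXES = {"sales", "information", "marketing"}  # explicit names, no catch-all
GREYLIST_DELAY = 300                                     # seconds; assumed value


@dataclass
class RcptPolicy:
    now: float = 0.0                                 # simulated clock, seconds
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt

    def rcpt_to(self, client_ip: str, mail_from: str, rcpt: str) -> str:
        """Return the SMTP reply the server would give to RCPT TO:<rcpt>."""
        local, at, domain = rcpt.rpartition("@")
        if not at or domain.lower() != LOCAL_DOMAIN:
            # Not our domain: refusing here is what keeps the box from being an open relay.
            return "554 5.7.1 relay access denied"
        if local.lower() not in KNOWN_MAILBOXES:
            # Unknown recipient (the a*@ dictionary attack): permanent failure before
            # DATA, so nothing is stored and no bounce is ever generated by us.
            return "550 5.1.1 no such user"
        key = (client_ip, mail_from.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, self.now)
        if self.now - first < GREYLIST_DELAY:
            # Greylisting: a real MTA retries after a temp-fail; spam bots usually do not.
            # (A production greylister also expires entries and whitelists passed triplets.)
            return "451 4.7.1 greylisted, please retry later"
        return "250 2.1.5 recipient ok"


def simulate(policy: RcptPolicy, attempts) -> Counter:
    """Feed (time, client_ip, mail_from, rcpt) tuples through the policy; tally reply codes."""
    tally = Counter()
    for t, ip, sender, rcpt in attempts:
        policy.now = t
        tally[policy.rcpt_to(ip, sender, rcpt)[:3]] += 1
    return tally


# Constructed traffic: a burst against a*@mydomain.com from two bot IPs, one
# relay probe, and a legitimate sender that retries after the greylist delay.
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", "x@example.net", "aza34323@mydomain.com"),
    (0, "198.51.100.7", "x@example.net", "anna77777@mydomain.com"),
    (1, "203.0.113.9", "y@example.org", "azir100@mydomain.com"),
    (1, "203.0.113.9", "y@example.org", "victim@example.com"),        # relay probe
    (2, "192.0.2.44", "bob@example.com", "sales@mydomain.com"),       # first contact
    (2 + GREYLIST_DELAY, "192.0.2.44", "bob@example.com", "sales@mydomain.com"),  # retry
]

if __name__ == "__main__":
    for code, n in sorted(simulate(RcptPolicy(), SAMPLE_ATTEMPTS).items()):
        print(code, n)
```

Running it shows three 550s for the dictionary hits, one 554 for the relay probe, one 451 for the first legitimate contact and one 250 for its retry. None of the rejected messages ever reaches DATA, which is why this approach costs little bandwidth and produces no bounces to forged senders, whereas accepting the mail and bouncing it afterwards would have generated one outbound bounce for every a*@ address.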