[Techtalk] OT: Windows NT Exchange Server has a spam problem

Magni Onsoien magnio+lc-techtalk at pvv.ntnu.no
Tue Aug 6 11:56:53 EST 2002


Raven Alder:

> It's (as far as I can tell, I'm not a Windows admin) fully patched.  Yet
> the spam persists.  It's filling up their T1 and eating almost all their
> CPU cycles.  I'd like to do them a good turn and fix their server for
> them if possible, since they found me a cool new job.  I just can't seem
> to figure it out.

Is the spam relayed through their server or is this more of a Denial of
Service attack where mail is sent in tons to (non-existent) addresses on
their domain or where (non-existent) addresses on their domain are used
as Reply-To or From, and thus they receive tons of bounces back? I guess
the DoS theory is more possible, if the server is supposed to be patched
and managed by (semi-)qualified staff, and it's unfortunately impossible
to protect against this kind of abuse of mail addresses :(

I had one of those DoS attacks last week, when someone was nice enough
to launch a dictionary attack against a domain I am administering. About
600,000 mails were received, about 95% of those to non-existent addresses.
The servers were kind of sluggish...

What I did when I discovered it was to add the domains in the
From field to the access list of postfix (sendmail also has the same
capability), and mail could then be rejected at SMTP level.

But the mail still fills up the link if bandwidth is limited, and
preferably messages about rejecting mail from certain domains should not
be sent out, since the From- or Reply-To-address of the mail is probably
false too.

So one alternative solution is to ask the upstream provider to filter
and relay incoming mail for a while, if they have capacity and bandwidth
for that (major providers probably have; on the other hand, they may lack
routines for doing such jobs). Change ALL MXes for the domain to servers
at the upstream provider (not just the primary MX; many avoid spam
filters by sending directly to the secondary MX if rejected at the
primary), add filters there and then use SMTP routes to send mail to
the real mail server of the domain. Use rules there to avoid receiving
mail from anywhere but locally and the ISP's server.

This solution may be expensive, but I think it's rather efficient if the
upstream provider knows how to do it (maybe they already filter spam).


MagnI :)
-- 
sash is very good for you.
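As an added example (not Magni's own code, nor anything from the list), here is the triage step behind "add the domains in the From field to the access list of postfix": a Python script that reads the unknown-recipient rejects a dictionary attack leaves in a Postfix smtpd log, counts the distinct non-existent recipients per envelope-sender domain, and emits access(5) map entries for the domains above a threshold, so that a single mistyped address from a genuine correspondent is not blocked along with the attacker's forged sender domains. It assumes Postfix already rejects unknown local recipients at RCPT time (local_recipient_maps set), which is what produces the "User unknown in local recipient table" lines the regex matches. The log lines, host names, client addresses, domain names and the threshold of 20 are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Build a Postfix sender_access map from the unknown-recipient rejects
that a dictionary attack leaves in the smtpd log.

Added example, not code from the original post.  Assumes Postfix already
rejects unknown local recipients at RCPT time (local_recipient_maps set),
which produces the "User unknown in local recipient table" lines matched
below.  All log lines, hosts, addresses and domains are constructed.
"""
import re
from collections import defaultdict

# One smtpd reject line per unknown recipient.  Postfix logs the envelope
# sender as from=<...> and the client as name[addr], so both are recoverable.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"550 <[^>]*>: Recipient address rejected: "
    r"User unknown in local recipient table; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_unknown_recipient_rejects(log_text):
    """Return (client, envelope_sender, recipient) for every reject line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("client"), m.group("sender"), m.group("rcpt")))
    return events


def sender_domain(address):
    """Domain part of an envelope sender, lower-cased; '' for the null sender."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def summarise(events):
    """Per sender domain, the distinct unknown recipients and sending clients."""
    stats = defaultdict(lambda: {"rcpts": set(), "clients": set()})
    for client, sender, rcpt in events:
        domain = sender_domain(sender)
        stats[domain]["rcpts"].add(rcpt.lower())
        stats[domain]["clients"].add(client)
    return stats


def build_sender_access(stats, min_unknown_rcpts=20):
    """access(5) lines for domains that hit >= min_unknown_rcpts distinct
    non-existent recipients.  A single typo from a real correspondent stays
    below the threshold; the null sender '' is never listed because
    rejecting <> would also block legitimate bounces."""
    lines = []
    for domain, s in sorted(stats.items()):
        if domain and len(s["rcpts"]) >= min_unknown_rcpts:
            lines.append(f"{domain}\tREJECT dictionary attack, "
                         f"{len(s['rcpts'])} unknown recipients")
    return lines


# --- constructed sample log (not real traffic) -------------------------------
def _reject_line(client, sender, rcpt):
    return (f"Aug  6 09:01:02 mx postfix/smtpd[3131]: NOQUEUE: reject: RCPT from "
            f"{client}: 550 <{rcpt}>: Recipient address rejected: User unknown in "
            f"local recipient table; from=<{sender}> to=<{rcpt}> proto=ESMTP helo=<mail>")


_GUESSES = ["aaron", "abbey", "abel", "abigail", "adam", "adele", "adrian",
            "agnes", "aidan", "alan", "albert", "alex", "alice", "allan",
            "amanda", "amber", "amy", "andrea", "andrew", "angela", "anita",
            "ann", "anna", "anne", "anthony"]

SAMPLE_LOG = "\n".join(
    # 25 alphabetical guesses from one client, all with forged senders in
    # the same domain: the dictionary attack.
    [_reject_line("unknown[192.0.2.10]", f"x{i}@spoofed.example", f"{n}@victim.example")
     for i, n in enumerate(_GUESSES)]
    # one mistyped address from a real correspondent: must not be blocked
    + [_reject_line("mail.partner.example[198.51.100.5]",
                    "bob@partner.example", "jon@victim.example")]
    # an unrelated line the parser must ignore
    + ["Aug  6 09:01:03 mx postfix/smtpd[3132]: connect from unknown[192.0.2.10]"]
)


if __name__ == "__main__":
    stats = summarise(parse_unknown_recipient_rejects(SAMPLE_LOG))
    for domain, s in sorted(stats.items(), key=lambda kv: -len(kv[1]["rcpts"])):
        print(f"{domain or '<>'}: {len(s['rcpts'])} unknown recipients "
              f"from {len(s['clients'])} client(s)")
    print("\n".join(build_sender_access(stats)))
```

Write the emitted lines to /etc/postfix/sender_access, run postmap on it, and list it as check_sender_access hash:/etc/postfix/sender_access under smtpd_sender_restrictions in main.cf. The decision is then made during the SMTP session, so no bounce is ever generated by your server, which is the point above about not sending rejection messages to a From or Reply-To address that is probably forged. The threshold is what keeps one genuine typo from partner.example out of the map; tune it to the size of the attack you are looking at.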


