A customer suffered from this kind of ndr flooding 2 years ago. All its valid email addresses where looking like "[EMAIL PROTECTED]". Rejecting any mail sent to "[EMAIL PROTECTED]" but "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]" at the firewall level saved their bandwidth and administration overhead. I guess that's the kind of filter you already have implemented ? If the forged from address is one of your valid email addresses, chances are you'll have to call the police department.
Anti-spam email client (netscape 7.1/mozilla 1.4) or anti-spam server based on bayasian filtering could filter out most of these ndr flood. Unfortunatly, it would not save your bandwidth.
Our customer faced this issue a few time after buying a foreign company and the flood was about 100 mails per second. It lasted about 6 months.
Kip Sr. wrote:
For the past 10 days, our mail exchange server has
been getting flooded with emails. It appears that an
attacker is sending out tons of spam through various
open relays and using our address
([EMAIL PROTECTED]) in the return path. so
essentially, all bounced emails are coming back to our
mail server - we're seeing about 30,000 NDRs per day.
I am using filters to delete the incoming email, but
does anyone else have any other ideas on how to get
this stopped? Since the NDRs are coming from
legitimate sources, checking for open relays wont do
me any good.
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
