Massive attack from Chinese URLs 163.com


#1

I am currently under a massive email blast attack to random emails on my server from Chinese websites. Hundreds of these emails are pouring in. What do I do? How do I block domains?

It looks like a secondary domain I added never had its DNS records updated on the MIAB, and thus no email authentication is happening and someone is spoofing as my email server and I am getting the bounce-back handlers pouring in. WTF?


#2

What you are describing sounds like backscatter spam. Is it actually getting to your end users’ inboxes or just hitting the server? Can the server cope with the traffic?


#3

It’s going to all the fake mailboxes it spoofed as, not real mailboxes. Obviously I am getting these all in my catch-all email. My server is a basic Intel Atom, so no, it cannot cope with all this traffic. After changing the DNS it seems to have stopped for the moment, but IDK if it will start again.

If it gives 500 “mailbox doesn’t exist” errors within 5 minutes, I am just picturing the massive volume of mail that is actually making it to the right destination. The reputation of my email server could be killed in a matter of minutes :frowning:


#4

This sounds like one of the reasons that many argue against using a catch-all address.

I do not think that the reputation of your email server will be killed as long as the spam is not originating from it. Have you investigated the source of the spam and initiated abuse complaints?


#5

Your reputation should be fine with reputable and sane RBLs. Backscatter is not spam; it is the fallout from spam. I use MX Toolbox’s blacklist checker. Sign up for their free weekly checker or check manually whenever you want.

https://mxtoolbox.com/blacklists.aspx

You can also do some configuration in Postfix to reduce the problem. However, you will probably need to reset it after each MiaB update.

http://www.postfix.org/BACKSCATTER_README.html
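The Postfix README linked above rejects bounces whose enclosed "original" message could not have come from your own MTA. The same check can be run on the receiving side, for instance over the catch-all mailbox that post #1 describes, to separate backscatter from bounces you actually caused. The script below is an added example, not code from this thread or from Mail-in-a-Box. It assumes the server is called box.example.com, that every message it originates carries a bottom-most Received: header saying "by box.example.com" and a Message-ID at that host, and it constructs its own sample DSNs; it only implements the hostname and Message-ID checks, not the queue-ID and client-name matching the README also recommends.

```python
"""Classify an inbound bounce (DSN) as a genuine bounce or as backscatter.

Added example (not from the thread or Mail-in-a-Box). Assumption: our MTA is
box.example.com; everything it originates carries a bottom-most Received: header
"from <client> by box.example.com" and a Message-ID ending in @box.example.com.
"""
import email
import re
from email import policy

OUR_HOSTNAMES = {"box.example.com"}            # assumption: our MTA hostname(s)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)
MID_DOMAIN = re.compile(r"@([^>\s]+)>")


def original_headers(bounce_bytes):
    """Return the enclosed original message of a multipart/report DSN, or None."""
    msg = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full copy of the original
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":       # headers-only copy
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(bounce_bytes):
    """Return (is_backscatter, reason) for one raw DSN."""
    orig = original_headers(bounce_bytes)
    if orig is None:
        return True, "bounce carries no copy of the original message"
    received = [str(r) for r in orig.get_all("Received", [])]
    if not received:
        return True, "original has no Received: header"
    hop = BY_HOST.search(received[-1])           # bottom-most header = first hop
    by_host = hop.group(1).lower() if hop else ""
    if by_host not in OUR_HOSTNAMES:
        return True, f"first hop was accepted by {by_host or 'unknown'}, not by our MTA"
    mid = MID_DOMAIN.search(str(orig.get("Message-ID", "")))
    mid_domain = mid.group(1).lower() if mid else ""
    if mid_domain not in OUR_HOSTNAMES:
        return True, f"Message-ID domain {mid_domain or '(none)'} is not ours"
    return False, "original message really left our MTA"


def make_dsn(original, headers_only=False):
    """Wrap `original` in a constructed multipart/report DSN (sample data only)."""
    part_type = "text/rfc822-headers" if headers_only else "message/rfc822"
    return (
        "From: MAILER-DAEMON@mail.example.net\n"
        "To: random-name@secondary.example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "\n--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mail.example.net\n\n"
        "Final-Recipient: rfc822; victim@example.net\nAction: failed\nStatus: 5.1.1\n"
        f"\n--B1\nContent-Type: {part_type}\n\n{original}\n--B1--\n"
    ).encode()


# Constructed sample originals (not real traffic).
FORGED = (                                       # spammer used our name, never touched our MTA
    "Received: from unknown (HELO box.example.com) (203.0.113.77)\n"
    "  by mail.example.net with SMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: random-name@secondary.example.org\nTo: victim@example.net\n"
    "Message-ID: <abc123@203.0.113.77>\nSubject: sample spam\n\nbody\n"
)
GENUINE = (                                      # submitted by our user, relayed by our MTA
    "Received: from box.example.com (box.example.com [198.51.100.5])\n"
    "  by mail.example.net (Postfix) with ESMTPS; Mon, 1 Jan 2024 00:00:01 +0000\n"
    "Received: from [192.0.2.10] (laptop.lan [192.0.2.10])\n"
    "  by box.example.com (Postfix) with ESMTPSA id 4F3A1; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: me@secondary.example.org\nTo: nobody@example.net\n"
    "Message-ID: <20240101000000.4F3A1@box.example.com>\nSubject: hello\n\nbody\n"
)
# A forged Received: line that names our MTA, paired with a Message-ID we would never generate.
FORGED_RECEIVED = GENUINE.replace("<20240101000000.4F3A1@box.example.com>", "<xyz@203.0.113.77>")

if __name__ == "__main__":
    for label, sample in [("forged", FORGED), ("genuine", GENUINE), ("forged-received", FORGED_RECEIVED)]:
        print(label, classify_bounce(make_dsn(sample)))
        print(label, "(headers only)", classify_bounce(make_dsn(sample, headers_only=True)))
```

Because spammers can forge Received: lines as easily as From: lines, the Message-ID check matters as much as the hostname check; in production you would also compare the queue ID and client name as the README does, and you would count how many bounces per minute fail these checks, since that rate is the signal that a forged-sender campaign is running against your domain.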


#6

I use a spam pre-filter service, which makes this type of stuff easy… They deal with it instead of me. I’m using fusemail (previously postlayer). It’s like $13/year, I think, for 10 accounts (with unlimited aliases).
I also use it as an SMTP relay, which helped me not be on all the blacklists for running a small unknown server in an IP range that had previously been used for spamming (I run on a VPS, and can’t control previous owners of the IP’s habits)…
On my previous mail server (not MIAB), I had some scripts set up to pull IP ranges for all problem foreign countries (including China, HK, RU, Iran, etc…), and add them to iptables to drop those packets, which helped a great deal… (Of course, if I had legitimate interests in those countries, that would not have been so feasible… or at least I’d have had to add a whitelist section into the script and gotten their IP ranges.)
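The "whitelist section" the poster mentions is the part of such a script that is easy to get wrong: a blanket range drop silently takes out the one correspondent you do want, unless the allowlisted networks are cut out of the blocked ranges before the rules are built. The script below is an added example, not the poster's script or anything shipped with Mail-in-a-Box. It assumes a dedicated chain name (MAILBLOCK) and uses constructed documentation ranges instead of a downloaded country list; it emits the iptables/ip6tables commands as strings rather than running them, so the output can be reviewed before it is applied.

```python
"""Build firewall DROP rules for unwanted address ranges, carving out an allowlist.

Added example (not the poster's script). Range lists and the chain name are
assumed/constructed; the commands are returned as strings, not executed.
"""
import ipaddress


def effective_block_ranges(block_cidrs, allow_cidrs):
    """Return the block networks with every allowlisted network removed."""
    allow = [ipaddress.ip_network(a, strict=False) for a in allow_cidrs]
    kept = []
    for cidr in block_cidrs:
        pieces = [ipaddress.ip_network(cidr, strict=False)]
        for a in allow:
            remaining = []
            for p in pieces:
                if a.version != p.version or not (a.subnet_of(p) or p.subnet_of(a)):
                    remaining.append(p)                     # no overlap: keep as-is
                elif p.subnet_of(a):
                    continue                                # entirely allowlisted: drop it
                else:
                    remaining.extend(p.address_exclude(a))  # punch a hole for the allowlist
            pieces = remaining
        kept.extend(pieces)
    return sorted(kept, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def is_blocked(addr, networks):
    """True if `addr` falls inside any of the (already allowlist-adjusted) networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)   # `in` is False across IP versions


def iptables_rules(networks, chain="MAILBLOCK", port=25):
    """Return the shell commands that would install the rules for inbound SMTP."""
    cmds = [f"iptables -N {chain}", f"ip6tables -N {chain}"]
    for n in networks:
        tool = "iptables" if n.version == 4 else "ip6tables"
        cmds.append(f"{tool} -A {chain} -s {n} -j DROP")
    for tool in ("iptables", "ip6tables"):
        cmds.append(f"{tool} -A {chain} -j RETURN")                   # fall through for the rest
        cmds.append(f"{tool} -I INPUT -p tcp --dport {port} -j {chain}")
    return cmds


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges, not a real country list).
BLOCK = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32"]
ALLOW = ["203.0.113.64/26", "2001:db8:1::/48"]   # e.g. a customer inside a blocked range

if __name__ == "__main__":
    nets = effective_block_ranges(BLOCK, ALLOW)
    for cmd in iptables_rules(nets):
        print(cmd)
```

Note that 2001:db8::/32 minus a single /48 expands into sixteen networks, which is why allowlist holes in large ranges inflate the rule count; for real country-sized lists an ipset hash:net set is the usual way to keep that manageable, and the rule should be scoped to port 25 as here so that the web and SSH side of the box is unaffected.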