
One of our user domains has just been heavily hit by *huge* quantities of Non-Delivery Receipts addressed to random_string(a)domain_name. At its peak we were seeing around 50,000 NDRs coming in per hour. The worst has passed (<fingers crossed>), but this does raise a couple of issues with the current Internet mail infrastructure. A good discussion of the attack and surrounding issues can be found here: http://www.gossamer-threads.com/lists/spf/discuss/17041

In a nutshell, we need Sender Policy Framework (http://spf.pobox.com/) - or something similar - ASAP. There is nothing that could stop this happening to us again tomorrow. I don't think I've ever felt so powerless.

RBL lists proved useless in the line of defense, as these messages were coming from legitimate sources. We were able to temporarily remove a few IPs here and there where the remote MTAs were going overkill throwing these NDRs at us. It would seem that the spambots that delivered the original message sent it just about everywhere. An interesting stat is that we received NDRs for at least 352,423 unique recipients (<352,423 unique strings>@domain)!!!

We only had a number of things at our disposal to limit the damage:

 - Stop generating any 'unknown user' NDR responses ourselves (ignoring RFC876).
 - Split the affected domain away from the rest of our incoming mail stream and then start removing obvious NDRs from the isolated queues.
 - Remove more NDRs from the queue.
 - <repeat last step again> <and again> <etc...>

Has anyone seen something similar? Did you manage to locate a better solution? I can't say I've enjoyed the last couple of days one bit!

Spencer.

-- 
Systems Engineer
Compass Communications
http://www.compass.net.nz
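As an added example (not part of Spencer's post and not Compass's own tooling), here is the kind of triage one could run over messages pulled out of an isolated queue to pick out backscatter: messages that carry the markers of a Non-Delivery Report (null return path, an RFC 3464 delivery-status report, or a bounce-style Subject) and are addressed to local mailboxes that do not exist, i.e. bounces for mail the domain never sent. The domain example.net, the user list and the queued messages are all constructed for the example.

```python
"""Triage an isolated mail queue for backscatter NDRs.

Added example, not code from the original post. A message is treated as an
NDR if it has the usual markers (null return path, RFC 3464 delivery-status
report, or a bounce-style Subject), and as backscatter if that NDR is
addressed to a local mailbox that does not exist: a bounce for a message
we never sent. The domain, users and queue entries below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.net"                      # constructed stand-in for the hit domain
KNOWN_USERS = {"spencer", "postmaster", "sales"}  # constructed list of real mailboxes

# Subjects that common MTAs put on bounces; a heuristic for non-DSN bounces.
BOUNCE_SUBJECT = re.compile(
    r"^(undeliver|returned mail|mail delivery failed|failure notice|"
    r"delivery (status )?(notification|failure))", re.I)


def is_ndr(msg, envelope_sender):
    """Return True if msg carries the markers of a Non-Delivery Report."""
    # Bounces are required to use an empty reverse path: MAIL FROM:<>
    if envelope_sender.strip() in ("", "<>"):
        return True
    # RFC 3464 DSN: multipart/report with report-type=delivery-status
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    # Fallback for MTAs that bounce as plain text from postmaster@
    return bool(BOUNCE_SUBJECT.match(msg.get("Subject", "")))


def split_recipient(envelope_rcpt):
    """Return (localpart, domain) of an envelope recipient, lowercased."""
    addr = parseaddr(envelope_rcpt)[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain


def classify(envelope_sender, envelope_rcpt, raw_message):
    """Return 'mail', 'ndr' (keep for a human) or 'backscatter' (safe to drop)."""
    msg = message_from_string(raw_message)
    if not is_ndr(msg, envelope_sender):
        return "mail"
    local, domain = split_recipient(envelope_rcpt)
    if domain == LOCAL_DOMAIN and local not in KNOWN_USERS:
        return "backscatter"
    return "ndr"


def triage(queue):
    """queue: iterable of (queue_id, envelope_sender, envelope_rcpt, raw_message).

    Returns (ids_to_drop, ids_to_keep, set_of_forged_local_parts); the size of
    the last item is the 'unique recipients' figure the post talks about.
    """
    drop, keep, forged = [], [], set()
    for qid, sender, rcpt, raw in queue:
        if classify(sender, rcpt, raw) == "backscatter":
            drop.append(qid)
            forged.add(split_recipient(rcpt)[0])
        else:
            keep.append(qid)
    return drop, keep, forged


# Constructed queue entries standing in for what would be pulled from the MTA.
SAMPLE_QUEUE = [
    ("A1", "<>", "qz7x3k@example.net",
     "From: MAILER-DAEMON@mx.remote.example\nTo: qz7x3k@example.net\n"
     "Subject: Undelivered Mail Returned to Sender\n"
     "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b1\"\n"
     "\n--b1\nContent-Type: text/plain\n\nYour message was not delivered.\n--b1--\n"),
    ("A2", "<>", "spencer@example.net",
     "From: MAILER-DAEMON@mx.partner.example\nTo: spencer@example.net\n"
     "Subject: Delivery Status Notification (Failure)\nContent-Type: text/plain\n"
     "\nThe message could not be delivered.\n"),
    ("A3", "alice@customer.example", "sales@example.net",
     "From: alice@customer.example\nTo: sales@example.net\nSubject: Quote request\n"
     "Content-Type: text/plain\n\nCould you send me a quote?\n"),
    ("A4", "postmaster@mx.other.example", "h81ptrw@example.net",
     "From: postmaster@mx.other.example\nTo: h81ptrw@example.net\n"
     "Subject: failure notice\nContent-Type: text/plain\n"
     "\nHi. This is the mail system. Your message could not be delivered.\n"),
]

if __name__ == "__main__":
    to_drop, to_keep, forged = triage(SAMPLE_QUEUE)
    print("drop:", to_drop, "keep:", to_keep, "forged local parts:", sorted(forged))
```

Two caveats. Bounces addressed to mailboxes that do exist (the 'ndr' class here) cannot be dropped on this evidence alone; telling those apart needs something the example does not do, such as checking whether the returned message's Received or Message-ID headers trace back to your own MTA. And the first measure in the post, not generating 'unknown user' NDRs yourself, is best done by rejecting the unknown address with a 5xx at RCPT TO time, so the bounce, if any, is the remote MTA's problem rather than a message you accept and then have to return.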