One of our user domains has just been heavily hit by *huge* quantities of
Non-Delivery Receipts addressed to random_string(a)domain_name. At its peak
we were seeing around 50,000 NDRs coming in per hour. The worst has passed
(<fingers crossed>), but this does raise a couple of issues with the
current Internet mail infrastructure. A good discussion of the attack and
surrounding issues can be found here at
http://www.gossamer-threads.com/lists/spf/discuss/17041. In a nutshell we
need Sender Policy Framework (http://spf.pobox.com/) - or something
similar ASAP. There is nothing that could stop this happening to us again
tomorrow.
I don't think I've ever felt so powerless. RBL lists proved useless in the
line of defense, as these messages were coming from legitimate sources.
We were able to temporarily remove a few IPs here and there where the
remote MTAs were going overkill throwing these NDRs at us. It would seem
that the original spambots that delivered the original message sent it
just about everywhere. An interesting stat is that we received NDRs for
at least 352,423 unique recipients (<352,423 unique strings>@domain)!!!
We only had a number of things at our disposal to do to limit the damage:
1. Stop generating any 'unknown user' NDR responses ourselves (ignoring RFC876).
2. Split the affected domain away from the rest of our incoming mail stream
   and then start removing obvious NDRs from the isolated queues.
3. Remove more NDRs from the queue.
4. <repeat last step again>
5. <and again>...
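As an added example (not from the original post), the kind of check behind the steps above: pick out bounces addressed to non-existent local users from a mail log, count them per hour, and collect the unique recipients hit. The log format, the user list and the log lines are all constructed.

```python
"""Detect a backscatter (NDR) storm in a mail log. Added example, not part of
the original post; log lines, user list and log format are constructed."""
from collections import defaultdict
import re

# Constructed local user list: only these mailboxes exist at the domain.
LOCAL_DOMAIN = "example.com"
VALID_USERS = {"alice", "bob", "postmaster"}

# Constructed sample log lines; the real flood ran to thousands per hour.
SAMPLE_LOG = """\
2004-06-01T10:00:01 from=<> to=<x7k2q@example.com>
2004-06-01T10:00:02 from=<MAILER-DAEMON@mx.remote.net> to=<p0wz9@example.com>
2004-06-01T10:00:03 from=<carol@partner.org> to=<alice@example.com>
2004-06-01T10:05:00 from=<> to=<alice@example.com>
2004-06-01T10:07:11 from=<> to=<x7k2q@example.com>
2004-06-01T11:00:00 from=<> to=<zz41b@example.com>
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>$")

def is_bounce(sender):
    """An NDR has a null envelope sender (or comes from a MAILER-DAEMON)."""
    return sender == "" or sender.lower().startswith("mailer-daemon@")

def is_local_unknown(rcpt):
    """True when the recipient is at our domain but no such mailbox exists."""
    local, _, domain = rcpt.rpartition("@")
    return domain.lower() == LOCAL_DOMAIN and local.lower() not in VALID_USERS

def analyse(log_text):
    """Return (backscatter NDRs per hour, set of unknown recipients hit).

    A bounce to a non-existent local user cannot be a reply to mail we sent,
    so it is backscatter from a forged sender; bounces to real users are kept.
    """
    per_hour = defaultdict(int)
    unknown_rcpts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_bounce(m["sender"]) and is_local_unknown(m["rcpt"]):
            per_hour[m["ts"][:13]] += 1          # bucket key "YYYY-MM-DDTHH"
            unknown_rcpts.add(m["rcpt"].lower())
    return dict(per_hour), unknown_rcpts

def storm_hours(per_hour, threshold):
    """Hours whose backscatter count exceeds the threshold (the post saw ~50,000/hr)."""
    return sorted(h for h, n in per_hour.items() if n > threshold)
```

Rejecting unknown recipients at SMTP time instead of accepting and bouncing them is what keeps a site from becoming a source of this traffic for someone else.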