"Spencer Stapleton"
We only had a number of things at our disposal to do to limit the damage:
Stop generating any 'unknown user' NDR responses ourselves (ignoring RFC876).
It's best to do SMTP rejects for unknown users; this will help cut the load on your servers if the forged From addresses don't exist at your domain. This is relatively straightforward for most MTAs - I believe Postfix can do LDAP queries against AD, or can talk to a PostgreSQL database. Since most of the forged addresses will be nonexistent, this should help quite a bit. (Bonus - it will also stop you generating this kind of traffic for other sites in the future.)

Consider publishing SPF records for the domain if you know where your mail should be coming from. Some people are talking about an RBL for hosts that send backscatter, but I don't know if it's come to anything yet, or if it will be feasible to use; possibly there will be too much legitimate mail rejected for some of us.
Has anyone seen something similar? Did you manage to locate a better solution? I can't say I've enjoyed the last couple of days one bit!
We've seen spikes where our main domain was forged into email, but only around 5-10x the usual load and not for too long. 550'ing mail to nonexistent users definitely helps.

cheers,
Jamie

--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
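The Postfix setup Jamie describes (reject unknown users at RCPT TO with a 550 instead of accepting the message and bouncing it later), written out as an added example that is not part of the thread and not either poster's configuration. It shows the backscatter-prone setting next to the corrected one, with the recipient list taken from Active Directory via Postfix's LDAP table. The host name, base DN, bind account and password are placeholders to adjust for your own directory.

```ini
# Added example, not from the thread. Postfix main.cf and LDAP table
# excerpts; host names, DNs and the bind password are placeholders.

# --- /etc/postfix/main.cf : the backscatter-prone setting ----------------
# An empty local_recipient_maps makes Postfix accept any recipient in
# $mydestination during the SMTP session and only discover at delivery
# time that the mailbox does not exist, so it then generates an NDR to
# the (usually forged) envelope sender. This is the behaviour to remove:
# local_recipient_maps =

# --- /etc/postfix/main.cf : reject unknown users during the SMTP session -
mydestination = example.com, localhost
# recipient validity is decided against the directory, not at delivery time
local_recipient_maps = ldap:/etc/postfix/ldap-ad-users.cf
# default is already yes; shown explicitly because it is the setting that matters
smtpd_reject_unlisted_recipient = yes
# the reply code the connecting client sees for an unknown user
unknown_local_recipient_reject_code = 550
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# --- /etc/postfix/ldap-ad-users.cf : recipient lookup against AD ---------
server_host = ldap://dc1.example.com
version = 3
bind = yes
bind_dn = cn=postfix-lookup,ou=Service Accounts,dc=example,dc=com
bind_pw = PLACEHOLDER_PASSWORD
search_base = dc=example,dc=com
# %s is the full recipient address from RCPT TO; match either the primary
# mail attribute or any smtp: alias in proxyAddresses
query_filter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))
result_attribute = mail
```

Check the lookup from the shell before reloading Postfix with `postmap -q someone@example.com ldap:/etc/postfix/ldap-ad-users.cf`: a known address should print its `mail` value, an unknown one should print nothing. If this Postfix box relays for a mail server behind it rather than delivering locally, the domain belongs in `relay_domains` and the same LDAP table goes in `relay_recipient_maps` instead of `local_recipient_maps`. For the SPF suggestion in the same reply, a record such as `v=spf1 mx -all` on the domain tells other sites that only your MX hosts send mail for it; it does not stop backscatter you are already receiving, but it lets sites that check SPF reject the forgeries before they ever generate a bounce to you.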