
Server Email Spam. Something must be wrong here



7:01 pm on Sep 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

About a year ago I started having a real influx of spam mail. I posted here at the time that someone had decided to use hundreds of email addresses all starting with "a" and my domain.

e.g. email messages sent to aza34323@mydomain.com, anna77777@mydomain.com, azir100@mydomain.com etc.

This was a bit of an annoyance at first as each morning the email client would download the messages and move them into the junk folder.

The solution to stop that was to turn off the catch-all addressing. I was using catch-all, so obviously all messages were being downloaded.

Changing to explicit names (sales, information, marketing etc.) solved that mailbox influx but didn't stop the messages arriving at the server.

Knock on Effect
I thought that solution would be a double-edged sword and that it would eventually stop the spam messages from reaching the server.

At the time I had assumed the spammers were using some tricks to determine if the email addresses were genuine or not. If there was no bounce from the spam email then the email address must be genuine!

So turning off catch-all meant that all those a*@mydomain.com would be rejected and that the spammers would receive thousands of bounces and then eventually remove the a*@mydomain.com from their list.

But it never happened. I'm still getting those email addresses: today 58,000 of them!

Maybe I got it all wrong
58,000 emails were rejected today but the average is around 35,000. That works out at nearly a quarter of a million rejects a week, 12 million a year.

That's a crazy situation to be in so clearly I made a mistake somewhere. Maybe the server is relaying, maybe I left something open somewhere.

Why do some spammers consider it worthwhile associating my server with a quarter of a million spam messages each week?


[edited by: Frank_Rizzo at 7:06 pm (utc) on Sep. 7, 2006]

[edited by: trillianjedi at 2:49 pm (utc) on Sep. 10, 2006]
[edit reason] Please repost with the specifics if needed. Ta! [/edit]


7:25 pm on Sep 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Is it possible that a contact form on your website has been exploited to send spam using email form injection techniques? At those numbers it seems unlikely to me, but it would be the first thing I'd check for. See if your server logs have a lot of suspicious POST requests to any form processing scripts.
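The log check suggested above, as an added example that is not part of the thread: it parses Apache combined-format access-log lines, counts POSTs per client IP to scripts that look like form handlers, and notes how many of those POSTs arrived without a Referer (a browser submitting the real contact page normally sends one; a script hammering the handler directly usually does not). The log lines, the handler name list and the threshold are constructed for the example. POST bodies are not in the access log, so this only finds the burst; the injected headers themselves would have to be found in the mail log or a script-level log.

```python
# Added example (not from the thread): spot bursts of POSTs to form-handling
# scripts in Apache "combined" access logs. Sample lines below are constructed.
import re
from collections import Counter, defaultdict

# Apache combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path fragments that typically mark a script handing form input to sendmail/mail();
# an assumption for this example, adjust to the real script names on the site.
FORM_HANDLERS = ("contact", "form", "mail", "feedback")

SAMPLE_LOG = """\
203.0.113.5 - - [07/Sep/2006:18:01:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Sep/2006:18:01:05 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [07/Sep/2006:18:01:05 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [07/Sep/2006:18:01:06 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [07/Sep/2006:18:01:06 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
192.0.2.9 - - [07/Sep/2006:18:02:10 +0000] "POST /cgi-bin/contact.pl HTTP/1.1" 200 312 "http://www.example.com/contact.html" "Mozilla/4.0"
192.0.2.9 - - [07/Sep/2006:18:02:11 +0000] "GET /thanks.html HTTP/1.1" 200 900 "http://www.example.com/contact.html" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_form_post(rec):
    path = rec["path"].lower()
    return rec["method"] == "POST" and any(h in path for h in FORM_HANDLERS)


def suspicious_form_posters(log_text, threshold=3):
    """Return {ip: {"posts": n, "no_referer": m}} for IPs that POST to a form
    handler at least `threshold` times; m counts those POSTs with no Referer."""
    counts = Counter()
    no_referer = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_form_post(rec):
            counts[rec["ip"]] += 1
            if rec["referer"] in ("", "-"):
                no_referer[rec["ip"]] += 1
    return {ip: {"posts": n, "no_referer": no_referer[ip]}
            for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in suspicious_form_posters(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} form POSTs, {info['no_referer']} without Referer")
```

Run it over the real access log with `suspicious_form_posters(open("access_log").read())`; one legitimate visitor (192.0.2.9 above) posts once with a Referer and is not reported, while the scripted client shows up with a tight burst and no Referer at all.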


8:39 pm on Sep 7, 2006 (gmt 0)

10+ Year Member

Possible log spammers maybe?

Just make sure your MTA is set to ":fail:" unknown recipients so the load on your server is minimal.

Also, to make sure relaying is disabled, use:

If someone has uploaded a spam script on your server, it should be fairly easy to track down.


12:14 am on Sep 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

That relay link passes all tests fine.

There is nothing in the apache access logs to indicate a rogue script.

So what is the score here? I assumed it was a joe job scenario where a spammer has forged the from: address to make it look like mydomain is sending the mail but it is not the case!

What is happening is thousands of spams are going to a*@mydomain.co.uk and this has gone on for the best part of 10 months.

It is a crazy situation. I tried just ignoring the mail and I tried bouncing the mail, but it is not receding. Maybe someone just sold 1000 duff email addresses with my domain in them and it will take years to clear off the list?

[edited by: Frank_Rizzo at 12:15 am (utc) on Sep. 8, 2006]


12:33 am on Sep 8, 2006 (gmt 0)

10+ Year Member

"I tried just ignoring the mail"

Try harder. ;-)


1:03 am on Sep 8, 2006 (gmt 0)

lammert, WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member

You are doing the right thing. In many configurations mail servers bounce a message, i.e. they send an error mail message back to the sender after the message has been accepted and processed, but you are sending a 550 error code directly to the sending mailer, before the message was even uploaded.

This is the best way according to the anti-spam RFC 2505 [ietf.org] because it saves bandwidth and gives the sending mailer the opportunity to correct its error (what you hoped for).

There is not much more you can do, besides disconnecting your mail server from the internet or changing domain names.
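What the ":fail:" setting and the relay check from earlier in the thread, and the 550-before-DATA behaviour described just above, look like on the wire, as an added example that is not part of the thread and not the poster's MTA configuration: a tiny SMTP receive-side state machine that rejects unknown local users at RCPT TO (so no body is ever uploaded and no bounce is ever created) and refuses RCPT TO for non-local domains unless the client is authenticated. Domain names, mailbox names, reply texts and the two transcripts are assumptions constructed for the example.

```python
# Added example (not from the thread): a minimal SMTP server state machine that
# rejects unknown local recipients with 550 at RCPT TO and refuses relaying.
# Domains, mailboxes and transcripts below are assumptions, not real data.

LOCAL_DOMAINS = {"mydomain.com", "mydomain.co.uk"}
VALID_MAILBOXES = {"sales", "information", "marketing"}   # explicit names, no catch-all


def _addr(arg):
    """Pull user@domain out of 'FROM:<user@domain>' / 'TO:<user@domain>'."""
    if ":" not in arg:
        return None
    a = arg.split(":", 1)[1].strip()
    if a.startswith("<") and a.endswith(">"):
        a = a[1:-1]
    return a.lower()


class SmtpServer:
    """One SMTP session; handle() returns the server reply for one client command."""

    def __init__(self, authenticated=False):
        self.authenticated = authenticated   # True only for SMTP AUTH'd submission clients
        self.greeted = False
        self.sender = None
        self.rcpts = []

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 mx.mydomain.com"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = _addr(arg)            # "" for the null sender <> is legal
            self.rcpts = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = _addr(arg)
            if not rcpt or "@" not in rcpt:
                return "501 5.1.3 Bad recipient address syntax"
            local, domain = rcpt.rsplit("@", 1)
            if domain not in LOCAL_DOMAINS:
                # Relay attempt: only authenticated clients may send to other domains.
                if not self.authenticated:
                    return "554 5.7.1 Relay access denied"
            elif local not in VALID_MAILBOXES:
                # The ":fail:" behaviour: refuse the unknown local user right here,
                # so no message body is uploaded and no bounce is generated later.
                return "550 5.1.1 No such user here"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(commands, authenticated=False):
    """Drive a scripted client transcript through the server; returns [(cmd, reply)]."""
    srv = SmtpServer(authenticated)
    return [(cmd, srv.handle(cmd)) for cmd in commands]


# Constructed transcripts (not captured traffic): a bot aiming at a guessed
# a*@mydomain.com address, and a relay probe aimed at a third-party domain.
SPAM_SESSION = [
    "HELO bot.example",
    "MAIL FROM:<spammer@example.net>",
    "RCPT TO:<aza34323@mydomain.com>",
    "DATA",
    "QUIT",
]
RELAY_PROBE = [
    "EHLO probe.example",
    "MAIL FROM:<probe@example.net>",
    "RCPT TO:<someone@example.org>",
    "QUIT",
]

if __name__ == "__main__":
    for cmd, reply in run_session(SPAM_SESSION) + run_session(RELAY_PROBE):
        print(f"C: {cmd}\nS: {reply}")
```

The bot's session never gets a 354, so the spam body is never transferred and there is nothing to bounce; a relay probe gets 554 at RCPT TO unless the session is authenticated, which is the property an online relay tester checks for.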


2:49 pm on Sep 10, 2006 (gmt 0)

trillianjedi, WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member



3:15 pm on Sep 10, 2006 (gmt 0)

10+ Year Member

I'm not really up on web-based techie stuff, but could you perhaps set up an auto-responder and send 'em 58,000 "Thank you for your interest, will get back to you shortly" mails?

Not long term, but just on the off-chance a few hours of that might encourage 'em to get you off their list?



5:00 pm on Sep 10, 2006 (gmt 0)

10+ Year Member

I remember reading somewhere that they are paid per delivery, so it doesn't matter if they deliver the same message to you thousands of times.

They use infected PCs so there is virtually no cost to them. The infected machine owners pay for the bandwidth.

Are you accepting the spam and then letting it bounce? If you are, you are swarming someone else's inbox with bounces. They don't go through a proper MTA for sending mails; the infected PCs they own connect directly to your server to dump the spam.

Try greylisting. Block them hard enough and they will eventually disappear; not completely, but they'll try less frequently. They have no motivation to waste so much time on a 'single account'.
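The greylisting decision the reply above recommends, as an added example that is not part of the thread: the triplet (client IP, envelope sender, recipient) is answered with a temporary 451 the first time it is seen; a proper MTA keeps the message in its queue and retries after a few minutes, is then accepted, and the triplet is remembered so later mail from it is not delayed. A bot that dumps the message directly once and moves on never retries, so it never gets through. The delay values and the triplet key are this example's assumptions; real implementations usually apply it only after the recipient has already passed the unknown-user check.

```python
# Added example (not from the thread): a greylisting decision table.
# Delays and the triplet key are assumptions; timestamps are plain seconds.


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, auto_whitelist=36 * 24 * 3600):
        self.min_delay = min_delay            # retry accepted only after this many seconds
        self.retry_window = retry_window      # a triplet that never retries in this window is forgotten
        self.auto_whitelist = auto_whitelist  # a triplet that passed is trusted for this long
        self.pending = {}   # triplet -> first time seen
        self.passed = {}    # triplet -> last time seen

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one RCPT TO from (ip, sender, rcpt) at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())

        last = self.passed.get(key)
        if last is not None:
            if now - last <= self.auto_whitelist:
                self.passed[key] = now          # known-good triplet: accept, refresh timer
                return "250 2.1.5 Ok"
            del self.passed[key]                # whitelist entry expired, start over

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now             # first sight (or stale): defer
            return "451 4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            # Retrying too quickly (bots sometimes hammer); keep the original
            # first-seen time so the clock is not reset by the retry.
            return "451 4.7.1 Greylisted, please try again later"

        del self.pending[key]                   # retried after a sane delay: accept
        self.passed[key] = now
        return "250 2.1.5 Ok"

    def purge(self, now):
        """Drop pending triplets that never retried and whitelist entries that expired."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t <= self.auto_whitelist}
        return len(self.pending) + len(self.passed)


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000
    # Constructed example: a real MTA retrying after ten minutes, then a bot that never retries.
    for t in (t0, t0 + 600, t0 + 700):
        print(t - t0, g.check("192.0.2.10", "news@example.org", "sales@mydomain.com", now=t))
    print(0, g.check("198.51.100.7", "spam@example.net", "sales@mydomain.com", now=t0))
    print("entries after purge:", g.purge(t0 + 5 * 3600))
```

The pending table only ever grows by one entry per triplet, and `purge()` keeps it from filling up with the bots' one-shot attempts; the cost of greylisting is that the first mail from any new sender/recipient pair is delayed by the sending MTA's queue interval.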

