Email Admins! Don’t you think it’s time to start silently dropping mail to garbage addresses instead of mail bombing every other mail server with your bounced email junk!

There is a large number of junk emails being sent by individuals with a variety of motives, from trying to get lucky when an unsuspecting recipient clicks on a “too good to be true” link in an email, to trying to bring down a competitor’s email server by pounding the mailer with crap email addressed to a large number of fictitious destination addresses, with a variety of fictitious sender addresses, from bot networks.

People have asked me, “How can anybody make money from junk email? Nobody pays attention to them!”

To be honest, I really don’t know, otherwise I might be rich! Then again, if I were a poor schlub in some third world country (with internet access… how far we have come) who makes five to ten bucks a month, I could do well with a small number of clicks on a large number of emails sent.

The other problem, which is more of a pain in the neck, is that of spoofing destination addresses and return addresses while sending meaningless junk with no “click value”.

Here is a scenario to define this issue:

Email originating from a botnet (thousands of infected user PCs around the Internet) spamming a particular domain with fictitious target addresses (i.e. jac33a4@domainone.com, becy333da@domainone.com, etc…) using spoofed return addresses from a multitude of domains, typically with phoney addresses (i.e. bubba@domainspoof.com, toodl@domain2spoof.com, etc…), hits the domainone.com mail server. Since the mail server at domainone.com doesn’t recognize the fictitious addresses, it automatically sends a bounce email back to the fictitious addresses at domainspoof.com, domain2spoof.com, etc. Servers at domainspoof.com and domain2spoof.com in turn send a bounce message back to domainone.com. Eventually this looping ends, but the initial spoofed email generates at least two more transactions. Now multiply this by tens of thousands of emails and bandwidth gets used up all over the place, including server resources at both the target and the bounced domains.

A side effect of this occurs when the spoofed return addresses are from fictitious domains. At this point the target mail server has a queue that is growing very large, because the phoney domains do not resolve and the bounces are queued to be tried again later. Before long the queue gets so large that the mail server starts slowing down, and legitimate mail can now take hours or days to reach its destination. Stopping and starting the server has little effect, since the queue remains large. The only recourse is to manually delete the obvious junk from the queue, which can consume several hours of work.
There is certainly nothing legitimate mailers can do with spoofed mail, especially since the junk originated from a bot!

One of the most effective ways to combat this is to silently drop the junk in the first place. No bounce, no delivery, no scanning for spam, no scanning for viruses, just a quick trip to the bit bucket, /dev/null or whatever. Depending on your mail server software, this can be fairly easy to do. Procmail, milter and maildrop come to mind, since each can check a recipient address for validity: if the check fails, drop the message; otherwise, deliver the mail as usual. Since you are not burning CPU traversing a large queue, scanning for spam and scanning for viruses, your server has a better chance of surviving this type of attack, as it takes fewer cycles to check for a valid address and drop the junk. Also, you are not sending bounces to third party domains that were unfortunate enough to have their domain names spoofed in the return address. It’s a win-win situation all around.

Another thing you can do to protect yourself, though a bit more complicated, is to identify the sending IP address of the junk mail and track the number of failed emails from each IP. This can result in a large number of IP addresses, depending on the botnet. Once you have identified the troublesome IPs, you run a script to firewall those addresses from sending mail to your server. This is a bit more complicated, but can be done. You may also want to expire those IPs after a given period of time, to compensate for those who have patched their machines or otherwise have been dropped from the botnet.
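The per-IP tracking described above, with the expiry the post recommends, can be scripted from the mail server’s own log. The following is an added example, not code from the original post or from any mail server project: it parses constructed Postfix-style “User unknown” rejection lines (the log layout, the year pinned in LOG_YEAR, the threshold, window and block duration are all assumptions), counts unknown-recipient hits per sending IP inside a sliding window, blocks an IP once it crosses the threshold, lets the block lapse after a fixed period, and renders the iptables rules that would drop SMTP from the blocked addresses without executing them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the post), in a Postfix-like syslog layout.
# 198.51.100.7 hammers unknown recipients; 203.0.113.5 is one typo from a real sender.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <jac33a4@domainone.com>: Recipient address rejected: User unknown; from=<bubba@domainspoof.com>
Mar  3 10:00:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <becy333da@domainone.com>: Recipient address rejected: User unknown; from=<toodl@domain2spoof.com>
Mar  3 10:00:03 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <zz9q@domainone.com>: Recipient address rejected: User unknown; from=<x@domainspoof.com>
Mar  3 10:00:05 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 550 5.1.1 <jon.smth@domainone.com>: Recipient address rejected: User unknown; from=<jane@example.net>
Mar  3 10:00:09 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <k8s7@domainone.com>: Recipient address rejected: User unknown; from=<y@domain2spoof.com>
Mar  3 10:00:10 mx postfix/smtpd[1004]: 4F1A2: from=<jane@example.net>, size=1200, nrcpt=1 (queue active)
"""

# Assumed log format: only "User unknown" RCPT rejections are counted; everything else is ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; the constructed sample is pinned to one


def parse_rejections(log_text):
    """Return (timestamp, client_ip, recipient) for every unknown-recipient rejection."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"]))
    return events


class UnknownRecipientTracker:
    """Sliding-window counter of unknown-recipient hits per IP, with expiring blocks."""

    def __init__(self, threshold=3, window=timedelta(minutes=10), block_for=timedelta(hours=6)):
        self.threshold = threshold      # hits inside the window before an IP is blocked
        self.window = window
        self.block_for = block_for      # how long a block lasts before it expires
        self.hits = defaultdict(deque)  # ip -> timestamps of recent rejections
        self.blocked = {}               # ip -> time at which the block expires

    def record(self, ts, ip):
        """Register one rejection; return True if the IP is (now) blocked."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = ts + self.block_for
        return ip in self.blocked

    def active_blocks(self, now):
        """Purge expired blocks (so a cleaned-up host can send again) and list the rest."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
            self.hits.pop(ip, None)  # a re-offender must cross the threshold afresh
        return sorted(self.blocked)


def firewall_commands(ips, chain="INPUT"):
    """Render (do not run) iptables rules dropping SMTP connections from each blocked IP."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


def analyse(log_text, tracker=None, now=None):
    """Feed a log through a tracker and return the IPs still blocked at time `now`."""
    tracker = tracker or UnknownRecipientTracker()
    events = parse_rejections(log_text)
    for ts, ip, _rcpt in events:
        tracker.record(ts, ip)
    if now is None:  # default: evaluate as of the last event in the log
        now = events[-1][0] if events else datetime.now()
    return tracker.active_blocks(now)


if __name__ == "__main__":
    for cmd in firewall_commands(analyse(SAMPLE_LOG)):
        print(cmd)
```

Run against the sample, only 198.51.100.7 crosses the threshold; the single mistyped address from 203.0.113.5 never does, which is the point of counting per source rather than per message. Re-running `analyse` with a later `now` (past the block duration) returns an empty list, modelling the expiry the post suggests for hosts that have since been cleaned up.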

For the moment, the easiest thing to do is to drop the junk.

Of course, there is a slight downside: folks who have a problem typing a correct email address will not know whether their email made it or not. But it is a small price to pay, because after all, it is email, and if it is that important, they should follow up with a phone call.

It’s time to think and act responsibly and be part of the solution and not the problem by just dropping that junk.

Best Regards.