Stopping Email Bomb - Any Ideas?



JasonS
Posts: 19
Joined: Wed Jan 09, 2019 8:42 am
Location: Leesburg, Va


Post by JasonS » Thu Jun 15, 2023 9:57 am

I am having issues with 2 of my email accounts; it seems that someone is sending an email bomb to them. This has happened 3 times this month, with over 5000 emails.

I caught a lot of them coming from the MailChimp network and I ended up blocking 1000 of their IPs, and that seemed to stop the bomb, but 2 days later it started again just not as bad.

The emails come from all over the world and have random subjects and bodies and come from duplicate domains (a few hundred different domains) and duplicate IPs but change frequently (if that makes any sense). They keep the inbound low enough that it does not seem to trigger the rate limiter though. I see a bunch of them are coming from Amazon, Google, and the country of Chile. I have blocked Chile in the "Country Authentication Restrictions" but I am afraid if I enable "Source Based Authentication Restrictions" it will affect good email.

I have also noticed that a lot ... a lot of these emails are on dbl.spamhaus.org and spam.dnsbl.sorbs.net but again I am afraid if I move from "FLAG" to "ON" for "dbl.spamhaus.org and spam.dnsbl.sorbs.net" it will catch a lot of good emails as well.

If anyone has any ideas I am open.

A nice feature to add would be to have another setting where you can divert emails like this to a "Quarantine" folder in the MagicSPAM directory that we can browse through in the dashboard instead of just tagging and passing to the MTA for processing. I personally would rather search a list of "Quarantined" emails and move them to the MTA manually (or delete them) as needed and create an exception from there if we find that it is an okay email even though the sender is possibly on a shared platform that is "questionable".

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Stopping Email Bomb - Any Ideas?

Post by magicspam » Fri Jun 16, 2023 6:07 pm

Hello Jason,

Thank you for contacting us.

Based on our understanding, two email accounts hosted on your server have been on the receiving end of three separate email bombs this month, which has flooded these mailboxes with over 5000 spam messages. The vast majority of sources for these email bombs were MailChimp networks, but blocking their IPs only lessened the severity of the email bomb rather than stopping it entirely. Did we understand you correctly?

Spam leakage from MailChimp networks is harder to deal with using spam policies and reputation lists, as their email servers are properly configured and their networks fall under the too-big-to-block category.

Since there isn't any discernible pattern to target to block the spam from these email bombs at first glance, you will want to try the Log Replay feature that can help to identify the policies to be enabled in order to block certain uncaught spam. For more information on the Log Replay feature, please refer to this forum post:

Replay Feature - Easy way to deal with uncaught spam

As a MagicSpam customer, you have access to our Threat Research team who would be able to analyze any provided uncaught spam samples. For more information, please refer to our forum post on the topic at:

How can I get help with uncaught spam?

If you are able to provide us with this information over email, we may be able to comment further and provide you with more solutions. Note that you don't have to provide us with every single spam from these email bombs; just provide us with enough of a sampling for us to better grasp the situation.

Note that authentication restrictions are meant to prevent compromised accounts from sending outbound spam, rather than stopping inbound spam from being delivered. If you want to block inbound emails sent from a specific country, you can use the Sender Country Blacklist.
MagicSpam Admin Panel >> Anti-Spam >> Exemptions >> Sender Country Blacklist
Otherwise, it should be safe to enable the Country Authentication Restrictions and Source Based Authentication Restrictions. For more information about our authentication security features including the authentication restrictions, please refer to this forum post:

Email Authentication Security Feature Guide

Lastly, we have created a new development ticket to allow quarantined emails to be delivered to a centralized mailbox that can be viewed from the MagicSpam Admin Panel such that false positives can be released and delivered to the recipient. The development ticket has been brought to the attention of our product team for further consideration.

Please let us know if you have any other questions.
-- MagicSpam Support Team --
