Stopping Email Bomb - Any Ideas?
Posted: Thu Jun 15, 2023 9:57 am
I am having issues with 2 of my email accounts, it seems that someone is sending an email bomb to them. This has happened 3 times this month, with over 5000+ emails.
I caught a lot of them coming from the MailChimp network and I ended up blocking 1000 of their IPs, and that seemed to stop the bomb, but 2 days later it started again just not as bad.
The emails come from all over the world and have random subjects and bodies and come from duplicate domains (a few hundred different domains) and duplicate IPs but change frequently (if that makes any sense). They keep the inbound low enough that it does not seem to trigger the rate limiter though. I see a bunch of them are coming from Amazon, Google, and the country of Chile. I have blocked Chile in the "Country Authentication Restrictions" but I am afraid if I enable "Source Based Authentication Restrictions" it will affect good email.
I have also noticed that a lot ... a lot of these emails are on dbl.spamhaus.org and spam.dnsbl.sorbs.net but again I am afraid if I move from "FLAG" to "ON" for "dbl.spamhaus.org and spam.dnsbl.sorbs.net" it will catch a lot of good emails as well.
If anyone has any ideas I am open.
A nice feature to add would be to have another setting where you can divert emails like this to a "Quarantine" folder in the MagicSPAM directory that we can browse through in the dashboard instead of just tagging and passing to the MTA for processing. I personally would rather search a list of "Quarantined" emails and move them to the MTA manually (or delete them) as needed and create an exception from there if we find that it is an okay email even though the sender is possibly on a shared platform that is "questionable".
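The pattern described in the post (many sources, each sending too little to trip a per-IP rate limiter, all aimed at one or two mailboxes) is easier to catch by counting per recipient rather than per sender. The following is an added illustration, not MagicSPAM code or anything the poster ran: it assumes a simplified, constructed log format (`<ISO timestamp> <client_ip> <sender_domain> <recipient>`) and the thresholds (5 messages per mailbox in 5 minutes, 5 per IP) are made-up values to show the idea, not recommended settings.

```python
"""Per-recipient burst detection for distributed inbound mail floods.

Added example (not MagicSPAM's code). The log format below is a constructed
simplification; a real MTA log would need its own parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 8 messages to victim@example.com from 8 different IPs
# and 8 different sender domains within two minutes, plus two normal messages
# to bob@example.com half an hour apart from the same sending host.
SAMPLE_LOG = """\
2023-06-15T09:00:01 203.0.113.10 news.example-a.test victim@example.com
2023-06-15T09:00:14 198.51.100.7 promo.example-b.test victim@example.com
2023-06-15T09:00:20 192.0.2.33 colleague.example.org bob@example.com
2023-06-15T09:00:31 203.0.113.55 offers.example-c.test victim@example.com
2023-06-15T09:00:45 198.51.100.91 list.example-d.test victim@example.com
2023-06-15T09:01:02 203.0.113.120 update.example-e.test victim@example.com
2023-06-15T09:01:19 192.0.2.200 news.example-f.test victim@example.com
2023-06-15T09:01:40 198.51.100.150 alerts.example-g.test victim@example.com
2023-06-15T09:01:58 203.0.113.201 promo.example-h.test victim@example.com
2023-06-15T09:30:00 192.0.2.33 colleague.example.org bob@example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, sender_domain, recipient)."""
    ts, ip, domain, rcpt = line.split()
    return datetime.fromisoformat(ts), ip, domain, rcpt


def detect_bursts(log_text, window=timedelta(minutes=5),
                  per_rcpt_limit=5, per_ip_limit=5):
    """Return {recipient: info} for mailboxes that received more than
    per_rcpt_limit messages inside a sliding window.

    info also records whether every individual IP stayed at or below
    per_ip_limit, i.e. whether a per-IP rate limiter would have missed it.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # recipient -> (ts, ip, domain) within window
    alerts = {}
    for ts, ip, domain, rcpt in events:
        q = recent[rcpt]
        q.append((ts, ip, domain))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) <= per_rcpt_limit:
            continue
        per_ip = defaultdict(int)
        for _, qip, _ in q:
            per_ip[qip] += 1
        info = {
            "count": len(q),
            "distinct_ips": len(per_ip),
            "distinct_domains": len({d for _, _, d in q}),
            "max_per_ip": max(per_ip.values()),
            # True when no single source would have exceeded a per-IP limit.
            "evades_per_ip_limit": max(per_ip.values()) <= per_ip_limit,
        }
        prev = alerts.get(rcpt)
        if prev is None or info["count"] > prev["count"]:
            alerts[rcpt] = info
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_bursts(SAMPLE_LOG).items():
        print(rcpt, info)
```

Run against the sample, only `victim@example.com` is reported: 8 messages from 8 IPs and 8 domains with at most one message per IP, so the flood stays under a per-IP limiter while the per-recipient count gives it away. A recipient-keyed signal like this is what would feed a quarantine or a temporary per-mailbox throttle, independent of whether any single sender is on a DNSBL.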