68000 junk email in mail.box

One spammer was continuously sending spam and filled up mail.box, which killed the server. It was sending to people who do not even exist, and the mail server responded, saying, I need to notify the sender that the receiver does not exist, but the sender does not exist either. So Domino keeps trying (in my case the sender is addressed from Yahoo), and keeps getting a permanent error.

Anyway, any suggestions on how to monitor mail.box (right now I have created 3 boxes), or stop any email coming from one source IP, if it is continuously sending more than x emails or connections? Or once it gets rejected by mail rules, or because its address is not listed in my configuration doc?

We got to solve this!

Any way I can program this?

Thanks!

Subject: 68000 junk email in mail.box

We are also dealing with this same issue. We have had at least three instances of a spammer trying to use us as a relay, and even though we don’t allow the relay, they are able to bring our server to a halt as it tries to respectfully decline the attempt and report back the problem to the bogus sender.

We have found two ways to deal with it so far. Neither are pretty and both have side effects we’d rather not accept, but we do anyway:

  1. To eliminate the mail.box buildup problem, I have written a scheduled agent that runs on mail.box 4 times a day, against new and modified documents. It simply selects all documents with the field RoutingState equal to “DEAD” and deletes them. Lotus discourages this because some dead mail might be validly dead and you might want to know about it, but as the only admin at our company I can tell you there is NO WAY I would wade through the dead mail every day to see if any are legit. So this keeps our mail.box down to a nice reasonable size. You could probably also specify that the dead mail should be two or more days old or something like that or only run it once a week if you don’t like getting rid of it so quickly.

  2. To eliminate our server from grinding to a complete halt when we are bombarded with SMTP connection requests, we have thought about putting in a notes.ini parameter (from the Admin help) of SMTPMaxSessions=40. This would prevent spammers from opening hundreds of connections at once and overloading our system. It has the down side of returning legitimate mail with an error message if the max session limit is reached. We haven’t tried this yet but are tempted.

Also, we have a great anti-spam package installed (spamJam from gsw.com), but that only keeps spam out of our users’ mail boxes and does nothing to stop relay attempts.

Note that I say relay “attempts”. We are blocking relays, but the failed attempts are what are killing us. It would be so great if Domino had an SMTP option to not respond to relay attempts and instead to hold the connection open so the spammers have to wait to time out before making another attempt.

Another nice feature, as you say, would be to simply ignore any messages that come from the same IP address when there are more than x in a given time period (where we can specify the amount).

If you find a better solution, please let me know.

Thanks,

Beth Villanyi

Subject: RE: 68000 junk email in mail.box

Beth,

Rather than using an agent to purge mail.box you can set the Replication Settings to delete any documents older than 1 or 2 days. Just make sure you check the box. This will delete any held mail as well, which isn’t a problem for me but it might be for you.

Our firewall is configured to block SMTP flood attempts. If an SMTP host attempts to connect more than three times in a minute it will block them for 5 minutes. We use a Watchguard Firebox III 1000; you may want to speak to your firewall admin to see if something similar exists at the network perimeter.

Hope that helps,

Charles
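
The firewall policy described in the post above (more than three connections in a minute earns a five-minute block), replayed over a constructed connection log. This is an added example, not part of the original thread and not WatchGuard or Domino code; the log format and the names `parse_line` and `evaluate` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the firewall policy described in the thread.
MAX_CONNECTIONS = 3                  # "more than three times in a minute"
WINDOW = timedelta(minutes=1)
BLOCK_FOR = timedelta(minutes=5)

# Constructed sample log; this line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2004-03-01 10:00:01 connect 192.0.2.10
2004-03-01 10:00:05 connect 198.51.100.7
2004-03-01 10:00:10 connect 192.0.2.10
2004-03-01 10:00:20 connect 192.0.2.10
2004-03-01 10:00:30 connect 192.0.2.10
2004-03-01 10:00:40 connect 192.0.2.10
2004-03-01 10:05:29 connect 192.0.2.10
2004-03-01 10:05:31 connect 192.0.2.10
"""


def parse_line(line):
    """Return (timestamp, source_ip) for one 'DATE TIME connect IP' line."""
    stamp, _, ip = line.rpartition(" connect ")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), ip.strip()


def evaluate(log_text):
    """Replay the log and return a list of (timestamp, ip, decision) tuples."""
    recent = defaultdict(deque)      # ip -> accepted connection times inside WINDOW
    blocked_until = {}               # ip -> time at which the block expires
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip = parse_line(line)
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts, ip, "dropped"))
            continue
        blocked_until.pop(ip, None)  # any earlier block has expired
        window = recent[ip]
        while window and ts - window[0] >= WINDOW:
            window.popleft()         # forget attempts older than one minute
        window.append(ts)
        if len(window) > MAX_CONNECTIONS:
            blocked_until[ip] = ts + BLOCK_FOR
            window.clear()           # count afresh once the block expires
            decisions.append((ts, ip, "blocked"))
        else:
            decisions.append((ts, ip, "accepted"))
    return decisions
```

In the sample, 192.0.2.10 is blocked on its fourth connection inside one minute and is accepted again only after the five minutes have passed, while 198.51.100.7 is never affected.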

Subject: RE: 68000 junk email in mail.box

Or set Archive settings to do the same thing - delete anything older than x days without archiving. Will run with your nightly compact task.

Stephen Lister

Subject: 68000 junk email in mail.box

Blocking mail relay/ip addresses/domains…

You can also add the email addresses to the restrictions in the configurations document. In the server’s Names and Address book, go to the ALL SERVERS configuration. See attached picture link on which tabs to hit in that document and where to put email addresses. You get a lot of mail control from that tab in the config document. You can even block entire domains. Make sure you put the * in the two shown fields.

http://216.219.252.107/nf5012.jpg

dzp

Subject: RE: 68000 junk email in mail.box

The spammer changes their addresses all the time, so it is a waste of time to do this. I am looking for a way to find how many times the exact same email tries to send to different recipients. If it exceeds a certain limit I need to know and to stop it. Or if mail.box has a certain # of dead mail I also need to know! Thanks for the try!

Subject: Look at Admin help

Inbound Intended Recipients Controls

Field: Verify that local domain recipients exist in the Domino Directory

Enter: Specifies whether the SMTP listener checks recipient names specified in RCPT TO commands against entries in the Domino Directory. Choose one:

Enabled - If the domain part of an address specified in an SMTP RCPT TO command matches one of the configured local Internet domains, the SMTP listener checks all configured directories to determine whether the specified recipient is a valid user. If all lookups complete successfully and no matching username is found, the SMTP server returns a 550 permanent failure response indicating that the user is unknown. For example:

550 bad_user@yourdomain.com … No such user

Choosing this setting can help prevent messages sent to nonexistent users (for example, spam messages and messages intended for users who have left the organization) from accumulating in MAIL.BOX as dead mail.

To avoid messages from being rejected as a result of directory unavailability, Domino accepts messages when an attempted directory lookup does not complete successfully.

To avoid unnecessary directory lookups, Domino completes the other SMTP inbound tests configured in the relay, sender, and recipient controls before verifying names in the Domino Directory.

Note: When this setting is enabled, the server cannot relay mail to a smart host, because Domino rejects messages addressed to local domain recipients who are not listed in the Domino Directory.

Disabled - (default) The SMTP listener does not check whether local domain recipients specified in the RCPT TO command are listed in the Domino Directory.

Subject: RE: Look at Admin help

This does not work! I am using Domino as a gateway. All inbound are forwarded to a smart host.

Instead, I only allow certain addresses to receive email, and Domino will say this domain is not local, so it forwards them to the internal server for people to receive email. Domino is being used as a gatekeeper for black list filtering and mail rules.

My need is: who has done monitoring of mail.box, plus is there any way to reject a connection dynamically (I know you can put an IP in the rejection list) based on certain conditions, e.g. if this guy tries to send too many times?

The

Subject: RE: Look at Admin help

Domino doesn’t have anything in it to do what you’re looking for. We had many of the same problems and we’ve installed a gateway product specifically for blocking SPAM and for anti-virus, etc.