[Mimedefang] What to do about bounced forgeries?

Kevin A. McGrail kmcgrail at pccc.com
Mon Dec 22 12:58:56 EST 2003


> In an earlier post David mentioned that he gets about 300 (over 250)
> "..User unknown" messages a day, but I assume that he runs a fairly low
> volume server, and I'm curious to know how many such messages are being
> seen by those of you who process in excess of 100,000 messages a day. Is
> anyone else seeing the 500K-plus messages that we are seeing?

It depends on the domain, but yes, I see spammers using our domains to sign
spams that then slam us with invalid notices. Typically, the nicer domains
(like revamp.com) get used more often than the obscure and harder to spell
domains (sloveniangenealogy.org).  I used to think that the spammers were
picking similar domains to their products (which used to happen with things
like essentialformulas.com and similar legitimate sites).  However, these
days, I really don't know what rhyme or reason they use.

We have also handled domains that are the victims of far more dictionary
attacks than the normal amount we see per domain.  In fact, one of them,
datadisc.com, we simply had to stop handling backup MX for because it was
causing on the order of 90K to 120K of bad emails per day.

Right now, in the last 60 days, we have rejected over 4.5 million emails
JUST on one server.  So yes, I see a substantial number of these emails, but
no, I haven't seen any spikes in activity since Nov 10th.

Unfortunately, as with DFS' opinion, I simply count this as part of the game
and continue upgrading our mail servers to handle things.  However,
considering we are on bandwidth bursting to 100Mbps and they have bursted to
using over 6Mbps of billable bandwidth before, it can be quite a costly and
resource intensive issue.

BTW, we have the same problem with incorrect forged-header virus notices
(which are worthless and I hate the arguments that insist on sending them).
I don't have a good count on the number of virus notices but I know it tops
13K per day on the same server.

Regards,
KAM


