email problem

[balloonguy]

All of a sudden I am getting emails bouncing back...
This is what the tech said - does this seem about right to those of you with more knowledge?

From what I have been able to assertain from the mail server log files is that the domain name "mail.balloonprinting.com" has been the recipient of some form of Denial Of Service attack for the last week.  I spent the entire weekend, all day yesterday and am still trying to clean up the mess they are STILL leaving behind.  I am trying very hard to understand how to thwart this and have enlisted our network guys at the colocation facility to see if they have any ideas.
 
What they appear to be doing, and I'm still collecting all of the facts, is sending out emails spoofing computers all around the world while representing themselves with a valid email address at BalloonPrinting.com.  Each email contains anywhere from 50 to 250 FAKE recipients and 50% of those fake recipients have been at YAHOO.COM.  When the attack is initiated it looks like they are sending out a few thousand emails configured in such a way. Of course our mail server and the mail servers of all the receiving domains have to work over time to deal with all the extra load of the fake accounts and if a sending domain upsets a receiving ISP then yes they will block, while most often, delay the receipt of valid mail.
 
I can only imagine what happens on Yahoos end. On this end what they did this weekend overloaded our mail server with over 435,000 invalid emails that required me to shut down the mail server until the invalid files could be removed.
 
I've identified 2 specific signatures to look for to be proactive in helping keep things clean here; but, I'm not able to control these people that are out there spoofing valid email addresses to send what appears to be valid emails.  This was at least for the short term, I'm hopeful that I can keep the external ISPs from being inundated with these fake emails.
 
I know this is not the news that you wanted to hear; but, at least know that I 'mworking to get some kind of automated test in place that will detect this specific issue quickly and avoid over loading other Internet Service Providers like Yaho

[inkman996]

All of a sudden I am getting emails bouncing back...
This is what the tech said - does this seem about right to those of you with more knowledge?

From what I have been able to assertain from the mail server log files is that the domain name "mail.balloonprinting.com" has been the recipient of some form of Denial Of Service attack for the last week.  I spent the entire weekend, all day yesterday and am still trying to clean up the mess they are STILL leaving behind.  I am trying very hard to understand how to thwart this and have enlisted our network guys at the colocation facility to see if they have any ideas.
 
What they appear to be doing, and I'm still collecting all of the facts, is sending out emails spoofing computers all around the world while representing themselves with a valid email address at BalloonPrinting.com.  Each email contains anywhere from 50 to 250 FAKE recipients and 50% of those fake recipients have been at YAHOO.COM.  When the attack is initiated it looks like they are sending out a few thousand emails configured in such a way. Of course our mail server and the mail servers of all the receiving domains have to work over time to deal with all the extra load of the fake accounts and if a sending domain upsets a receiving ISP then yes they will block, while most often, delay the receipt of valid mail.
 
I can only imagine what happens on Yahoos end. On this end what they did this weekend overloaded our mail server with over 435,000 invalid emails that required me to shut down the mail server until the invalid files could be removed.
 
I've identified 2 specific signatures to look for to be proactive in helping keep things clean here; but, I'm not able to control these people that are out there spoofing valid email addresses to send what appears to be valid emails.  This was at least for the short term, I'm hopeful that I can keep the external ISPs from being inundated with these fake emails.
 
I know this is not the news that you wanted to hear; but, at least know that I 'mworking to get some kind of automated test in place that will detect this specific issue quickly and avoid over loading other Internet Service Providers like Yaho

Funny you bring this up, I am having some issues with our mail server as well. Unfortunately I do not have a tenth on the knowledge you have and no idea how to deal with it.

In my case my email specifically all the others on the server seem to be ok for now, I am receiving hundreds of fake emails a day and the sender is someone from my contacts but the actual email is not. All the emails are yahoo as far as I can tell. The problem is none of these emails are being caught by either AT&T filters or Thunder Bird. I could be wrong also and maybe they are filtering out a lot of emails and the few hundred I am receiving are just the ones getting through.

It is getting to difficult to read my emails now being that I have to scan through boat loads of emails to root out the fakes.

I have called AT&T's hosting support and they are useless and unwilling to help, they claim the burden is on us to deal with it. I have two choices scrap my 15 years old email account and start fresh or hire some geeks that will charge my second born to solve this grrrrrrrrr.

[Gilligan]

Hey Matt... it all seems plausible and potentially legit.  IE, he's not blowing smoke up your a$$ with a bunch of over the top mumbo jumbo.

How long should it take to get resolved is beyond me.  You can get black listed with some servers or services that maintain black list and then will have to contact them to get off that black list.  That likely won't happen until this is all resolved.

Good luck man!

[balloonguy]

I spoke to my contact again today. He is a very nice guy and seems to be legitimately concerned.
Here is what he said:
Good Morning Matt,
I've been battling another spam attack against BalloonPrinting.com that started about 1:00am.  This time the attack originated from Brisbane NZ and they represented that they were postmaster@mail.balloonprinting.com.  I managed to keep over 13,000 of the files associated with the attack and will be keeping all I can in the future for use by law enforcement.  If you would like, I can ZIP them up and get you a copy of them as well.
This morning I took a very extreme set of steps with the Post Office for BalloonPrinting.com.  In our mail server Administration / Anti Spam / Connection Filters / Connection Checks Setting,  I set the system to Verify the "MAIL FROM Address", "Perform Reverse DNS Lookup for Connecting Server" and "Verify HELO / EHLO domain". If everything does not match then the connection will be rejected.  Unfortunately I won't know if this works until we go some time without another attack.  If it does not work then, I am back to the virtual drawing board.
Regarding Google bouncing the email back to you.  Do they provide you with any instructions on how to clear up the problem if it is perceived to be an error?  If so, you could try contacting  them and let them know what is going on. Let them know we are working to clear it up; but, see if they can lift whatever filter they have blocking you.  Problem is, if you are able to get someone to lift the block they have in place, the next time this attack happens your site will automatically be blocked again.
Probably not the answers you want to hear and definitely not the answers I wanted to deliver; but, Matt, I am honestly at my knowledge's end of what to do in this case.  While I would hate to lose the business there is a part of me that wants to suggest you consider a larger ISP hosting service that has the personnel resources and more importantly "skills" available to battle this.  I would rather get you to a place where you can get some reliable help than you wind up being upset with us for not being able to rectify this problem.  So, if you would like to transition somewhere else I will do everything to make that transition go smoothly. I am at your disposal.
Thank you again for your patience.  Please let me know your thoughts.
Sincerely,
Bill

I am at a loss. He is sure that this is a targeted attack and not a random incident. Has anyone ever seen this from a competitor or something like that?
Matt

[3Deep]

Someone hacked my aol account and was sending emails to everyone in my contacts, I know some folks on here got them as they call me.  What I did was delete every email contact in my aol account and it stopped.

Darryl

[balloonguy]

These are not going to my contacts. they are going to 10's of 1000's of fake email addresses. The idea is to get my ip banned from the mail servers. It is working. I can not send an email to any gmail account right now. Over the last few days I have been trying to restore my rep with yahoo, msn, aol... This sure makes it hard to communicate with clients.

[cbjamel]

Try changing your password on your email. Harder one, with more caps and numbers. See if stops then.

Shane

[mk162]

this is a different problem all together.  if it was that easy, the tech guy would have done it for him.

[Im-Magic]

We had the same problem after a denial of service attack and not only were our emails bouncing but some of our customers could no longer send emails to us (due to their internal virus protection systems)
The only way we could get around it was to move everything to another ISP, which took about a day and is a good reason why you need to separate where you get your name from (ie GoDaddy) and where you put the site. If we had of been hosted by GoDaddy we would have been screwed.

[royster13]

The only way we could get around it was to move everything to another ISP, which took about a day and is a good reason why you need to separate where you get your name from (ie GoDaddy) and where you put the site. If we had of been hosted by GoDaddy we would have been screwed.

I have never heard such a thing like that before.....Where did you get this information?  As I would like to do some research...Thanks....

[Im-Magic]

We were hosted by Supreme Server32 in Fresno (I Think) They were blackmailed and as they did not pay they were attacked over a 24 hour period. During this time all email addresses held by them were stolen and set to spam with virusus wordwide. This meant that sites like Gmail would reject emails and other sites would reject emails sent to them. By changing to another host we changed our ip address and therefore could send and recieve again.

[ebscreen]

Seems like an honest and nice guy the OP is dealing with. And his advice probably
is your best bet, switch to a larger provider, at least for the time being. I use and
love Host Gator personally.

But a nice guy like that, I'd ask him to tell me if he ever gets to the point where he can
handle stuff like this to hit me up and I'd switch back.

And yes, switching providers will get you off of the blacklist. I used to be with GoDaddy
and if the server you are hosted on also hosts questionable sites (pretty likely) you will
end up on blacklists of other ISP's. About the only thing you can do is switch hosts.