Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1776
Views
5
Helpful
5
Replies

Email bomb filters

Phil Bradley
Level 4
Level 4

‎10-26-2019 04:32 AM

Does anyone have any filters to apply for email bombs/flooding that they could share? I have implemented quite a few content and message filters but still see a lot of these come through. I have temporarily created a whitelist of domains based on a dictionary that can send to the user until the flooding hopefully settles down.

Labels:
0 Helpful
5 Replies 5

marc.luescherFRE
Spotlight
Spotlight

‎10-28-2019 12:06 AM - edited ‎10-28-2019 12:06 AM

The most effective way to deal with mail bombs is to slow the sender down as much as possible, This will make delivering email to your domain very costly to them in terms of CPU time.

 

For this you create a mail flow policy like Trottled_Slow_Down

 

Max. Messages Per Connection: 1

Max. Recipients Per Message: 3-5

Max. Concurrent Connections From a Single IP: 1

 

under mail flow

Max. Recipients Per Hour: 2

 

be careful with rate limits for senders and leave them default first.

 

The rest should match your normal mail flow policy for accepted. The create a HAT matching this mail flow policy and add the corresponding hostnames or IP addresses. You can still create now a basic message filter to drop such messages if needed but you will see some of the bad actors will stop very quickly when they start seeing mail queues at their end.

 

I hope that helps

 

 

-Marc

Phil Bradley
Level 4
Level 4
In response to marc.luescherFRE

‎10-28-2019 01:40 PM

Thanks for the reply. I will try to implement some of these above. One of the issues is that they are using bots to register on thousands of sites so the emails are coming from many servers/ip addresses. 

0 Helpful

marc.luescherFRE
Spotlight
Spotlight
In response to Phil Bradley

‎10-28-2019 01:56 PM

Can you work with SRBS or SDR to get them caught or are there any other similarities you can work with ?

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee
In response to marc.luescherFRE

‎10-28-2019 04:26 PM

I agree with marc.

If you're able to obtain some details about region or domains, typically SBRS / SDR should help - if there is commonality then geolocation + other aspects can assist as well.

However is there is a sample set of tracking results that can be looked at - it will open more avenues of other potential workarounds.

Regards,
Mathew
0 Helpful

Phil Bradley
Level 4
Level 4
In response to Mathew Huynh

‎10-31-2019 06:02 AM

So I have a case opened with TAC and we have utilized various tools. We created a aggressive spam filtering for the user and this helped some by lowering the SBRS score. We are also utilizing GEO as well but most of these are coming from legit sites/countries. The interim solution has been to apply a white-list for the user.

0 Helpful
Customers Also Viewed These Support Documents