Email bomb filters

Phil Bradley
Level 4

Does anyone have any filters to apply for email bombs/flooding that they could share? I have implemented quite a few content and message filters but still see a lot of these come through. I have temporarily created a whitelist of domains based on a dictionary that can send to the user until the flooding hopefully settles down.

5 Replies

marc.luescherFRE
Spotlight

The most effective way to deal with mail bombs is to slow the sender down as much as possible. This will make delivering email to your domain very costly to them in terms of CPU time.

For this you create a mail flow policy like Throttled_Slow_Down:

Max. Messages Per Connection: 1

Max. Recipients Per Message: 3-5

Max. Concurrent Connections From a Single IP: 1

Under mail flow:

Max. Recipients Per Hour: 2

Be careful with rate limits for senders and leave them at default first.

The rest should match your normal mail flow policy for accepted. Then create a HAT matching this mail flow policy and add the corresponding hostnames or IP addresses. You can still create a basic message filter now to drop such messages if needed, but you will see some of the bad actors will stop very quickly when they start seeing mail queues at their end.

I hope that helps.

-Marc

Thanks for the reply. I will try to implement some of these above. One of the issues is that they are using bots to register on thousands of sites, so the emails are coming from many servers/IP addresses.

Can you work with SBRS or SDR to get them caught, or are there any other similarities you can work with?

I agree with Marc.

If you're able to obtain some details about region or domains, typically SBRS / SDR should help - if there is commonality then geolocation + other aspects can assist as well.

However, if there is a sample set of tracking results that can be looked at, it will open more avenues of other potential workarounds.

Regards,
Mathew

So I have a case opened with TAC and we have utilized various tools. We created aggressive spam filtering for the user and this helped some by lowering the SBRS score. We are also utilizing GEO as well, but most of these are coming from legit sites/countries. The interim solution has been to apply a white-list for the user.
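
Added example (not part of the thread, and not Cisco or ESA code): because the flood described above arrives from many legitimate sites and IP addresses, per-IP throttling sees each source only once, so the usable signal is per recipient. This sketch flags recipients whose inbound mail in a sliding window is both high in volume and high in sender diversity; the record layout, thresholds and addresses are constructed assumptions, and tracking results would need to be exported into this shape first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed records: (timestamp, recipient, sender domain, source IP)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    for i in range(40):  # distributed flood: 40 different sites and IPs in under 10 min
        rows.append((t0 + timedelta(seconds=15 * i), "victim@example.com",
                     f"site{i}.example", f"198.51.100.{i + 1}"))
    for i in range(35):  # one busy but legitimate list server
        rows.append((t0 + timedelta(seconds=15 * i), "colleague@example.com",
                     "lists.example", "192.0.2.10"))
    for i in range(3):   # ordinary low-volume mail
        rows.append((t0 + timedelta(minutes=i), "other@example.com",
                     f"partner{i}.example", f"203.0.113.{i + 1}"))
    return rows

def find_flooded_recipients(records, window=timedelta(minutes=10),
                            min_messages=30, min_domains=20):
    """Return {recipient: (messages, distinct domains, distinct IPs)} at the peak
    window for every recipient that exceeds both thresholds (assumed values)."""
    recent = defaultdict(deque)   # recipient -> records still inside the window
    flagged = {}
    for ts, rcpt, domain, ip in sorted(records):
        q = recent[rcpt]
        q.append((ts, domain, ip))
        while ts - q[0][0] > window:      # expire records older than the window
            q.popleft()
        domains = {d for _, d, _ in q}
        if len(q) >= min_messages and len(domains) >= min_domains:
            if len(q) > flagged.get(rcpt, (0, 0, 0))[0]:
                flagged[rcpt] = (len(q), len(domains), len({a for _, _, a in q}))
    return flagged

if __name__ == "__main__":
    for rcpt, (msgs, doms, ips) in find_flooded_recipients(build_sample()).items():
        print(f"{rcpt}: {msgs} messages from {doms} domains / {ips} IPs in 10 min")
```

A recipient flagged this way is a candidate for the temporary per-user allow-list or aggressive per-user policy discussed in the thread, while the single-source list server is left to ordinary rate limiting.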