Computer Mail Services, Inc.
Software / Services / eMail Tools: IP Address Blocking, Spam Filtering, Log Data Mining and DNS Blacklist Monitoring

Denial-of-Service Spam Attacks

Using XE-Filter to Prevent Spammers from Overwhelming Your Mail Server


What is a "Denial-of-Service" or DoS spam attack?

Spammers sometimes send a flood of traffic that overwhelms an email server.  The result is sluggish email delivery, delaying legitimate messages from reaching their intended recipients on your network.

This sluggishness is compounded if your mail server queries a free DNS blacklist server such as Spamhaus or SpamCop. These servers are usually distant, and the response time for each query may add several hundred milliseconds. These servers may also slow their responses if too many queries originate from your mail server in a short period.

Having these IP sessions active during a denial-of-service attack will quickly exhaust a machine's network resources and your mail server may become unable to receive inbound connection attempts from legitimate sources.  In extreme cases, a mail server can crash when system resources are depleted.

What causes a "Denial-of-Service" attack?

CMS technicians have detected among customers at least three situations that give rise to a DoS spam attack:

Botnets

A large number of PCs are infected without their owners' knowledge and participate in what are known as "botnets". Under spammer control, these PCs can send millions of spam messages.

One CMS customer used XE-Filter to block 1.3 million botnet-generated email messages in a single 24-hour period.

NDR Blowback (Backscatter Spam)

When their domain name was hijacked by a spammer, a CMS customer blocked 1.1 million NDR messages in a single day.

Directory Harvesting

While not technically a spam attack, directory harvesting occurs when spammers connect to a mail server and use a dictionary of common names and their variations to determine whether the auto-generated email addresses are valid.

Directory Harvesting Examples
Mike.Smith@YourDomain.com
MSmith@YourDomain.com
Smith.Mike@YourDomain.com
SmithM@YourDomain.com

Multiply this by millions of test addresses, with connected sessions lasting hours, and the result is the same as a DoS attack.

Why shouldn't I rely on Microsoft's "Tarpit"?

For Exchange 2003 sites, recipient filtering and the "Tar Pit Technique" are Microsoft's solutions to Reverse NDR and Directory Harvest attacks.

CMS technicians do not recommend this tactic because it slows SMTP operations by stretching the connection time of each mail session. In the event of a DoS attack, the Tar Pit will quickly consume a mail server's resources.

Microsoft themselves are aware of the limitations of the Tar Pit Technique and issued this warning...

"If you enable the tar pit feature, you should carefully monitor the performance of your SMTP server.

Additionally, you should analyze the traffic patterns on the server to make sure that tar pitting is not disrupting or delaying ordinary traffic."

What are the symptoms of a DoS spam attack?

Any mail server can be the target of a DoS spam attack and often the early stages of the attack are unnoticed until real damage is done to your email communications.  Symptoms include...

Slow or no delivery of email from external senders

External senders complain your mail server is unreachable

Noticeable and sudden increase in unaccountable inbound email traffic

There are many current connection queues (hundreds) with excessive duration times (thousands of seconds)

Excessive administrative time dealing with email related issues (ex. mail server crashes and restarts).
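The sketch below is an added example, not CMS or XE-Filter code: it scans SMTP session records for two of the signs described on this page, a single source probing many invalid recipients (directory harvesting) and repeated sessions lasting thousands of seconds. The one-line log format, the addresses, and the thresholds are constructed assumptions; adapt the parsing to your mail server's actual log layout.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical format (not a real product's log):
# <client-ip> dur=<seconds> then rcpt=<address>:<SMTP reply code> per RCPT TO
SAMPLE_LOG = """\
203.0.113.7 dur=4210 rcpt=mike.smith@example.com:550 rcpt=msmith@example.com:550 rcpt=smith.mike@example.com:550
203.0.113.7 dur=3980 rcpt=smithm@example.com:550 rcpt=m.smith@example.com:550 rcpt=mikes@example.com:250
198.51.100.20 dur=3 rcpt=sales@example.com:250
198.51.100.21 dur=5 rcpt=slaes@example.com:550
192.0.2.44 dur=2600
192.0.2.44 dur=2750
192.0.2.44 dur=2900
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+dur=(?P<dur>\d+)\b")
RCPT_RE = re.compile(r"rcpt=(\S+?):(\d{3})")

def summarize(log_text, long_secs=1000):
    """Aggregate per-client session counts, long sessions and RCPT outcomes."""
    stats = defaultdict(lambda: {"sessions": 0, "long": 0, "bad": set(), "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        s = stats[m.group("ip")]
        s["sessions"] += 1
        s["long"] += int(m.group("dur")) >= long_secs
        for addr, code in RCPT_RE.findall(line):
            if code.startswith("5"):
                s["bad"].add(addr.lower())  # distinct rejected recipients
            elif code.startswith("2"):
                s["ok"] += 1
    return stats

def classify(log_text, min_bad=5, min_long=3, long_secs=1000):
    """Return {ip: [reasons]} for sources matching either pattern.
    Thresholds are illustrative assumptions, not vendor values."""
    findings = {}
    for ip, s in summarize(log_text, long_secs).items():
        reasons = []
        # Many distinct rejected addresses, outnumbering accepted ones:
        # a single mistyped address (198.51.100.21) does not trigger this.
        if len(s["bad"]) >= min_bad and len(s["bad"]) > s["ok"]:
            reasons.append("directory-harvest")
        if s["long"] >= min_long:
            reasons.append("long-sessions")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```
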

How does XE-Filter stop a DoS spam attack?

XE-Filter protects your email server from a DoS spammer attack before any damage is done.  It will filter incoming messages at the SMTP protocol level and "prevent" reception of unwanted email.


XE-Filter provides six layers of email protection. Its primary defense against DoS attacks is testing the IP address of the mail server that is sending the message.

If the sender's IP fails any XE-Filter test, the email is refused before it ever reaches your email server.

When refusing the email transmission attempt, XE-Filter returns a permanent and fatal error code, causing the sending mail server to generate a non-delivery notice to the sender. Your mail server, with XE-Filter, does not waste its time receiving messages from this spam attack and so does not deplete its resources to the spammer's benefit.

Case Study: A Flood of DoS Spam

A small West Coast trucking company (25 corporate email mailboxes) was suddenly overwhelmed with a flood of spam. Had XE-Filter not been in place, their email capabilities and servers would have ground to a halt, succumbing to the DoS spam.

The first three weeks of March saw their XE-Filter stop an average of over 1 million unwanted messages every day.   

CMS believes that the originators of the DoS spam attack eventually realized that their efforts to breach the security of this small company were unsuccessful, and the flood of spam subsided.

Copyright 2011 Computer Mail Services, Inc.