Back to Community Threads
Spam attack from one IP to one email address
Question asked by Mike Mulhern - 3/18/2021 at 6:52 AM
Unanswered
M
I had 28,000 spam messages sent from one outside IP address to one mailbox.

Questions to hopefully learn from those more experienced than me.  

1.    I blacklisted SMTP for the spam IP in Security > Blacklist.  Is there a better way to handle this?
2.    Is there a way to configure Smartermail to detect such attacks (say something like 200 emails in 1 hour from the same ip, block the emails) moving forward?
3.    What is the best way to delete the bad messages from spool short of deleting in 200 message chunks, which is what I did.  Maybe go to the directory in the SM server and delete out of spool there?
4.    Which is the best place to report the IP to help prevent the same thing happening to someone else?

Thank you for any and all help you might provide.
Kyle Kerst Replied
3/18/2021 at 4:30 PM
Employee Post
Hey Mike! Just chiming in here to get you some feedback to get started with. 

1.    I blacklisted SMTP for the spam IP in Security > Blacklist.  Is there a better way to handle this? <-- This is a great first step! I'd also set session timeouts on the protocols to force those blacklistings in to place sooner.

2.    Is there a way to configure Smartermail to detect such attacks (say something like 200 emails in 1 hour from the same ip, block the emails) moving forward? <-- You can set up throttling on the domain/user accounts, and can implement a system event under Settings>Events which will notify you when the spool count is above X number of messages. 

3.    What is the best way to delete the bad messages from spool short of deleting in 200 message chunks, which is what I did.  Maybe go to the directory in the SM server and delete out of spool there? <-- The quickest way to purge the spool is using these instructions here: https://portal.smartertools.com/kb/a3228/my-spool-is-full-of-pending-messages_-what-do-i-do.aspx Once you have a new spool, you can use the Windows search functionality to find/delete all of the same messages, then drop the remaining EML files into C:\SmarterMail\Spool\Drop to process them again successfully. 

4.    Which is the best place to report the IP to help prevent the same thing happening to someone else? <-- This one I am not sure on unfortunately. That being said though, spammers like these frequently have many IPs available to them in their pool as they're leveraging previously compromised legitimate servers, and simply move to another account/server/IP when they get blocked. One good step though is to look up the host provider associated with the IP and report it to their abuse@ contact. Hopefully with enough reports their security departments can identify some pattern to it and correct the underlying issue. Perhaps others can comment on this one specifically and provide better guidance. 

I hope this helps get you going in the right direction! Have a good one Mike!
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
M
Mike Mulhern Replied
3/19/2021 at 6:59 AM
Thanks Kyle!
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
SmarterMail and Network Address Translation (NAT)SmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Key Feature and Version Milestones in SmarterMailSmarterMail
Configure SmarterMail as a Backup MX ServerSmarterMail > Installation and Configuration
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting