Earlier today we started seeing multiple alerts from our network monitoring station indicating that two mail servers we manage were under considerable system load.
This became so bad that email began to be delayed and, on some occasions, clients attempting to connect via POP and IMAP were timing out, meaning that mail could not be retrieved. This is strange behaviour and something that really only occurs when the system is under considerable load.
Subsequently, after some investigation, it appeared that the vast majority of the mail was destined for one specific domain and addressed to some really suspect email addresses which were never likely to exist, such as: [email protected] – It seemed that email was coming in at such a fast rate that it not only saturated the primary mail server with inbound connections but was also starting to saturate the secondary mail exchange, effectively becoming a denial of service attack aimed specifically at one of our customers. The connections appeared to originate from a number of large network blocks based primarily throughout Russia and Ukraine. Once this was identified, we added some clever rules to our network to block this traffic and all services were restored as usual.
Once this issue was resolved, a post-mortem was carried out and some staggering numbers came to light. During one hour of this attack we saw somewhere in the vicinity of 96,000 messages destined for this one domain, all addressed to non-existent email addresses.
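The pattern described above (a flood of mail for one domain, almost all of it to addresses that do not exist, arriving from many source networks) shows up first in the MTA's own reject log, well before anyone reads the post-mortem. The following Python script is an added example, not code from the original post or from the provider it describes: it parses constructed Postfix-style "User unknown" reject lines, aggregates them by recipient domain and by source /24, computes the reject rate over the observed window, and flags domains whose volume and rate exceed a threshold. The log lines, addresses and IPs are constructed for the example, and the thresholds are assumptions to be tuned to a site's normal level of bounces.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed, Postfix-style smtpd reject lines (not taken from the original post).
# Six "User unknown" rejects hit victim.example within five seconds from two /24s,
# two hit other.example, and one line is an ordinary connect that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:00:00 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 550 5.1.1 <qwx7@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<qwx7@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:01 mx1 postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[198.51.100.11]: 550 5.1.1 <zz9k@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<b@spam.example> to=<zz9k@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:02 mx1 postfix/smtpd[4103]: connect from mail.partner.example[203.0.113.7]
Mar  3 10:00:02 mx1 postfix/smtpd[4103]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <typo@other.example>: Recipient address rejected: User unknown in local recipient table; from=<c@partner.example> to=<typo@other.example> proto=ESMTP helo=<x>
Mar  3 10:00:02 mx1 postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[198.51.100.12]: 550 5.1.1 <b4rf@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<d@spam.example> to=<b4rf@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:03 mx1 postfix/smtpd[4105]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 5.1.1 <hh11@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<e@spam.example> to=<hh11@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:04 mx1 postfix/smtpd[4106]: NOQUEUE: reject: RCPT from unknown[192.0.2.21]: 550 5.1.1 <plq@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<f@spam.example> to=<plq@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:05 mx1 postfix/smtpd[4107]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 550 5.1.1 <mmx@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<g@spam.example> to=<mmx@victim.example> proto=ESMTP helo=<x>
Mar  3 10:00:05 mx1 postfix/smtpd[4108]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <nobody@other.example>: Recipient address rejected: User unknown in local recipient table; from=<h@elsewhere.example> to=<nobody@other.example> proto=ESMTP helo=<x>
"""

# Matches only the "unknown recipient" rejects; other smtpd lines are skipped.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 "
    r"<[^>]*@(?P<domain>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_rejects(log_text, year=2024):
    """Return (timestamp, source_ip, recipient_domain) for each unknown-user reject.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # connects, deliveries and other reject codes are not counted here
        ts_text = re.sub(r"\s+", " ", m.group("ts"))  # collapse "Mar  3" to "Mar 3"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("domain").lower()))
    return events


def summarize(events, prefix_len=24):
    """Per recipient domain: reject count, rejects per second over the observed
    window, and the busiest source networks aggregated to /prefix_len."""
    by_domain = defaultdict(list)
    for ts, ip, domain in events:
        by_domain[domain].append((ts, ip))
    summary = {}
    for domain, hits in by_domain.items():
        times = [ts for ts, _ in hits]
        span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid divide-by-zero
        nets = Counter(str(ip_network(f"{ip}/{prefix_len}", strict=False)) for _, ip in hits)
        summary[domain] = {
            "count": len(hits),
            "rate_per_sec": len(hits) / span,
            "top_sources": nets.most_common(3),
        }
    return summary


def flag_floods(summary, min_count=1000, min_rate=5.0):
    """Domains whose unknown-recipient reject volume and rate both exceed the
    thresholds, highest count first. Defaults are assumed values, not site data."""
    flagged = [d for d, s in summary.items()
               if s["count"] >= min_count and s["rate_per_sec"] >= min_rate]
    return sorted(flagged, key=lambda d: summary[d]["count"], reverse=True)


if __name__ == "__main__":
    summary = summarize(parse_rejects(SAMPLE_LOG))
    for domain in flag_floods(summary, min_count=5, min_rate=1.0):
        s = summary[domain]
        print(f"{domain}: {s['count']} unknown-recipient rejects, "
              f"{s['rate_per_sec']:.1f}/s, top sources {s['top_sources']}")
```

Run against a real mail log, the per-domain reject rate is what separates a customer with a few mistyped addresses from the dictionary-style flood the post describes, and the per-network counts from `summarize` are the input a network team would use for the kind of blocking rules mentioned above. At the post's figures (96,000 rejects for one domain in an hour) the rate would sit far above even a generous threshold.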
Doing the maths, that works out at 1,600 messages per minute, or 26 spam messages PER SECOND!
On this basis, the next time I hear someone say “I have a spam problem!!!” after receiving 3 or 4 unwanted messages, I am probably going to have a chuckle to myself and think, you’ve got nothing! 🙂