Hi all,
I've got a wee problem here.
A primary school I work for has become a victim of a bit of a DoS attack, where a spammer somewhere is sending massive amounts of spam with seemingly all of them having something_random@this_school.school.nz as the FROM address.
(replace this_school with the domain name of the primary school affected)
As a result the mailserver is getting bombarded with bounce messages - about one every 3-5 seconds. It started at 4:50pm last night and is still going as I type, it hasn't let off at all.
They're on a rather expensive wireless connection so I've been able to deflect the attack to my own server at home by shutting down the school's mail server for now - mine's their backup MX.
I've put a few lines in my script that processes messages for spaminess and viruses to dump the message without wasting CPU if it happens to have an empty sender addy in the envelope (as per a bounce message) and has the school's domain name anywhere in the message.
I've also just now set up a hard SPF record - "v=spf1 ip4:school's.public.IP.address -all", and am hoping this'll slow down this flood in case the spammer is still at it.
Does anyone have any further ideas as to what I can do to stem this flood of bounce messages? Or do I just have to ride the storm now? Occasionally in there *is* a legitimate message.
Any ideas appreciated! I'd like to get on top of this before Xnet kill my account - lotsa incoming connections from lotsa different hosts, it does look dodgy!
Thanks everyone,
Andrew
PS: PM me if you want specifics like the school's domain which I've omitted here - I'd be interested if anyone's noticed much spam purporting to be from our domain.
PPS: Looking at the messages themselves (contained in the bounces), they appear to be coming from a botnet. They're definitely not coming from the school itself.
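As an added example (my own code, not Andrew's script), here is a Python classifier for the null-sender-plus-domain check described in the post, extended so the occasional legitimate bounce survives: it compares the Message-ID of the quoted original against the Message-IDs the school's server actually sent. The domain is the post's placeholder; the sent-log set and the two sample bounces are constructed for the example.

```python
import email
import re

SCHOOL_DOMAIN = "this_school.school.nz"   # placeholder domain, as in the post
# Message-IDs the school's server really sent; in production read from the
# outbound mail log.  Constructed sample value here.
SENT_MESSAGE_IDS = {"<20240101.123@this_school.school.nz>"}
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)


def classify_bounce(raw: bytes, envelope_sender: str) -> str:
    """Return 'deliver', 'legit-bounce' or 'backscatter' for one inbound message.

    Bounces carry an empty envelope sender.  One is backscatter when the original
    it quotes names our domain but is absent from our sent log.  Assumes the quoted
    original is plain text or message/rfc822, so its Message-ID is visible in raw.
    """
    if envelope_sender not in ("", "<>"):
        return "deliver"                       # not a bounce at all
    msg = email.message_from_bytes(raw)
    own_id = (msg.get("Message-ID") or "").strip()
    text = raw.decode("utf-8", errors="replace")
    # Every Message-ID except the bounce's own belongs to a quoted original.
    quoted_ids = set(MSGID_RE.findall(text)) - {own_id}
    if quoted_ids & SENT_MESSAGE_IDS:
        return "legit-bounce"                  # we really sent it: keep the bounce
    if SCHOOL_DOMAIN.lower() in text.lower():
        return "backscatter"                   # forged sender, drop without scanning
    return "deliver"                           # null sender but unrelated to us


# Constructed sample bounces (not real traffic).
BACKSCATTER = b"""From: MAILER-DAEMON@example.net
To: something_random@this_school.school.nz
Message-ID: <bounce1@example.net>

------ Original message ------
From: something_random@this_school.school.nz
Message-ID: <zombie9@198.51.100.7>
"""

LEGIT = b"""From: MAILER-DAEMON@example.org
To: teacher@this_school.school.nz
Message-ID: <bounce2@example.org>

------ Original message ------
From: teacher@this_school.school.nz
Message-ID: <20240101.123@this_school.school.nz>
"""
```

A bounce whose quoted original carries no Message-ID at all still falls through to the domain check, so if the sent log is incomplete it is safer to quarantine "backscatter" hits for a day than to delete them outright.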