I use Mailscanner with the configerver front end. Accounts are set up with a default mail address of :fail:
Yet someone with a lot of IP addresses is mailbombing an account on my box with thousands of emails addressed to nonexistent mailboxes on that account and the mail is not being :fail:ed (rejected) but accepted, not scanned, and bounced. Since the return addresses are mostly gmail accounts (which also don't exist) gmail rejects it as spam and blocks my server.
I have examined the settings carefully and cannot see how this could be happening. Most of the email has a subject something like
"Environmental representative needed" or words to that effect (they vary)
Banning IP addresses only works until they switch to another one.
Given the way :fail: is supposed to work, I don't see how these are getting in.
Moreover, I went into mailwatch and selected many of these, then marked them as spam. This had no effect. The system said they were being checked for tokens, but the next batch of such messages came in also without apparently being checked. MailScanner says it is running, and other messages are indeed being scored and pink, red, or black listed appropriately, but not these. The DC said outgoing messages were not being scanned and that they had set that setting, yet it was (apparently, according to the MSFE) already set. Moreover, these messages are incoming, not outgoing.
Is anyone else seeing this? Surely if must be more widespread than just my box. At the h=eight of the attacks I was getting over 10 000 messages like this a day, all with fake gmail or google.com return addresses. Many (perhaps all, I haven't checked) say the domain lookup has failed. At the suggestion of the DC I instituted mandatory DKIM checks, and thius seemed to reduce the problem, but in the last couple of days it is heating up again.
Any suggestions from mail experts?