From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 14:52:57 2008
Date: Thu, 16 Oct 2008 07:52:55 -0700
From: Jeremy Chadwick
To: eculp@casasponti.net
Cc: freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081016145255.GA12638@icarus.home.lan>
In-Reply-To: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>
List-Id: User questions <freebsd-questions.freebsd.org>
On Thu, Oct 16, 2008 at 09:01:02AM -0500, eculp@casasponti.net wrote:
> In the last hour, I've received over 200 legitimate bounce messages from
> email services as a result of someone having used or worse is using my
> email address in spam from multiple Windows machines and IP addresses.
> The end result is that I am getting the bounce messages. I'm sure that
> others on this list have experienced the problem and maybe have a
> solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf smtp bruteforce
> blocking rules because they are completely legit.
>
> I guess the work around is to filter them on incoming together with our
> local bounce messages until the spammers get tired of my address.

The term coined for this type of mail is "backscatter".

There is no easy solution for this. The backscatter article on
postfix.org, for example, caused our mail servers to start rejecting mail
that was generated from PHP scripts and CGIs on our own systems, which
makes no sense. The article:

http://www.postfix.org/BACKSCATTER_README.html

If the backscatter is all directed to a single Email address (rather than
a series of addresses, e.g. sdfkjhsfjkksjdf@yourdomain.com, and you have
*@yourdomain.com accepted), then a solution is to reject mail with an RCPT
TO of an account or virtual address that does not exist on your machine.

This, of course, has a wonderful side effect: spammers now have a way to
detect what Email addresses on your box legitimately accept mail; thus,
once they find one which never gets a bounceback, they will start pounding
that address to kingdom come.

Let me know if you do find a reliable, decent solution that does not
involve SPF or postfix header_checks or body_checks.
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
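The RCPT TO rejection described in the reply above, written out as a Postfix main.cf excerpt; this is an added example, not configuration from the thread or from the Postfix documentation, and the hostname, the example.com domain and the map file paths are assumptions:

```conf
# /etc/postfix/main.cf (hypothetical excerpt, added example)
# Goal: refuse, during the SMTP dialogue, any recipient that does not
# exist on this host, so backscatter aimed at invented local parts is
# never accepted and never generates a bounce from this box.
# Note: Postfix main.cf does not allow comments after a value, so every
# comment sits on its own line.

# Hostname and local domain are assumptions for this example.
myhostname = mail.example.com
mydestination = $myhostname, example.com

# --- Weak setting (the "*@yourdomain.com accepted" case) ---------------
# A catch-all entry in virtual_alias_maps makes every made-up address
# resolve to a real mailbox, so the unlisted-recipient check never fires.
# /etc/postfix/virtual would contain:   @example.com   catchall@example.com
#virtual_alias_maps = hash:/etc/postfix/virtual

# --- Hardened setting --------------------------------------------------
# Reject recipients that are not listed in the recipient tables at RCPT TO
# time (this is the Postfix default; it is stated explicitly here).
smtpd_reject_unlisted_recipient = yes

# Tables that define which local and virtual recipients exist. Paths of
# the virtual maps are assumptions.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
virtual_mailbox_domains = hash:/etc/postfix/vdomains
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
unknown_local_recipient_reject_code = 550

# Trade-off noted above: a remote sender can learn which addresses exist
# by watching which RCPT TO commands succeed. Error limits per session
# slow such probing down and make it visible in the mail log.
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

# Restriction order: relay control first, then the unlisted-recipient
# check, before any later permit.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient
```

Verify the live values with `postconf smtpd_reject_unlisted_recipient local_recipient_maps` and test a lookup with `postmap -q nobody@example.com hash:/etc/postfix/vmailbox`, which should return nothing for an address that is meant to be rejected.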