From: eculp@casasponti.net
To: freebsd-questions@freebsd.org
Date: Thu, 16 Oct 2008 12:18:36 -0500
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages

Jeremy Chadwick wrote:

> On Thu, Oct 16, 2008 at 09:01:02AM -0500, eculp@casasponti.net wrote:
>> In the last hour, I've received over 200 legitimate bounce messages from
>> email services as a result of someone having used or, worse, is using my
>> email address in spam from multiple Windows machines and IP addresses.
>> The end result is that I am getting the bounce messages. I'm sure that
>> others on this list have experienced the problem and maybe have a
>> solution that I don't have.
>>
>> The messages are allowed through my obspamd/pf and pf smtp bruteforce
>> blocking rules because they are completely legit.
>>
>> I guess the workaround is to filter them on incoming together with our
>> local bounce messages until the spammers get tired of my address.
>
> The term coined for this type of mail is "backscatter".
>
> There is no easy solution for this. The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense. The article:
>
> http://www.postfix.org/BACKSCATTER_README.html

Thanks for the article, Jeremy. I hadn't seen it.

> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf@yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
>
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
>
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.

I wish ;)

Thanks again,

ed

> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
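
The thread's idea of filtering incoming bounces can be sketched as a triage step that checks the Message-ID a bounce hands back against the ID host your own MTA stamps. This is an added example, not code from either poster; the host `mail.example.org`, the function names, the labels and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Assumption: our outbound MTA stamps Message-IDs ending in one of these hosts.
OUR_MSGID_HOSTS = {"mail.example.org"}

def returned_message_id(msg):
    """Message-ID of the original message a bounce carries back, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            return part.get_payload(0)["Message-ID"]
        if ctype == "text/rfc822-headers":       # headers-only copy
            text = part.get_content()
            return message_from_string(text, policy=policy.default)["Message-ID"]
    return None

def classify(raw, our_hosts=OUR_MSGID_HOSTS):
    """Label a raw message: not-a-bounce, unverifiable, own-bounce or backscatter."""
    msg = message_from_string(raw, policy=policy.default)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    if not (is_dsn or null_sender):
        return "not-a-bounce"
    mid = returned_message_id(msg)
    if not mid:
        return "unverifiable"                    # nothing returned to check against
    host = str(mid).strip().strip("<>").rpartition("@")[2].lower()
    # Heuristic only: a forger can copy our ID host, so treat "own-bounce" as a hint.
    return "own-bounce" if host in our_hosts else "backscatter"

def sample_dsn(returned_msgid, part_type="text/rfc822-headers"):
    """Constructed sample bounce (not a real message)."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@remote.example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery to nobody@remote.example.net failed.\n\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; remote.example.net\n\n"
        "Final-Recipient: rfc822; nobody@remote.example.net\nAction: failed\nStatus: 5.1.1\n\n"
        f"--b1\nContent-Type: {part_type}\n\n"
        f"Message-ID: {returned_msgid}\nFrom: ed@example.org\nSubject: hi\n\n"
        "--b1--\n"
    )
```

Messages labelled `backscatter` are candidates for a separate folder or quarantine rather than outright rejection, since a bounce that returns no original cannot be checked either way.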