Date: Mon, 20 Oct 2008 08:24:28 -0700
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Jeremy Chadwick" <koitsu@FreeBSD.org>, <eculp@casasponti.net>
Cc: freebsd-questions@freebsd.org
Subject: RE: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>
In-Reply-To: <20081016145255.GA12638@icarus.home.lan>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan>
> The term coined for this type of mail is "backscatter".
>
> There is no easy solution for this. The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense. The article:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf@yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
>
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
>
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.
>

The following doesn't fix the problem but it does help mitigate the deluge. We use a PERL script to tail our maillogs looking for any source IP that tries to send mail to more than 4 invalid addresses. When flagged, that IP is then added to a PF table that blocks the address and issues RST's for 12 hours. Of course, we also have a whitelist for "valid" SMTP servers. Like I said, it doesn't catch it all, but it catches *a lot* and generates almost no complaints. This does help obfuscate the valid/invalid addresses because all mail is accepted as far as the sender is concerned until the IP is blocked at the network layer.

The usual complaint is from a remote office that has 12 real estate agents behind a single IP, all with Outlook set to check mail "sooner than now." :-)

Mike
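The per-IP threshold Mike describes (count distinct non-existent recipients per source address, skip a whitelist, feed offenders into a PF table that is expired after 12 hours), written out as an added example. This is not the Perl script from the post: it assumes Postfix-style "User unknown" reject lines (the post names neither MTA nor log format), the table name smtp_probers, the whitelist networks, and the reject_line helper that builds the constructed sample log, all of which are mine.

```python
"""Flag source IPs that probe too many non-existent recipients, then emit pfctl commands.

pf.conf side (assumed; 'block return' answers with a TCP RST, as the post describes):
    table <smtp_probers> persist
    block return in quick on $ext_if proto tcp from <smtp_probers> to any port smtp
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed Postfix smtpd reject line; adjust for sendmail or another MTA.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 [\d.]+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

THRESHOLD = 4                 # "more than 4 invalid addresses", as in the post
TABLE = "smtp_probers"        # assumed pf table name
EXPIRE_SECONDS = 12 * 3600    # 12 hours, as in the post
# Assumed whitelist of "valid" SMTP servers that must never be blocked.
WHITELIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]


def reject_line(ip, rcpt, ts="Oct 20 08:24:28"):
    """Build a Postfix-style 'User unknown' reject line (constructed sample data)."""
    return (f"{ts} mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<bounce@example.net> to=<{rcpt}> proto=ESMTP helo=<x>")


# Constructed sample log (not from the original post): 192.0.2.10 probes five distinct
# unknown users plus one retry, 192.0.2.20 stays under the threshold, 198.51.100.5
# is over the threshold but whitelisted, and one line is an ordinary accepted client.
SAMPLE_LOG = [reject_line("192.0.2.10", f"u{i}@example.com") for i in range(5)]
SAMPLE_LOG += [reject_line("192.0.2.10", "u0@example.com")]  # retry of the same bad address
SAMPLE_LOG += [reject_line("192.0.2.20", f"v{i}@example.com") for i in range(3)]
SAMPLE_LOG += [reject_line("198.51.100.5", f"w{i}@example.com") for i in range(6)]
SAMPLE_LOG += ["Oct 20 08:25:01 mx1 postfix/smtpd[1202]: 3F2A1C0: "
               "client=mail.example.org[203.0.113.9]"]


def is_whitelisted(ip):
    """True when ip falls inside any whitelisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def invalid_rcpts_by_ip(lines):
    """Map source IP -> set of distinct non-existent recipients it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            # Distinct addresses, so retrying one bad mailbox does not inflate the count.
            seen[m["ip"]].add(m["rcpt"].lower())
    return seen


def offenders(lines, threshold=THRESHOLD):
    """Sorted IPs that probed more than `threshold` distinct invalid addresses, minus whitelist."""
    return sorted(ip for ip, rcpts in invalid_rcpts_by_ip(lines).items()
                  if len(rcpts) > threshold and not is_whitelisted(ip))


def pfctl_commands(ips, table=TABLE, expire=EXPIRE_SECONDS):
    """pfctl invocations: add each offender, then drop entries untouched for `expire` seconds.

    Run on every pass of the log tailer so old entries age out after roughly 12 hours.
    """
    cmds = [f"pfctl -t {table} -T add {ip}" for ip in ips]
    cmds.append(f"pfctl -t {table} -T expire {expire}")
    return cmds


if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE_LOG))))
```

In production the list comprehension over SAMPLE_LOG becomes a tail of the live maillog, and the commands are executed instead of printed; the whitelist check sits before the add so a legitimate relay with a stale address book is never cut off at the network layer.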