Date:      Mon, 20 Oct 2008 08:24:28 -0700
From:      "Michael K. Smith - Adhost" <mksmith@adhost.com>
To:        "Jeremy Chadwick" <koitsu@FreeBSD.org>, <eculp@casasponti.net>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID:  <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>
In-Reply-To: <20081016145255.GA12638@icarus.home.lan>
References:  <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan>


> The term coined for this type of mail is "backscatter".
> 
> There is no easy solution for this.  The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense.  The article:
> 
> http://www.postfix.org/BACKSCATTER_README.html
> 
> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf@yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
> 
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
> 
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.
> 

The following doesn't fix the problem but it does help mitigate the deluge.  We use a PERL script to tail our maillogs looking for any source IP that tries to send mail to more than 4 invalid addresses.  When flagged, that IP is then added to a PF table that blocks the address and issues RSTs for 12 hours.  Of course, we also have a whitelist for "valid" SMTP servers.  Like I said, it doesn't catch it all, but it catches *a lot* and generates almost no complaints.  This does help obfuscate the valid/invalid addresses because all mail is accepted as far as the sender is concerned until the IP is blocked at the network layer.

The usual complaint is from a remote office that has 12 real estate agents behind a single IP, all with Outlook set to check mail "sooner than now."  :-)

Mike

