Date: Mon, 20 Oct 2008 08:24:28 -0700
Message-ID: <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>
In-Reply-To: <20081016145255.GA12638@icarus.home.lan>
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Jeremy Chadwick"
Cc: freebsd-questions@freebsd.org
Subject: RE: I've just found a new and interesting spam source - legitimate bounce messages

> The term coined for this type of mail is "backscatter".
>
> There is no easy solution for this. The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense. The article:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf@yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
>
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
>
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.
>

The following doesn't fix the problem but it does help mitigate the deluge. We use a PERL script to tail our maillogs looking for any source IP that tries to send mail to more than 4 invalid addresses. When flagged, that IP is then added to a PF table that blocks the address and issues RST's for 12 hours. Of course, we also have a whitelist for "valid" SMTP servers. Like I said, it doesn't catch it all, but it catches *a lot* and generates almost no complaints. This does help obfuscate the valid/invalid addresses because all mail is accepted as far as the sender is concerned until the IP is blocked at the network layer.

The usual complaint is from a remote office that has 12 real estate agents behind a single IP, all with Outlook set to check mail "sooner than now." :-)

Mike
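The log-tailing detector Mike describes, as an added example that is not his script and not part of the original thread. It is written in Python rather than the Perl he uses, reads a batch of constructed Postfix-style `smtpd` reject lines instead of tailing a live maillog, counts invalid-recipient attempts per source IP, skips a whitelist of trusted relays, and emits the `pfctl` commands that would add offenders to a PF table and expire them after 12 hours. The log format, the table name `spammers`, the whitelist network and the sample IPs are all assumptions; on a server that accepts everything and bounces later, as Mike's does, the regex would have to match the delivery agent's "unknown user" lines instead of the `smtpd` rejects shown here.

```python
import re
import ipaddress
from collections import defaultdict

# Policy taken from the post: more than 4 invalid recipients from one IP
# earns a block, and blocks last 12 hours.
THRESHOLD = 4
BLOCK_HOURS = 12
PF_TABLE = "spammers"  # hypothetical PF table name, referenced from pf.conf as <spammers>

# Constructed whitelist of "valid" SMTP relays that must never be blocked.
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed Postfix smtpd reject line, e.g.
#   ... NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <x@example.com>:
#       Recipient address rejected: User unknown in local recipient table; ...
LINE_RE = re.compile(r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*?User unknown")

# Constructed sample maillog excerpt: 192.0.2.10 probes five bad addresses,
# 203.0.113.5 only two, and the whitelisted 198.51.100.7 six.
SAMPLE_LOG = (
    [f"Oct 20 08:0{i}:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
     f"unknown[192.0.2.10]: 550 5.1.1 <bogus{i}@example.com>: Recipient address "
     f"rejected: User unknown in local recipient table; from=<> to=<bogus{i}@example.com>"
     for i in range(5)]
    + [f"Oct 20 08:1{i}:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
       f"mail.example.net[203.0.113.5]: 550 5.1.1 <nope{i}@example.com>: Recipient address "
       f"rejected: User unknown in local recipient table; from=<> to=<nope{i}@example.com>"
       for i in range(2)]
    + [f"Oct 20 08:2{i}:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
       f"relay.partner.example[198.51.100.7]: 550 5.1.1 <old{i}@example.com>: Recipient address "
       f"rejected: User unknown in local recipient table; from=<> to=<old{i}@example.com>"
       for i in range(6)]
    + ["Oct 20 08:30:00 mx postfix/smtpd[1234]: connect from mail.example.net[203.0.113.5]"]
)


def parse_invalid_rcpt(line):
    """Return the client IP of an invalid-recipient reject line, or None."""
    m = LINE_RE.search(line)
    return m.group("ip") if m else None


def is_whitelisted(ip):
    """True if the address falls inside any trusted relay network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def offenders(lines, threshold=THRESHOLD):
    """Map source IP -> invalid-recipient count for IPs over the threshold."""
    counts = defaultdict(int)
    for line in lines:
        ip = parse_invalid_rcpt(line)
        if ip is None or is_whitelisted(ip):
            continue
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def pf_commands(ips, table=PF_TABLE):
    """pfctl invocations that add each offender to the block table.

    The matching pf.conf rule (assumed, not from the post) would be:
      block return-rst in quick proto tcp from <spammers> to any port smtp
    so blocked hosts get the RSTs Mike mentions rather than silent drops.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


def pf_expire_command(hours=BLOCK_HOURS, table=PF_TABLE):
    """pfctl invocation (run from cron) that drops entries older than the block window."""
    return f"pfctl -t {table} -T expire {hours * 3600}"


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    for ip, n in sorted(found.items()):
        print(f"{ip}: {n} invalid recipients")
    for cmd in pf_commands(found):
        print(cmd)
    print(pf_expire_command())
```

Counting per IP rather than per connection is what makes this survive the "12 agents behind one IP" case badly, exactly as Mike notes: the whitelist is the only escape hatch, so it is worth keeping the threshold above the number of typos a legitimate office produces in a block window.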