I've just found a new and interesting spam source - legitimate bounce messages

Michael K. Smith - Adhost mksmith at adhost.com
Mon Oct 20 08:24:40 PDT 2008


> The term coined for this type of mail is "backscatter".
> 
> There is no easy solution for this.  The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense.  The article:
> 
> http://www.postfix.org/BACKSCATTER_README.html
> 
> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf at yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
> 
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
> 
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.
> 

The following doesn't fix the problem but it does help mitigate the deluge.  We use a Perl script to tail our maillogs looking for any source IP that tries to send mail to more than 4 invalid addresses.  When flagged, that IP is then added to a PF table that blocks the address and issues RSTs for 12 hours.  Of course, we also have a whitelist for "valid" SMTP servers.  Like I said, it doesn't catch it all, but it catches *a lot* and generates almost no complaints.  This does help obfuscate the valid/invalid addresses because all mail is accepted as far as the sender is concerned until the IP is blocked at the network layer.

The usual complaint is from a remote office that has 12 real estate agents behind a single IP, all with Outlook set to check mail "sooner than now."  :-)

Mike
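The log-tailing / PF-table mitigation Mike describes, written out as an added example (this is not his Perl script, which is not on the page). It assumes Postfix-style "User unknown" reject lines as the marker of an invalid recipient, a hypothetical pf table named `backscatter`, and constructed sample log lines; the threshold (more than 4 invalid addresses) and the 12-hour block come from the post.

```python
import re
from collections import defaultdict

# Assumption: invalid recipients show up as Postfix "User unknown" rejects.
# The original post does not name the MTA or log format, so adjust this regex.
UNKNOWN_RCPT = re.compile(r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\].*User unknown")

THRESHOLD = 4             # more than 4 invalid recipients flags the source IP
BLOCK_SECONDS = 12 * 3600  # 12-hour block, expired by cron:
                           #   pfctl -t backscatter -T expire 43200
PF_TABLE = "backscatter"   # hypothetical table; pf.conf would carry e.g.
                           #   table <backscatter> persist
                           #   block return in quick from <backscatter> to any port 25
WHITELIST = {"192.0.2.1"}  # constructed: known-good relays are never blocked

def flag_sources(lines, whitelist=WHITELIST, threshold=THRESHOLD):
    """Return {ip: count} for non-whitelisted IPs that hit more than
    `threshold` unknown recipients in the given log lines."""
    counts = defaultdict(int)
    for line in lines:
        m = UNKNOWN_RCPT.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items()
            if n > threshold and ip not in whitelist}

def pf_commands(flagged, table=PF_TABLE):
    """pfctl invocations that add each flagged IP to the block table.
    Returned as strings so the check can run without root or pf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]

def _line(ip, rcpt):
    # Constructed Postfix-style reject line for the sample log below.
    return (f"Oct 20 08:24:40 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<> to=<{rcpt}>")

SAMPLE_LOG = (
    [_line("198.51.100.7", f"x{i}@example.com") for i in range(5)]   # 5: flagged
    + [_line("203.0.113.9", f"y{i}@example.com") for i in range(2)]  # 2: below threshold
    + [_line("192.0.2.1", f"z{i}@example.com") for i in range(6)]    # 6 but whitelisted
    + ["Oct 20 08:25:01 mx postfix/smtpd[1234]: connect from relay.example[203.0.113.9]"]
)

if __name__ == "__main__":
    for cmd in pf_commands(flag_sources(SAMPLE_LOG)):
        print(cmd)  # a real deployment would exec this on each flagged IP
```

In production the script would follow the live maillog with a rolling window rather than a fixed list, and a cron job running the `-T expire` command above removes entries after the 12-hour block.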