I've just found a new and interesting spam source - legitimate bounce messages

Beech Rintoul beech at freebsd.org
Mon Oct 20 09:16:33 PDT 2008


On Monday 20 October 2008, Michael K. Smith - Adhost said:
> > The term coined for this type of mail is "backscatter".
> >
> > There is no easy solution for this.  The backscatter article on
> > postfix.org, for example, caused our mail servers to start
> > rejecting mail that was generated from PHP scripts and CGIs on
> > our own systems, which makes no sense.  The article:
> >
> > http://www.postfix.org/BACKSCATTER_README.html
> >
> > If the backscatter is all directed to a single Email address
> > (rather than a series of addresses, e.g.
> > sdfkjhsfjkksjdf at yourdomain.com, and you have *@yourdomain.com
> > accepted), then a solution is to reject mail with an RCPT TO of
> > an account or virtual address that does not exist on your
> > machine.
> >
> > This, of course, has a wonderful side effect: spammers now have a
> > way to detect what Email addresses on your box legitimately
> > accept mail, thus once they find one which never gets a
> > bounceback, will start pounding that address to kingdom come.
> >
> > Let me know if you do find a reliable, decent solution that does
> > not involve SPF or postfix header_checks or body_checks.
>
> The following doesn't fix the problem but it does help mitigate the
> deluge.  We use a PERL script to tail our maillogs looking for any
> source IP that tries to send mail to more than 4 invalid addresses.
>  When flagged, that IP is then added to a PF table that blocks the
> address and issues RST's for 12 hours.  Of course, we also have a
> whitelist for "valid" SMTP servers.  Like I said, it doesn't catch
> it all, but it catches *a lot* and generates almost no complaints. 
> This does help obfuscate the valid/invalid addresses because all
> mail is accepted as far as the sender is concerned until the IP is
> blocked at the network layer.
>
> The usual complaint is from a remote office that has 12 real
> estate agents behind a single IP, all with Outlook set to check
> mail "sooner than now."  :-)
>
> Mike

SpamAssassin also has a backscatter feature; you just have to enable 
it. It tags backscatter and hands it off to procmail. From there you 
can easily do whatever you want with the tagged mail, including kick 
off a script to block the offending IP. In my case I just dump it 
along with any spam to /dev/null. It works so well I had to bounce a 
couple of emails just to make sure it wasn't also grabbing mine. 
Nope, anything I bounce gets delivered. My backscatter is now 
virtually zero. Of course, like everything else in SpamAssassin, it's 
tuneable. It's a very good solution without a lot of heavy lifting.

Beech

-- 
---------------------------------------------------------------------------------------
Beech Rintoul - FreeBSD Developer - beech at FreeBSD.org
/"\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail   | http://people.freebsd.org/~beech
 X  - NO Word docs in e-mail | Skype: akbeech
/ \  - http://www.FreeBSD.org/releases/7.0R/announce.html
---------------------------------------------------------------------------------------
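The log-tailing mitigation Mike describes above, as an added example in Python; this is not the Perl script from the post and not part of the original thread. It counts distinct unknown recipients per client IP from Postfix-style smtpd reject lines (the sample log is constructed and the regex assumes that log format), skips a whitelist of known-good relays, flags an IP once it has probed more than four invalid addresses, and returns the pfctl commands that would add the offender to a table and expire entries older than 12 hours. The table name smtp_abusers, the whitelisted address, the hypothetical pf.conf rule in the comments and the Postfix line format are all assumptions.

```python
"""Flag sender IPs that probe too many invalid recipients and build pf block commands.

Added example (not the script from the mailing-list post). Assumes Postfix
smtpd "Recipient address rejected: User unknown" log lines; the table name,
whitelist and pf.conf rule below are illustrative assumptions:

    # /etc/pf.conf (assumed)
    table <smtp_abusers> persist
    block return-rst in quick proto tcp from <smtp_abusers> to any port smtp
"""
import re
import time
from collections import defaultdict

THRESHOLD = 4                 # "more than 4 invalid addresses" -> flag at the 5th
BLOCK_SECONDS = 12 * 3600     # 12-hour block, enforced by `pfctl -T expire`
PF_TABLE = "smtp_abusers"     # assumed pf table name
WHITELIST = {"198.51.100.25"}  # assumed "valid" SMTP relay that must never be blocked

# Regex for a Postfix smtpd reject line (assumed format); captures client IP and recipient.
LINE_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

# Constructed sample log: 192.0.2.10 probes 5 distinct bad addresses (one repeated),
# 203.0.113.7 probes 2, and the whitelisted 198.51.100.25 probes 5.
def _reject(ip, rcpt, pid=2201):
    return (f"Oct 20 09:01:12 mx postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown "
            f"in local recipient table; from=<> to=<{rcpt}> proto=ESMTP helo=<x>")

SAMPLE_LOG = [
    _reject("192.0.2.10", "sdfkjhsfjkksjdf@example.com"),
    _reject("192.0.2.10", "qwpoeiru@example.com"),
    _reject("192.0.2.10", "SDFKJHSFJKKSJDF@example.com"),   # same address, different case
    _reject("203.0.113.7", "oldaccount@example.com"),
    _reject("192.0.2.10", "zxcvbnm@example.com"),
    "Oct 20 09:02:00 mx postfix/smtpd[2203]: 5F3A2C0B1: client=mail.example.net[203.0.113.7]",
    _reject("203.0.113.7", "former.staff@example.com"),
    _reject("192.0.2.10", "mnbvcxz@example.com"),
    _reject("192.0.2.10", "lkjhgfdsa@example.com"),
] + [_reject("198.51.100.25", f"bounce{i}@example.com") for i in range(5)]


class ProbeTracker:
    """Incremental counter of distinct unknown recipients per client IP."""

    def __init__(self, threshold=THRESHOLD, whitelist=WHITELIST):
        self.threshold = threshold
        self.whitelist = set(whitelist)
        self.hits = defaultdict(set)
        self.flagged = set()

    def feed(self, line):
        """Consume one log line; return the IP the first time it crosses the threshold."""
        m = LINE_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.whitelist or ip in self.flagged:
            return None
        self.hits[ip].add(m.group("rcpt").lower())
        if len(self.hits[ip]) > self.threshold:
            self.flagged.add(ip)
            return ip
        return None


def scan(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    """Run a batch of log lines through a tracker; return flagged IPs in the order they crossed."""
    tracker = ProbeTracker(threshold, whitelist)
    return [ip for ip in (tracker.feed(line) for line in lines) if ip]


def pf_add_command(ip, table=PF_TABLE):
    """argv that adds one offender to the pf table (run with subprocess.run as root)."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def pf_expire_command(seconds=BLOCK_SECONDS, table=PF_TABLE):
    """argv that drops entries older than `seconds`; run it from cron to implement the 12h block."""
    return ["pfctl", "-t", table, "-T", "expire", str(seconds)]


def follow(fp, poll=1.0):
    """Yield lines appended to an open log file, like `tail -f`."""
    fp.seek(0, 2)
    while True:
        line = fp.readline()
        if line:
            yield line
        else:
            time.sleep(poll)


if __name__ == "__main__":
    for offender in scan(SAMPLE_LOG):
        print(" ".join(pf_add_command(offender)))
    print(" ".join(pf_expire_command()))
```

For live use, replace `SAMPLE_LOG` with `follow(open("/var/log/maillog"))` and execute the returned argv lists; keep the expire command in cron so the table is pruned even if the tailer is restarted. Counting distinct recipients (case-folded) rather than raw reject lines is what stops a single misconfigured client retrying one bad address from being blocked.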