John Heim wrote:
> I'm running a system with about 300 users. I run pflogsumm every night
> to generate mail log stats. The bounce detail lists 300 - 400 servers
> rejecting mail because the user is unknown. The vast majority of servers
> have 1 or 2 such rejections. This puzzles me. My users can't possibly
> be sending out that many mis-typed addresses.
>
> Upon further investigation, I have found that what is happening is that
> this is essentially backscatter from forwarded spam. When one of my
> users sets up a forward or if we configure an alias for them, spam is
> just sent off to their new address. If the server at the new address
> rejects it as spam, as it should, my MTA tries to bounce it back to the
> original recipient which, of course, is made up.
>
> Get it? Somebody tries to spam [EMAIL PROTECTED] and user12 has his
> mail forwarded to his gmail account. Gmail detects the spam, rejects the
> message and my MTA then generates a bounce back to the original forged
> from address.
>
> I don't see anything in the backscatter howto about this. I believe my
> machine is properly configured to not generate normal (for lack of a
> better term) backscatter. I mean, it doesn't bounce incoming spam. But
> this is almost like spam coming from inside my own system.
Right. This is one of the evils of forwarding. It's
unfortunate that forwarding is so useful...
The best solution to this problem is to stop the spam from
entering your system in the first place. Standard suggestions
include using an RBL or two and using SpamAssassin or other
content filter on whatever passes the RBLs. If you
tag+deliver spam, don't forward mail tagged as spam.
And yes, I understand that it might not be easy to implement.
--
Noel Jones
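An added example of the "don't forward mail tagged as spam" advice above; it is not from either poster. It assumes the forward is done per user by a local delivery agent (a .forward that pipes into procmail, or mailbox_command set to procmail in Postfix), that SpamAssassin has already tagged spam with its default X-Spam-Flag: YES header before local delivery, and that user12@example.invalid is a placeholder for the outside address.

```procmail
# ~/.procmailrc for a user whose mail is forwarded off-site.
# Assumption: SpamAssassin ran before local delivery and added
# "X-Spam-Flag: YES" to anything it classified as spam.

# Tagged spam is kept in a local folder and never forwarded, so the
# outside server can't reject it and trigger a bounce to the forged sender.
:0:
* ^X-Spam-Flag: YES
$HOME/mail/spam

# Everything else is forwarded as before.
:0
! user12@example.invalid
```

This only helps for forwards handled at local delivery; a virtual alias is expanded before any post-queue content filter runs, so spam routed that way is still forwarded untagged.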