Paweł Leśniak wrote:
On 2009-04-04 20:09, LuKreme wrote:
I've seen an increase in backscatter emails recently. Perfectly valid headers (AFAICT)

Return-Path: <>
...

Not surprising, since the message is sent by a real MTA.


Is there some sort of strategy I can implement that will reject a good portion of these kinds of messages? What are other people doing to deal with backscatter? I read up on SRS, but it doesn't sound like a great idea.

I'd recommend using rbl checks specified for this:
backscatter.map:
<> reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org

Good suggestion. This will reject bounces from known backscatter sources.

postmaster reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org

These two will never match anything. With a little adjustment they *might* be useful in a PCRE map.


Add
check_sender_access hash:/etc/postfix/backscatter.map
at the very last of RBLs in smtpd_recipient_restrictions (or other restrictions if you prefer). For sure you should also read info on those blacklists.

Best in smtpd_data_restrictions so you don't reject sourceforge and others sender verification probes.


IP you've provided as source of backscatter is listed in backscatterer.org.

Moreover, SPF won't help you much, because other mailserver admins would have to check it, and it's rarely supported.

True. It "seems" that sites with SPF are less frequently chosen as joe-job victims, but there's no guarantee. At any rate, adding SPF shouldn't hurt anything.

Other suggestions...

Add the header_checks suggested in http://www.postfix.org/BACKSCATTER_README.html
Note the examples will need to be "customized" for your site.

If you're using SpamAssassin, the VBOUNCE rules are helpful.

If you're using amavisd-new, it has some bounce-killer features that might help. Check amavisd-new release notes for details. IIRC this is part of the "penpals" feature of amavisd-new.

If you're using clamav, the Sanesecurity addon signatures kill some common backscatter.

If all else fails and your system is drowning, it might not be unreasonable to TEMPORARILY reject all mail from the null sender. This is a last resort measure and will reject legit mail.

  -- Noel Jones
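
Added example, not part of the original thread: a simplified Python model of the key order access(5) documents for check_sender_access on a hash: table, showing why the `<>` entry matches bounces while the bare `postmaster` and `MAILER-DAEMON` keys are only ever compared against the sender's domain. The sample senders are constructed, and `ADJUSTED_MAP` with `user@` keys is a hypothetical alternative to the PCRE adjustment mentioned in the reply; address extensions and parent-domain matching are left out.

```python
# Simplified model of Postfix access(5) lookups for check_sender_access
# against an indexed (hash:) table. Illustration only, not Postfix code.

NULL_KEY = "<>"  # default value of smtpd_null_access_lookup_key


def lookup_keys(sender):
    """Return the table keys tried, in order, for an envelope sender.

    Assumes the sender is either empty (null sender) or user@domain.
    """
    if sender == "":
        return [NULL_KEY]
    sender = sender.lower()  # keys are case-folded in this model
    local, _, domain = sender.rpartition("@")
    # Full address, then the domain, then "user@" (local part at any domain).
    return [sender, domain, local + "@"]


def check_sender_access(table, sender):
    """Return (matched_key, action), or (None, 'DUNNO') when nothing matches."""
    for key in lookup_keys(sender):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


RBLS = ("reject_rbl_client ips.backscatterer.org, "
        "reject_rbl_client bl.spamcannibal.org")

# The three keys from the posted backscatter.map, lower-cased.
POSTED_MAP = {"<>": RBLS, "postmaster": RBLS, "mailer-daemon": RBLS}

# Hypothetical adjustment: "user@" keys match the local part at any domain.
ADJUSTED_MAP = {"<>": RBLS, "postmaster@": RBLS, "mailer-daemon@": RBLS}

# Constructed envelope senders; "" stands for the null sender.
SAMPLE_SENDERS = ["", "postmaster@mx.example.net",
                  "MAILER-DAEMON@mx.example.net", "alice@example.org"]


def matched_keys(table):
    """Map each sample sender to the table key that matched (or None)."""
    return {s or NULL_KEY: check_sender_access(table, s)[0]
            for s in SAMPLE_SENDERS}


if __name__ == "__main__":
    for name, table in (("posted", POSTED_MAP), ("adjusted", ADJUSTED_MAP)):
        print(name, matched_keys(table))
```
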
