On 13/07/2011 19:04, motty.cruz wrote:
> Hi All, can anyone advise on how to effectively fight backscatter email.
> Below a typical header of the tons of backscatter email users get a day
>
> Return-Path: <MAILER-DAEMON>
> X-Original-To: u...@domain.tld
> Delivered-To: u...@domain.tld
> Received: from host.domain.tld (unknown [xxx.xxx.xxx.xx])
>     by mail.domain.tld (Postfix) with ESMTP id 3A23B8A037;
>     Wed, 13 Jul 2011 07:13:39 -0700 (PDT)
> Received: from host.domain.tld (localhost [127.0.0.1])
>     by host.domain.tld (Postfix) with ESMTP id ED8D5958D5
>     for <u...@domain.tld>; Wed, 13 Jul 2011 07:13:46 -0700 (PDT)
> X-Virus-Scanned: amavisd-new at domain.tld
> X-Spam-Flag: NO
> X-Spam-Score: 4.137
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.137 tagged_above=-999 required=6.31
>     tests=[BAYES_50=1.8, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
>     URIBL_BLACK=1.725, URIBL_PH_SURBL=0.61] autolearn=no
> Received: from host.domain.tld ([127.0.0.1])
>     by host.domain.tld (host.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id 72CZSuHVXXm4 for <u...@domain.tld>;
>     Wed, 13 Jul 2011 07:13:41 -0700 (PDT)
> Received: from ucmx01.uzuncase.com (66-193-162-90.static.twtelecom.net
>     [66.193.162.90])
>     by host.domain.tld (Postfix) with ESMTP id AF131958C7
>     for <u...@domain.tld>; Wed, 13 Jul 2011 07:13:41 -0700 (PDT)
> Received: from ucmail.UZUN_CASE_NT.COM ([192.168.13.6])
>     by ucmx01.uzuncase.com (8.13.8/8.13.8) with ESMTP id p6DEDcKT009597
>     for <u...@domain.tld>; Wed, 13 Jul 2011 10:13:38 -0400
> Received: from ucmail.UZUN_CASE_NT.COM ([192.168.13.5]
>     helo=ucmail.UZUN_CASE_NT.COM)
>     by ASSP.nospam; 13 Jul 2011 10:13:38 -0400
> From: postmas...@uzuncase.com
> To: u...@domain.tld
> Date: Wed, 13 Jul 2011 10:13:48 -0400
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
>     boundary="9B095B5ADSN=_01CC411EFEA41132000001C0ucmail.UZUN_CASE"
> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
> Message-ID: yA67JYZWL0000000a@ucmail.UZUN_CASE_NT.COM
> Subject: Delivery Status Notification (Failure)
> X-Assp-Re-Red: Content-Type: multipart/report
>

you might start with

/^(\d+\W){4}.*\.twtelecom\.net$/ REJECT generic hostname. please use your ISP or fix your DNS.

you can do a lot of other things, but the body of the backscatter is
probably the first thing to look at. unfortunately, you omitted it...

> I know this is Postfix list but here is my Amavisd-new

I confirm. amavisd-new and spamassassin are off topic here. so I'm not
gonna debate why you changed the threshold from 5 to 6.31 on this list.
we can talk about this on the SA users list.

> $sa_tag_level_deflt = -999; # add spam info headers if at, or above that level

that's 3 halves of the devil number:) use

$sa_tag_level_deflt = undef;

> $sa_tag2_level_deflt = 6.11; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail)
> $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
>
> $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
>
> Any suggestions are welcome, thanks in Advance.
> -Motty
>
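
An added example, not part of the original thread: a Python check of the regex suggested in the reply against the client hop from the quoted header, useful before putting the rule into a Postfix map. It assumes the rule sits in a pcre table consulted by check_client_access; the helper names and every sample line except the first are constructed.

```python
import re

# The rule from the reply. Postfix pcre/regexp tables match
# case-insensitively by default, hence IGNORECASE here.
GENERIC_TWTELECOM = re.compile(r"^(\d+\W){4}.*\.twtelecom\.net$", re.IGNORECASE)

# Postfix writes "from HELO (client-name [ip])". The client name is "unknown"
# when the PTR lookup fails or the name does not resolve back to the address.
RECEIVED_CLIENT = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def client_of(received):
    """Return (helo, client_name, ip) from a Postfix-style Received value, or None."""
    m = RECEIVED_CLIENT.search(received)
    return m.groups() if m else None


def verdict(received):
    """Approximate the access lookup: test the client name, then the IP.

    "DUNNO" stands for "no match, Postfix moves on to the next restriction".
    """
    client = client_of(received)
    if client is None:
        return "DUNNO"
    _helo, name, ip = client
    for key in (name, ip):
        if GENERIC_TWTELECOM.search(key):
            return "REJECT"
    return "DUNNO"


# Constructed samples: the first is the hop from the quoted header,
# the remaining lines are made up to show what the rule does NOT catch.
SAMPLES = [
    "from ucmx01.uzuncase.com (66-193-162-90.static.twtelecom.net [66.193.162.90])",
    "from mx.example.org (mail.twtelecom.net [192.0.2.10])",   # named host, not generic
    "from mx.example.org (unknown [192.0.2.25])",              # no verified client name
    "from host.domain.tld (localhost [127.0.0.1])",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):6} {line}")
```

The "unknown" sample shows the limit of a hostname rule: when the client name cannot be verified there is nothing for the pattern to match, so that case needs its own restriction.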