--- Harman Nagra <[EMAIL PROTECTED]> wrote:

> Sure, different ways you could do it. However, you
> are going against the RFC
> (http://www.faqs.org/rfcs/rfc821.html). In other
> words, you will be
> "breaking" the NDR's.
>
> Don't look at dropping the NDR's but look at what
> these NDR's are, why are
> you getting so many of them?

Most are invalid users, looks like bounces and the invalid user is a rcpt.

> Have you set your domain to "bounce" messages for
> non-existent users? This
> way chkuser can do its job properly.

Yes.

> NDR's are the by-products of SMTP, and spammers are
> now using them as the
> last resort to deliver spam in form of NDR's.

So I've noticed.

> Well you have a serious problem there, agreed. But
> again look at the
> connections, look at the logs, what and where are
> these connections from?

The majority were from RIPE and APNIC. As I put blocks in place in the tcp.smtp and also running iptables so I put in place ACLs to DROP the connection for the IP blocks. As I continue to watch this, I've noticed they moved to LACNIC and certain IPs that are in North America (including Canada). I've blocked some others by adding in tcp.smtp entries with a bounce message to email me at an external address "if this is in error".

A great deal came from within Road Runner and.. EarthLink. So I blocked these servers for a period of time until it calmed down and they moved off. Yes, I've already notified both providers, but I believe that it's due to the botnets.

> Null sender is your least of worries. You sure you
> haven't opened up your server for relay?

I checked that once I set up the server. It was tested and passed as NOT an open relay.

> What's in /home/vpopmail/etc/tcp.smtp?

Tons of things... here is a sample:

127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
195.:allow,RBLSMTPD="-Connections from this IP have been banned If this is en error, please send an email to [ external address at yahoo.com ]"
.ch:allow,RBLSMTPD="-Connections from this IP have been banned If this is en error, please send an email to [ external address at yahoo.com ]"

I'm using iptables for blocks of IPs, example:

-A RH-Firewall-1-INPUT -s 150.1.0.0/16 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP
-A RH-Firewall-1-INPUT -s 150.2.0.0/15 -m state --state NEW -m tcp -p tcp --dport ! 80 -j DROP

This drops connections before tcp.smtp and can log them as well. In the samples, I do not show the LOGging. I am using the tcp.smtp for those IPs and addresses that possibly could be reopened and the iptables ACL for those I know I permanently do not want.

Thanks for the reply.

Nitch.

> HTH
> Harman