On 4/9/2013 9:38 PM, Alex wrote: > Hi all, > > I've had a few users lately complain about possible backscatter. I > found Justin's blog post from way back in 2007 about VBounce. It's > always been enabled, but I didn't realize it needed a special > config file variable to be set in order to be utilized properly. > His article is here: > > http://taint.org/2007/05/30/164456a.html > > Anyway, I notice several rules from 20_vbounce.cf > <http://20_vbounce.cf> have been triggered, despite not having set > whitelist_bounce_relays properly yet. To set this variable up > properly, would I just include the hosts listed in the SPF record > for the domain?
That seems to work for me. > We have two specific hosts for outbound mail, but they are not the > MXs. I was concerned about legitimate third-party mail sent on > behalf of our domain being blocked because it wasn't listed in > whitelist_bounce_relays. > > He's also made several recommendations for postfix header checks, > but they seem to match every MAILER-DAEMON message I've received, > not just those that are backscatter. If you're in the middle of a backscatter storm, it's not unreasonable to reject all MAILER-DAEMON messages as an emergency measure. But rejecting all bounces is not a good idea for normal operations. Some header_checks that should be suitable for long-term use are described in: http://www.postfix.org/BACKSCATTER_README.html -- Noel Jones
