[nflug] Forged mail header bounces up exponentially

Erek Dyskant erek at blumenthals.com
Tue Apr 29 12:47:14 EDT 2008


Darin,
	Thanks!  Sadly I have to be more permissive with mail, as I'm an ISP
and users would rather have their mail.  I've got way too much volume
and frankly too little time allowance/customer to help every sender fix
their bad DNS.
	I do reject when the forward DNS doesn't match the reverse, but I
maintain a whitelist when customers complain (and will sometimes send an
email off to their IT department).  I also reject when the SpamAssassin
score is astronomical (sender present in many DNS blacklists, contains
blacklisted URLs, or matches many content rules).  Starting soon I'm
going to do spam preprocessing before mail hits the servers, mainly
implementing the same rules but to shift the CPU load off my primary
boxes.
	It's interesting that you're an IT consumer who hosts your own mail.
That's becoming a bit of an exception these days, although it sounds
like you've got a lot of technical backing and a desire to control your
own destiny mail-wise.

Cheers,
Erek


On Tue, 2008-04-29 at 09:46 -0400, Darin Perusich wrote:
> This is a good place to start though the document is a few years old.
> http://www.postfix.org/BACKSCATTER_README.html
> 
> On my internet MX servers the Postfix UCE policy I've configured is very 
> restrictive; basically if the connecting host isn't following the RFCs 
> I reject email. Because I'm not an ISP I'm allowed to be more 
> restrictive with what I allow in, and I also have the backing of 
> management on this policy, which is vitally important. In instances when 
> mail is being bounced from a legitimate sender we work with the sender's 
> IT staff to "fix their problem", and it's always their problem! Usually 
> the problem is improperly configured DNS entries.
> 
> Some of the Postfix main.cf values I've set. If you want further 
> information on the various values drop them into the search engine at 
> http://www.postfix.org.
> 
> smtpd_sender_restrictions = hash:/etc/postfix/access, 
> reject_unknown_sender_domain
> smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
> strict_rfc821_envelopes = yes
> smtpd_recipient_restrictions =
>          reject_non_fqdn_sender,
>          reject_non_fqdn_recipient,
>          reject_unknown_sender_domain,
>          reject_unknown_recipient_domain,
>          permit_mynetworks,
>          reject_unauth_destination,
>          reject_unauth_pipelining,
>          reject_invalid_hostname,
>          reject_non_fqdn_hostname,
>          reject_rbl_client       sbl-xbl.spamhaus.org
>          reject_rbl_client       list.dsbl.org
>          permit
> 
> Cyber Source wrote:
> > We use postfix, but how does this stop that behavior?
> > 
> > Darin Perusich wrote:
> >> I'd call that an ongoing issue ;-).
> >>
> >> What MTA are you using? If you're using Postfix I can share the 
> >> main.conf for my MX servers and internal relay servers.
> >>
> >> Erek Dyskant wrote:
> >>> Howdy All,
> >>>     A whole lot of our customers are having their email addresses 
> >>> forged to
> >>> be used as from addresses in spam attacks.  As a result, we're getting
> >>> hammered with a truly amazing number of bounce messages.
> >>>     I've always seen this happen once a month or every other month, but
> >>> now I'm seeing it maybe once a day for a different customer.
> >>>     Are any of the mail admins here on the list experiencing similar
> >>> problems over the last few weeks, and if so, how are you addressing
> >>> them?
> >>
> > _______________________________________________
> > nflug mailing list
> > nflug at nflug.org
> > http://www.nflug.org/mailman/listinfo/nflug
> 
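Erek's policy above (reject when the forward DNS does not match the reverse, but keep a local whitelist for senders who complain) is the same forward-confirmed reverse DNS test that `reject_unknown_client` performs in Darin's Postfix config. The following is an added example, not code from the thread or from Postfix: it implements that check in Python with an injectable lookup function, so the constructed in-memory DNS table (made-up names in the RFC 5737 documentation address ranges) lets it run offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) client check with a whitelist.

Added example for this thread, not code from the list or from Postfix.
It models the policy Erek describes: reject a connecting client whose
reverse DNS does not resolve back to its own IP, unless the client IP is
on a locally maintained whitelist. Postfix's reject_unknown_client (in
Darin's config) performs the same forward/reverse consistency test.
Lookups are injectable so the constructed in-memory DNS table below lets
the check run offline; all names and addresses are made up.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample DNS data (RFC 5737 documentation ranges, not real hosts).
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],       # PTR and A agree
    "192.0.2.20": ["mx.example.org."],         # PTR exists, A points elsewhere
    "192.0.2.30": [],                          # no PTR record at all
    "192.0.2.40": ["relay.partner.example."],  # broken DNS but whitelisted
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "mx.example.org.": ["198.51.100.5"],
    # relay.partner.example. deliberately has no A record
}


def sample_ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a PTR query, answered from the constructed table."""
    return SAMPLE_PTR.get(ip, [])


def sample_a_lookup(name: str) -> List[str]:
    """Stand-in for an A query, answered from the constructed table."""
    return SAMPLE_A.get(name, [])


class ClientPolicy:
    """Decide PERMIT/REJECT for a connecting SMTP client IP."""

    def __init__(
        self,
        whitelist: Iterable[str] = (),
        ptr_lookup: Callable[[str], List[str]] = sample_ptr_lookup,
        a_lookup: Callable[[str], List[str]] = sample_a_lookup,
    ) -> None:
        # Whitelist entries may be single IPs or CIDR blocks.
        self.whitelist = [ipaddress.ip_network(e, strict=False) for e in whitelist]
        self.ptr_lookup = ptr_lookup
        self.a_lookup = a_lookup

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def fcrdns_ok(self, ip: str) -> bool:
        """True if some PTR name for ip has an A record that maps back to ip."""
        return any(ip in self.a_lookup(name) for name in self.ptr_lookup(ip))

    def decide(self, ip: str) -> Tuple[str, str]:
        """Return (action, reason); the whitelist is consulted before DNS."""
        if self.is_whitelisted(ip):
            return ("PERMIT", "whitelisted")
        if not self.ptr_lookup(ip):
            return ("REJECT", "no reverse DNS")
        if not self.fcrdns_ok(ip):
            return ("REJECT", "forward/reverse mismatch")
        return ("PERMIT", "forward-confirmed reverse DNS")


if __name__ == "__main__":
    policy = ClientPolicy(whitelist=["192.0.2.40", "10.0.0.0/8"])
    for client in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "10.1.2.3"]:
        action, reason = policy.decide(client)
        print(f"{client:<12} {action:<7} {reason}")
```

In a real MTA the two lookup callables would be backed by a resolver with a timeout, and a lookup failure (as opposed to an empty answer) should usually produce a temporary 4xx rather than a hard reject, so a transient DNS outage does not become a bounce storm of its own.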