[nflug] Forged mail header bounces up exponentially

Darin Perusich Darin.Perusich at cognigencorp.com
Tue Apr 29 09:46:22 EDT 2008


This is a good place to start, though the document is a few years old.
http://www.postfix.org/BACKSCATTER_README.html

On my internet MX servers the Postfix UCE policy I've configured is very 
restrictive; basically, if the connecting host isn't following the RFCs, I 
reject the email. Because I'm not an ISP I'm allowed to be more 
restrictive with what I allow in, and I also have the backing of 
management on this policy, which is vitally important. In instances when 
mail is being bounced from a legitimate sender we work with the sender's 
IT staff to "fix their problem", and it's always their problem! Usually 
the problem is improperly configured DNS entries.

Some of the Postfix main.cf values I've set. If you want further 
information on the various values drop them into the search engine at 
http://www.postfix.org.

# Sender domain must exist in DNS; the access map can whitelist or blacklist
# specific senders (check_sender_access is the explicit form of the bare
# hash: table shorthand).
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access,
        reject_unknown_sender_domain
# Reject clients whose IP has no PTR record, or whose PTR name does not
# resolve back to the client IP; our own networks are exempt.
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
# Require HELO/EHLO and reject a syntactically invalid hostname in it.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
# Require <> around MAIL FROM / RCPT TO addresses and no RFC 822 comments
# or phrases inside them.
strict_rfc821_envelopes = yes
# Evaluated once per RCPT TO, and order matters: the four reject_* lines
# above permit_mynetworks also apply to our own hosts, permit_mynetworks
# must precede reject_unauth_destination so our own hosts can relay out,
# and the DNSBL lookups come last so the cheaper local checks reject first.
# The zone names are as of this 2008 post; confirm each list is still
# operated before using it.
smtpd_recipient_restrictions =
         reject_non_fqdn_sender,
         reject_non_fqdn_recipient,
         reject_unknown_sender_domain,
         reject_unknown_recipient_domain,
         permit_mynetworks,
         reject_unauth_destination,
         reject_unauth_pipelining,
         reject_invalid_hostname,
         reject_non_fqdn_hostname,
         reject_rbl_client sbl-xbl.spamhaus.org,
         reject_rbl_client list.dsbl.org,
         permit

Cyber Source wrote:
> We use postfix, but how does this stop that behavior?
> 
> Darin Perusich wrote:
>> I'd call that an ongoing issue ;-).
>>
>> What MTA are you using? If you're using Postfix I can share the 
>> main.conf for my MX servers and internal relay servers.
>>
>> Erek Dyskant wrote:
>>> Howdy All,
>>>     A whole lot of our customers are having their email addresses 
>>> forged to
>>> be used as from addresses in spam attacks.  As a result, we're getting
>>> hammered with a truly amazing number of bounce messages.
>>>     I've always seen this happen once a month or every other month, but
>>> now I'm seeing it maybe once a day for a different customer.
>>>     Are any of the mail admins here on the list experiencing similar
>>> problems over the last few weeks, and if so, how are you addressing
>>> them?
>>
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
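The restrictions above control what the MX accepts; the bounce flood in the original question is handled by the separate header_checks/body_checks approach in the BACKSCATTER_README linked at the top of this message. As an added example that is not from the original post or from Postfix's documentation, the Python below applies that README's logic to constructed bounce messages: a bounce is rejected when the copy of the "original" inside it carries Received: or Message-ID: headers our own servers could never have produced. The domain example.com, the hosts mx1/mx2.example.com, the remote MTA and all three sample messages are assumptions made for this example. It generalises the README's bare-domain patterns slightly: any relay name inside our domain that is not one of our listed mail hosts is also treated as forged.

```python
"""Backscatter classifier modelled on the header rules in Postfix's
BACKSCATTER_README: a bounce is backscatter when the copy of the "original"
inside it carries headers our own mail servers could never have produced.
Site names, hosts and every message below are constructed for this example."""
from __future__ import annotations
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed (hypothetical) site: the bare domain and the real host names our MTAs
# stamp into Received:/Message-ID:. Every host that adds a Received: line to
# outbound mail must be listed, or genuine bounces of its mail get rejected.
OUR_DOMAIN = "example.com"
OUR_MAIL_HOSTS = {"mx1.example.com", "mx2.example.com"}
HOST = r"[A-Za-z0-9.-]+"


def forged_reason(name: str, value: str) -> str | None:
    """Why this Received:/Message-ID: header cannot be ours, or None if it can.
    Our servers identify by FQDN, so the bare domain as client or relay name, or
    a relay in our domain that is not a listed mail host, is forged. The
    Message-ID rule assumes (verify on your own outbound mail first!) that our
    MTAs and clients never generate IDs at the bare domain."""
    value = " ".join(value.split())  # join folded continuation lines
    name = name.lower()
    if name == "received":
        m = re.search(rf"\bfrom ({HOST})", value)
        if m and m.group(1).lower() == OUR_DOMAIN:
            return f"forged client name in Received: header: {m.group(1)}"
        for host in re.findall(rf"\bby ({HOST})", value):
            h = host.lower()
            if h == OUR_DOMAIN or (h.endswith("." + OUR_DOMAIN) and h not in OUR_MAIL_HOSTS):
                return f"forged mail server name in Received: header: {host}"
    elif name == "message-id":
        m = re.search(rf"@({HOST})", value)
        if m and m.group(1).lower() == OUR_DOMAIN:
            return f"forged domain name in Message-ID: header: {m.group(1)}"
    return None


def header_lines(text: str):
    """Yield (name, value) for header-looking lines pasted into a text body
    (non-MIME bounces do this), joining RFC 5322 continuation lines."""
    current = None
    for line in text.splitlines() + [""]:
        if current and line[:1] in (" ", "\t"):
            current[1] += " " + line.strip()
            continue
        if current:
            yield current[0], current[1]
            current = None
        m = re.match(r"(Received|Message-ID):\s*(.*)", line, re.I)
        if m:
            current = [m.group(1), m.group(2)]


def bounce_reasons(raw: bytes) -> list[str]:
    """Check what Postfix header_checks + nested_header_checks see (top level,
    every MIME part, an attached message/rfc822 original) and, as body_checks
    would, header lines inside text bodies. An empty list means accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        candidates = [(n, str(v)) for n, v in part.items()]
        if part.get_content_type() == "text/plain":
            candidates += list(header_lines(part.get_content()))
        reasons += [r for r in (forged_reason(n, v) for n, v in candidates) if r]
    return reasons


def build_original(client: str, msgid_host: str) -> EmailMessage:
    """Constructed copy of the 'original' as the remote MTA received it."""
    orig = EmailMessage()
    orig["Received"] = (f"from {client} (unknown [192.0.2.10]) by mail.remote.example.net "
                        "(Postfix) with ESMTP id 4B3F1; Tue, 29 Apr 2008 09:00:00 -0400")
    orig["From"] = "victim@example.com"
    orig["To"] = "nobody@remote.example.net"
    orig["Message-ID"] = f"<20080429130000.GA4242@{msgid_host}>"
    orig.set_content("buy now\n")
    return orig


def build_mime_bounce(original: EmailMessage) -> bytes:
    """Constructed DSN: a text part plus the original as a message/rfc822 part."""
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@mail.remote.example.net"
    bounce["To"] = "victim@example.com"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("This is the mail system at host mail.remote.example.net.\n")
    bounce.add_attachment(original)
    return bounce.as_bytes()


# Spammer forged victim@example.com and named the bare domain everywhere.
BACKSCATTER = build_mime_bounce(build_original("example.com", "example.com"))
# Genuine bounce of a message our own mx1 really sent.
LEGIT = build_mime_bounce(build_original("mx1.example.com", "mx1.example.com"))
# Old-style non-MIME bounce with the original's headers pasted into the body.
PLAIN_BACKSCATTER = (
    "From: MAILER-DAEMON@mail.remote.example.net\nTo: victim@example.com\n"
    "Subject: failure notice\n\nSorry, we could not deliver your message.\n\n"
    "--- Below this line is a copy of the message.\n\n"
    "Received: from relay.attacker.example ([198.51.100.7])\n"
    "\tby example.com with SMTP; Tue, 29 Apr 2008 09:00:00 -0400\n"
    "From: victim@example.com\nMessage-ID: <1209474000.1234@relay.attacker.example>\n"
).encode()
```

bounce_reasons(BACKSCATTER) returns two reasons (forged client name and forged Message-ID domain), bounce_reasons(PLAIN_BACKSCATTER) one (forged relay name found in the pasted headers), and bounce_reasons(LEGIT) an empty list. In Postfix itself the same logic is written as regexp tables in header_checks (applied to the attached original through nested_header_checks) and body_checks, and the patterns must be tested against your own outbound mail before deployment: any rule that also matches genuine mail from your site will silently discard legitimate bounces.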

