> The term coined for this type of mail is "backscatter".
> 
> There is no easy solution for this.  The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense.  The article:
> 
> http://www.postfix.org/BACKSCATTER_README.html
> 
> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. [EMAIL PROTECTED], and
> you have [EMAIL PROTECTED] accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
> 
> This, of course, has a wonderful side effect: spammers now have a way to
> detect which Email addresses on your box legitimately accept mail; thus,
> once they find one that never gets a bounceback, they will start pounding
> that address to kingdom come.
> 
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.
> 

The following doesn't fix the problem but it does help mitigate the deluge.  We
use a Perl script to tail our maillogs looking for any source IP that tries to
send mail to more than 4 invalid addresses.  When flagged, that IP is then
added to a PF table that blocks the address and issues RSTs for 12 hours.  Of
course, we also have a whitelist for "valid" SMTP servers.  Like I said, it
doesn't catch it all, but it catches *a lot* and generates almost no
complaints.  This does help obfuscate the valid/invalid addresses because all
mail is accepted as far as the sender is concerned until the IP is blocked at
the network layer.

The usual complaint is from a remote office that has 12 real estate agents
behind a single IP, all with Outlook set to check mail "sooner than now."  :-)

Mike
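
Mike's Perl script is not included in the thread; the block below is an added Python sketch of the same detection logic (not the poster's code), run over constructed Postfix-style log lines. The rejection regex, the whitelist network and the PF table name `backscatter` are assumptions; the `pfctl` commands are returned as strings, not executed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches Postfix smtpd "User unknown" recipient rejections (assumed log wording).
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]:"
    r" 550 .*?Recipient address rejected: User unknown"
)
# Hypothetical whitelist of "valid" SMTP relays that must never be blocked.
WHITELIST = [ip_network("198.51.100.0/24")]
THRESHOLD = 4               # more than 4 invalid recipients flags the IP
BLOCK_SECONDS = 12 * 3600   # 12-hour block, enforced via table expiry

def invalid_rcpt_counts(lines):
    """Count unknown-recipient rejections per client IP."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def is_whitelisted(ip):
    return any(ip_address(ip) in net for net in WHITELIST)

def offenders(lines, threshold=THRESHOLD):
    """IPs over the threshold that are not whitelisted, sorted for stable output."""
    return sorted(ip for ip, n in invalid_rcpt_counts(lines).items()
                  if n > threshold and not is_whitelisted(ip))

def pf_commands(ips, table="backscatter"):
    """pfctl lines to add offenders to the table; pair with a pf.conf rule such as
    'block return in quick from <backscatter>' so blocked hosts get RSTs, and run
    'pfctl -t backscatter -T expire 43200' from cron to drop entries after 12 h."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

def _reject(ip, rcpt):
    # Constructed sample line in Postfix smtpd format (not a real log).
    return (f"Jan 12 10:15:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<> to=<{rcpt}>")

SAMPLE_LOG = (  # constructed: one offender, one under threshold, one whitelisted
    [_reject("203.0.113.5", f"bogus{i}@example.com") for i in range(5)]
    + [_reject("203.0.113.9", f"old{i}@example.com") for i in range(2)]
    + [_reject("198.51.100.7", f"x{i}@example.com") for i in range(6)]
    + ["Jan 12 10:15:02 mx postfix/smtpd[1234]: connect from relay[203.0.113.9]"]
)

if __name__ == "__main__":
    for cmd in pf_commands(offenders(SAMPLE_LOG)):
        print(cmd)   # prints: pfctl -t backscatter -T add 203.0.113.5
```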
