On 11 July 2024 20:01:17 UTC, user Jesse Hathaway via mailop <mailop@mailop.org> wrote:
> 1. Why are the non-delivery notifications sent to <postmas...@wikimedia.org> rather than to <w...@wikimedia.org>?

NDRs have to be sent to the Return-Path of the original message, thus it depends on what was in its MAIL FROM. IMO including a foreign (Google) IP range opens a big hole in SPF. Do you see in the bounces from what IP the original was sent?

> 2. Does the backscatter email show evidence of misconfiguration on my side?

Backscatter is the fault of the NDR's sending MTA/MSA, which doesn't properly verify the Return-Path, or accepts mail and then fails to deliver it (instead of rejecting at SMTP time). You didn't reveal the sending host, but if it is not your host, it is not your mistake. You are just a victim.

> 3. What mitigations do folks recommend to drop these types of messages?

As I see it, neither SPF nor DMARC is helping you, and they will not help if the remote MTA doesn't reject on that basis. There are public RBLs which contain backscatter MTAs; I don't use any, thus I cannot comment on their quality.

BATV was invented to solve that problem: you sign your own Return-Path and then check this signature in bounces, and reject when a bounce (NDR) is sent to an unsigned RCPT, as a bounce to a message not sent by you. But it was never standardised and is not always applicable (I use it). If you decide to apply it, do it in two stages: first start to sign the Return-Path and then, after some days, start rejecting (to allow receiving bounces for not-yet-signed messages). You can temporarily reject unsigned bounces in between, but if you are under attack, it will do more harm than help.

Don't be afraid to apply a ratelimit for bounces by recipient address.

regards

-- 
Slavko
https://www.slavino.sk/
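As an added example (not part of the list post), a minimal BATV-style Return-Path signer and bounce verifier in Python, modelled on the prvs tag format, with the two deployment stages Slavko describes: sign only, then enforce. The secret key, key id, validity window and addresses are constructed for the example.

```python
import hashlib
import hmac
import re
import time

# Constructed keys for the example; a real MTA would load these from a key store.
# The single-digit key id lets you rotate keys without breaking in-flight bounces.
KEYS = {"0": b"example-batv-secret-key"}
ACTIVE_KEY = "0"
VALIDITY_DAYS = 7

# prvs=KDDDSSSSSS=original-address  (K key id, DDD expiry day mod 1000, SSSSSS 6 hex chars of HMAC)
PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+)$", re.I)

def _day(now=None):
    return int((time.time() if now is None else now) // 86400)

def _tag_sig(key_id, ddd, orig_addr):
    mac = hmac.new(KEYS[key_id], f"{key_id}{ddd}{orig_addr.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]

def sign_return_path(addr, now=None):
    """Rewrite user@example.org into prvs=KDDDSSSSSS=user@example.org (stage 1 and 2)."""
    ddd = f"{(_day(now) + VALIDITY_DAYS) % 1000:03d}"
    return f"prvs={ACTIVE_KEY}{ddd}{_tag_sig(ACTIVE_KEY, ddd, addr)}={addr}"

def verify_return_path(rcpt, now=None):
    """Classify the RCPT of an incoming null-sender bounce: valid, expired, bad-signature or unsigned."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return "unsigned", rcpt
    k, ddd, sig, orig = m["k"], m["ddd"], m["sig"].lower(), m["orig"]
    if k not in KEYS or not hmac.compare_digest(sig, _tag_sig(k, ddd, orig)):
        return "bad-signature", orig
    # Expiry is stored mod 1000 days; a tag is live only while it lies within the window ahead of today.
    if (int(ddd) - _day(now) % 1000) % 1000 > VALIDITY_DAYS:
        return "expired", orig
    return "valid", orig

def bounce_action(rcpt, enforce, now=None):
    """Stage 1 (enforce=False): accept all bounces while tags propagate. Stage 2: reject non-valid ones."""
    status, _ = verify_return_path(rcpt, now)
    return "accept" if status == "valid" or not enforce else "reject"
```

Apply bounce_action only to messages with an empty MAIL FROM (real NDRs); normal mail to the unsigned address must still be accepted.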