I'm running a system with about 300 users. I run pflogsumm every night to generate mail log stats. The bounce detail lists 300 - 400 servers rejecting mail because the user is unknown. The vast majority of servers have 1 or 2 such rejections. This puzzles me. My users can't possibly be sending out that many mistyped addresses.

Upon further investigation, I have found that what is happening is that this is essentially backscatter from forwarded spam. When one of my users sets up a forward or if we configure an alias for them, spam is just sent off to their new address. If the server at the new address rejects it as spam, as it should, my mta tries to bounce it back to the original recipient which, of course, is made up.

Get it? Somebody tries to spam [EMAIL PROTECTED] and user12 has his mail forwarded to his gmail account. Gmail detects the spam, rejects the message and my mta then generates a bounce back to the original forged from address.

I don't see anything in the backscatter howto about this. I believe my machine is properly configured to not generate normal (for lack of a better term) backscatter. I mean, it doesn't bounce incoming spam. But this is almost like spam coming from inside my own system.
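The pattern described in this post (a forward or alias re-sends an accepted message, the remote host rejects it after DATA, and the local MTA bounces to the forged sender) can be confirmed from the mail log itself rather than from pflogsumm's per-host totals. The following is an added example, not code from the original post or from the pflogsumm project: it parses Postfix-style `status=bounced` lines and separates bounces caused by forwarding (an `orig_to=` field from a virtual-alias rewrite, or a queue id that an earlier local(8) line reported as "forwarded as") from bounces of mail a local user actually addressed. The log lines are constructed for the example, with example.org as the local domain and documentation IP ranges; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample Postfix log excerpt (not taken from the original post).
# Lines 1 and 4: virtual-alias forwards (orig_to= present) rejected as spam by the remote host.
# Lines 2-3: a .forward/alias handled by local(8) ("forwarded as" a new queue id), then the
#            new message rejected as spam by the remote host.
# Line 5: a genuine typo by a local user, bounced directly (no forwarding involved).
SAMPLE_LOG = """\
Mar  3 02:11:09 mx postfix/smtp[4120]: 7A1C2B: to=<user12@gmail.example>, orig_to=<user12@example.org>, relay=gmail-smtp-in.example[203.0.113.27]:25, delay=1.2, delays=0.1/0/0.4/0.7, dsn=5.7.1, status=bounced (host gmail-smtp-in.example[203.0.113.27] said: 550-5.7.1 message rejected as spam (in reply to end of DATA command))
Mar  3 02:12:40 mx postfix/local[4105]: 1F2E3D: to=<bob@example.org>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=2.0.0, status=sent (forwarded as 5C6D7E)
Mar  3 02:12:41 mx postfix/smtp[4122]: 5C6D7E: to=<bob@isp.example>, relay=mx.isp.example[198.51.100.8]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=5.7.1, status=bounced (host mx.isp.example[198.51.100.8] said: 554 5.7.1 Spam detected (in reply to end of DATA command))
Mar  3 02:15:02 mx postfix/smtp[4127]: 3B4C5D: to=<alice@gmail.example>, orig_to=<alice@example.org>, relay=gmail-smtp-in.example[203.0.113.27]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=5.7.1, status=bounced (host gmail-smtp-in.example[203.0.113.27] said: 550-5.7.1 message rejected as spam (in reply to end of DATA command))
Mar  3 02:17:55 mx postfix/smtp[4130]: 8D9E0F: to=<jonh@partner.example>, relay=mx.partner.example[192.0.2.44]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=5.1.1, status=bounced (host mx.partner.example[192.0.2.44] said: 550 5.1.1 <jonh@partner.example>: Recipient address rejected: User unknown (in reply to RCPT TO command))
"""

# One delivery-agent log line: queue id, recipient, optional orig_to, relay, status, detail.
LINE_RE = re.compile(
    r"postfix/(?P<prog>smtp|lmtp|local|virtual)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<to>[^>]*)>,(?: orig_to=<(?P<orig_to>[^>]*)>,)? relay=(?P<relay>[^,]+),.*?"
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# local(8) reports a .forward/alias delivery as a brand-new queued message.
FWD_RE = re.compile(r"forwarded as (?P<newqid>[0-9A-Za-z]+)")


def classify_bounces(log_text):
    """Split bounced deliveries into forward-induced and direct ones."""
    forwarded_ids = {}          # new queue id -> local recipient whose forward created it
    forward_induced, direct = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["status"] == "sent":
            f = FWD_RE.search(m["detail"])
            if f:
                forwarded_ids[f["newqid"]] = m["to"]
            continue
        if m["status"] != "bounced":
            continue
        rec = {
            "qid": m["qid"],
            "to": m["to"],
            # the local address that was rewritten or forwarded, if any
            "local_recipient": m["orig_to"] or forwarded_ids.get(m["qid"]),
            "relay_host": m["relay"].split("[")[0],
            "detail": m["detail"],
        }
        (forward_induced if rec["local_recipient"] else direct).append(rec)
    return {"forward_induced": forward_induced, "direct": direct}


def summarize(log_text):
    """Counts plus which remote hosts reject forwarded mail and which local addresses forward it."""
    c = classify_bounces(log_text)
    return {
        "forward_induced": len(c["forward_induced"]),
        "direct": len(c["direct"]),
        "rejecting_hosts": Counter(r["relay_host"] for r in c["forward_induced"]),
        "local_recipients": sorted({r["local_recipient"] for r in c["forward_induced"]}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"forward-induced bounces: {s['forward_induced']}, direct bounces: {s['direct']}")
    for host, n in s["rejecting_hosts"].most_common():
        print(f"  {host}: {n} rejection(s) of forwarded mail")
    print("forwarding addresses involved:", ", ".join(s["local_recipients"]))
```

Run against the real log (for example `summarize(open('/var/log/mail.log').read())`), this tells you how many of the "user unknown" and spam rejections pflogsumm reports originate from forwards and which local addresses are involved. The caveat the log makes visible: every forward-induced bounce is for a message the local MTA had already accepted, so the remote host's rejection can only become a bounce to the forged sender; the bounce is avoidable only by rejecting or filtering the message before it is accepted for forwarding.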

