On 06/11/2010 08:00 PM, motty.cruz wrote:

*From:* owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] *On Behalf Of *Jeroen Geilman
*Sent:* Friday, June 11, 2010 10:32 AM
*To:* postfix-users@postfix.org
*Subject:* Re: how to stop backscatter without check headers

On 06/11/2010 04:40 PM, motty.cruz wrote:

*From:* owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] *On Behalf Of *Jeroen Geilman
*Sent:* Thursday, June 10, 2010 4:02 PM
*To:* postfix-users@postfix.org
*Subject:* Re: how to stop backscatter without check headers

On 06/11/2010 12:44 AM, motty.cruz wrote:

Is there a best way to stop backscatter spam without using check headers? Traffic is too heavy to use check headers + we received email for three different domains.

Using postfix 2.6.

Thanks,

motty


To stop backscatter spam, don't accept mail you cannot deliver.

That is a very smart answer, please pardon my stupidity.


Header_checks are trivially spoofed.

J.


Spammers spoof the "from" and gets redirected to "user" in my domain? How do you fight that?


I don't understand what you mean.

I'm sorry for not being specific,


If spammers spoof the envelope sender, header_checks will not help you.

I know header_checks won't work; that's the reason I posted this question. I have read http://www.postfix.org/BACKSCATTER_README.html but either I did not fully understand its contents or it did not help me with my issue.


If spammers spoof the sender header, well, postfix doesn't look at From: headers.
J.

Here is my postconf -n; am I missing something?

host# postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alternate_config_directories = /usr/local/etc/postfix-out
anvil_rate_time_unit = 2s
biff = no
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 1s
local_recipient_maps = hash:/usr/local/etc/postfix/userdb, hash:/usr/local/etc/postfix/uservirt
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 50000000
mydestination = foo1.com, foo2.com, foo3.com
myhostname = host.foo1.com
mynetworks = 127.0.0.0/8, 192.168.1.1/32
myorigin = foo1.com
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/usr/local/etc/postfix/relay_domains
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = host.foo1.com
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_helo_hostname
smtpd_sender_restrictions = hash:/usr/local/etc/postfix/access
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

header of spoof sender

Return-Path: <u...@foo1.com>
Received: from [89.216.172.32] (cable-89-216-172-32.dynamic.sbb.rs [89.216.172.32])
            by host.foo.com (Postfix) with ESMTP id B009FB8AF
            for <u...@foo.com>; Fri, 28 May 2010 11:40:31 -0700 (PDT)
From: GenuineViagraOnline dealer <u...@foo.com>
To: u...@foo.com
Subject: Prices go down for user_lastname! 75% off. Sites and and
Date: Fri, 28 May 2010 20:40:43 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit


A combination of a good RBL such as zen.spamhaus.org and a content scanner such as amavisd-new and/or spamassassin usually catches most of these.

Header spoofing is not preventable - such is the life of the mail admin.

J.

Any suggestions, advice welcome,

-motty

From: Mail Delivery Subsystem [mailto:mailer-dae...@smtp.newsguy.com]
Sent: Thursday, June 10, 2010 1:28 AM
To: u...@obscure.com
Subject: Returned mail: see transcript for details

The original message was received at Thu, 10 Jun 2010 01:28:19 -0700 (PDT) from [124.217.198.141]

----- The following addresses had permanent fatal errors -----
<eri...@newsguy.com>
    (reason: Can't create output)

----- Transcript of session follows -----
550 5.0.0 <eri...@newsguy.com>... Can't create output
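
Added example, not part of the thread and not Postfix project code: the "don't accept mail you cannot deliver" advice expressed as a check over `postconf -n` output. It relies on Postfix's documented behaviour that an empty recipient map turns off unknown-recipient rejection for that address class; the sample input is constructed from settings quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in `postconf -n` format, modelled on settings quoted in the thread.
SAMPLE = """\
local_recipient_maps = hash:/usr/local/etc/postfix/userdb, hash:/usr/local/etc/postfix/uservirt
mydestination = foo1.com, foo2.com, foo3.com
relay_domains = hash:/usr/local/etc/postfix/relay_domains
"""


def parse_postconf(text):
    """Parse 'name = value' lines into a dict; an explicit empty value is kept as ''."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def audit(params):
    """Return findings for address classes where unknown recipients are accepted."""
    findings = []
    # Local class: `postconf -n` omits defaults, so a missing key means the
    # built-in lookup is active. Only an explicit empty value turns it off.
    if params.get("local_recipient_maps") == "":
        findings.append("local_recipient_maps is empty: unknown local users are accepted")
    # Relay class: relay_recipient_maps is empty by default, so relay domains
    # configured without it accept any recipient; undeliverable ones are then
    # bounced after acceptance, to whatever envelope sender was supplied.
    if params.get("relay_domains") and not params.get("relay_recipient_maps"):
        findings.append("relay_domains set without relay_recipient_maps: "
                        "unknown relay recipients are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print("WARN", finding)
```

The check only covers the local and relay address classes that appear in the posted configuration, and it flags `relay_domains` only when it is set explicitly.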

