On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> --- ram <[EMAIL PROTECTED]> wrote:
>
> > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > Not sure if this is connected to my aggressive smtp connection
> > > rejection campaign over the past week, but we've been hit for the
> > > first time in many months with a backscatter spam attack.
> > > Spammer(s) use random addresses with our domain for their spamming
> > > so we get the flood (13000+ since midnight) of bounces.
> > >
> > > Is there a good way to deal with this? 70-80% are getting caught by
> > > spamassassin, but there are still thousands that get through and I
> > > have to filter manually (maildrop). Also, I hate the servers that
> > > just keep the subject line intact when they bounce a message because
> > > I can't figure out how to filter those. As it is I'm already
> > > filtering over 30 different subject line types to catch different
> > > types of bounces. And how do I find the legitimate bounces in that
> > > haystack? It's a lot of fun!
> > >
> > > Thanks.
> >
> > 1) Verify recipient addresses
> > 2) Add SPF records for your domain. And blacklist those servers who
> > accept forged mails from your domain and bounce them
> > 3) If you are suddenly facing a flush of Mailer-"Demons" give a
> > TEMPFAIL for <> , not a great idea but sometimes you have to do this
> > to save your mail server :-)
>
> Thanks Ram. Not sure how to implement recipient verification with my
> setup, but I'll look into it. I have an SPF record for my domain
> installed afaik and I'm using the plugin for spamassassin that scores
> non-spf emails. When these types of attacks happen we get about 15,000
> bounces per day so I don't know how to blacklist every server that
> sends bounces without looking at the ip address of every email.

No, your bounces will not be non-SPF mails. They will be from <>, which you must accept.

Adding SPF checks allows servers not to accept forged messages from your domain; if they still do and they plan to send you NDRs, IMHO you have every right to blacklist them (YMMV).

Blacklisting usually is best done at the firewall. A 10-liner Perl script will give you all IPs; simply drop packets at your firewall for such IPs and keep refreshing the lists.

Recipient address verification is an *Absolute must*. If you don't do that you will get your own server into trouble and get them listed in all RBLs.

Just like you are cursing mailservers that are flooding you with backscatter, your server too may be generating backscatter for others. Don't be a part of the problem, please.

Thanks
Ram
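
One way to build the IP list described in the reply above, as an added example that is not part of the original thread and is written in Python rather than Perl. It assumes a Postfix-style smtpd reject log (the thread does not name the MTA) with recipient verification already rejecting unknown users; the sample lines, addresses and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd reject format (assumed MTA).
# All IPs and domains are documentation/example values.
SAMPLE_LOG = """\
Apr  9 07:01:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qzx1@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<qzx1@example.org> proto=ESMTP helo=<mail.example.net>
Apr  9 07:01:15 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bkw7@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<bkw7@example.org> proto=ESMTP helo=<mail.example.net>
Apr  9 07:01:19 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <tt90@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<tt90@example.org> proto=ESMTP helo=<mail.example.net>
Apr  9 07:02:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.7]: 550 5.1.1 <old.user@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<old.user@example.org> proto=ESMTP helo=<mx.example.com>
Apr  9 07:03:02 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <a1@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<a1@example.org> proto=SMTP helo=<pc>
Apr  9 07:03:03 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <a2@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<a2@example.org> proto=SMTP helo=<pc>
Apr  9 07:03:04 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <a3@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<a3@example.org> proto=SMTP helo=<pc>
Apr  9 07:04:00 mx postfix/smtpd[2111]: connect from mail.example.net[192.0.2.10]
"""

# Match only 550 rejections at RCPT time and capture client IP, envelope
# sender and recipient. An empty sender (from=<>) marks a bounce/NDR.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def backscatter_sources(log_text, min_hits=3):
    """Return {ip: count} for hosts that sent at least min_hits null-sender
    (<>) messages to recipients rejected as nonexistent. The threshold keeps
    a server that sent one stray bounce off the blocklist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("sender") == "":
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    # One "ip<TAB>count" line per candidate, ready to feed a firewall list.
    for ip, n in sorted(backscatter_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{n}")
```

Legitimate bounces go to addresses that exist and so never appear in the reject log, which is why counting only rejected null-sender deliveries separates backscatter sources from ordinary NDR traffic.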