--- ram <[EMAIL PROTECTED]> wrote:

> On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> > --- ram <[EMAIL PROTECTED]> wrote:
> > 
> > > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > > Not sure if this is connected to my aggressive smtp connection rejection
> > > > campaign over the past week, but we've been hit for the first time in
> > > > many months with a backscatter spam attack. Spammer(s) use random
> > > > addresses with our domain for their spamming so we get the flood
> > > > (13000+ since midnight) of bounces.
> > > > 
> > > > Is there a good way to deal with this? 70-80% are getting caught by
> > > > spamassassin, but there are still thousands that get through and I have
> > > > to filter manually (maildrop). Also, I hate the servers that just keep
> > > > the subject line intact when they bounce a message because I can't
> > > > figure out how to filter those. As it is I'm already filtering over 30
> > > > different subject line types to catch different types of bounces. And
> > > > how do I find the legitimate bounces in that haystack? It's a lot of
> > > > fun!
> > > > 
> > > > Thanks.
> > > 
> > > 1) Verify recipient addresses
> > > 2) Add SPF records for your domain. And blacklist those servers who
> > > accept forged mails from your domain and bounce them
> > > 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
> > > for <>, not a great idea but sometimes you have to do this to save
> > > your mail server :-)
> > 
> > Thanks Ram. Not sure how to implement recipient verification with my
> > setup, but I'll look into it. I have an SPF record for my domain
> > installed afaik and I'm using the plugin for spamassassin that scores
> > non-spf emails. When these types of attacks happen we get about 15,000
> > bounces per day so I don't know how to blacklist every server that
> > sends bounces without looking at the ip address of every email.
> 
> 
> No, your bounces will not be non-SPF mails. They will be from <>, which you
> must accept. Adding SPF checks allows servers not to accept forged
> messages from your domain; if they still do and they plan to send you
> NDRs, IMHO you have every right to blacklist them ( YMMV )
> 
> 
> Blacklisting usually is best done at the firewall; a 10-liner Perl script
> will give you all IPs. Simply drop packets at your firewall for such
> IPs and keep refreshing the lists.
> 
> Recipient address verification is an *Absolute must*. If you don't do
> that you will get your own server into trouble and get them listed in
> all RBLs. Just like you are cursing mailservers that are flooding you
> with backscatter, your server too may be generating backscatter for
> others. Don't be a part of the problem, please.

We're using the version of qmail smtp that does rbl checking so
hopefully one of those recipient checking patches will work. I didn't
realize that most people are denying smtp connections for bad
addresses. That's great that this is possible. So most of the people on
this list reject connections that are for bad addresses? That's great.
I think that would cut down the spam we get by 90%. I had no idea this
was possible.
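
An added example, not part of the thread: one way to sort delivered bounces into backscatter and possibly legitimate ones, and to collect the connecting IPs for the firewall list ram describes. It assumes a qmail-style `Received` line, a `Delivered-To` header holding the envelope recipient, and a known set of valid mailboxes; all addresses and messages below are constructed.

```python
import email
import email.utils
import re
from collections import Counter

# Assumption: the complete set of real local mailboxes (constructed sample).
VALID_RCPTS = {"j@example.com", "sales@example.com"}

# Assumed Received layout (qmail style): the peer address sits in its own
# parentheses right before "by". The HELO name is sender-controlled, so it
# is never used as the source address.
PEER_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s")

def classify(raw):
    """Return (kind, connecting_ip) for one delivered message."""
    msg = email.message_from_string(raw)
    if msg.get("Return-Path", "").strip() != "<>":
        return ("not-a-bounce", None)
    # The topmost Received header is the one our own MX added.
    received = msg.get_all("Received") or [""]
    m = PEER_IP.search(received[0])
    ip = m.group(1) if m else None
    # Assumption: Delivered-To carries the envelope recipient.
    rcpt = email.utils.parseaddr(msg.get("Delivered-To", ""))[1].lower()
    kind = "possible-legit-bounce" if rcpt in VALID_RCPTS else "backscatter"
    return (kind, ip)

def blocklist(messages, threshold=2):
    """IPs that sent at least `threshold` bounces to nonexistent addresses."""
    hits = Counter()
    for raw in messages:
        kind, ip = classify(raw)
        if kind == "backscatter" and ip:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def _bounce(ip, rcpt):
    # Constructed sample message; IPs are from documentation ranges.
    return (f"Return-Path: <>\nDelivered-To: {rcpt}\n"
            f"Received: from unknown (HELO 203.0.113.9) ({ip})\n"
            "  by mx.example.com with SMTP; 9 Apr 2007 14:18:00 -0000\n"
            "Subject: failure notice\n\noriginal message follows\n")

SAMPLE = [_bounce("192.0.2.10", "xkq3@example.com"),
          _bounce("192.0.2.10", "zz81@example.com"),
          _bounce("198.51.100.7", "j@example.com"),
          _bounce("198.51.100.8", "qq17@example.com")]

if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE)))
```

A bounce addressed to a valid mailbox is only "possible" legitimate, since spammers can forge real addresses too; the threshold keeps a single stray bounce from blocking a server.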



       