From: Ram on
On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:
>
> On 7/9/2010 13:27, Robert Schetterer wrote:
> > On 09.07.2010 12:51, Administrator Beckspaced.com wrote:
> >> hello robert,
> >>
> >> thanks a lot for your quick reply ...
> >> actually it is not always the same IP or host sending the error bounces ...
> >> the bounces are sent from hundreds of different IP addresses ...
> >>
> >> any more ideas?
> >>

Usually you can do very little to prevent forging your domain and
sending spam.
Some months ago one client of ours too had the same issue, but the issue
is very temporary.
The short term solution, as someone suggested, will be to temporarily
defer all NDRs with a sender check regex file like
/<>/ 450 Try Later

(The RFCs say you can't do this .. but sometimes you must be
practical :-) )

From my personal experience I found that if, for your regular mailing,
you use some sender authentication mechanism like SPF then these NDRs
significantly reduce. E.g. many servers reject forged messages based
on SPF checks so you don't get NDRs from them at least.

I guess, spammers (the more intelligent ones ... I mean) too would
be less inclined to forge a domain that uses sender authentication,
because that will reduce the deliverability of their spams.

Thanks
Ram

From: "Administrator Beckspaced.com" on


On 7/9/2010 14:40, Ram wrote:
> Usually you can do very little to prevent forging your domain and
> sending spam.
> Some months ago one client of ours too had the same issue, but the issue
> is very temporary.
> The short term solution, as someone suggested, will be to temporarily
> defer all NDRs with a sender check regex file like
> /<>/ 450 Try Later
>
hello again robert & ram

thanks again for your ideas ...

so i had another search in google about that backscatter topic and sort
of found a nice, simple & also quick solution?

SAFE MODE with Postfix:

Edit /etc/postfix/main.cf:

    smtpd_recipient_restrictions =
        ....
        check_sender_access dbm:/etc/postfix/check_backscatterer
        ....

Create new file /etc/postfix/check_backscatterer:

    <>          reject_rbl_client ips.backscatterer.org
    postmaster  reject_rbl_client ips.backscatterer.org

well ... had to change the postfix dbm lookup to hash and do a postmap
on the file ...
but now this seems to work as it already rejected a few emails according
to the mail log ...

more info can be found here ->

http://www.backscatterer.org

does anyone have any experience with that list?
is this a good longterm solution?

best regards
becki

--
Beckspaced.com - WebDesign, Hosting & Solutions

CEO Becki Beckmann

Marienplatz 9
97353 Wiesentheid
Germany
Phone: 09383-425

P.O. Box 15
Thongsala
84280 Koh Phangan
Suratthani / Thailand
Phone: 077-377 733
Mobile: 087-2828826

----------------------------------------------
Optimism is only a lack of information!
----------------------------------------------

WebDesign & Hosting - http://beckspaced.com - Are You Beckspaced?
Phangan Independent News - http://kohphangannews.org - The Awful Truth!

From: Stan Hoeppner on
Kammen van, Marco, Springer SBM NL put forth on 7/9/2010 6:00 AM:

> Not sure if it's related to your issue.
> But there is a big spam/virus attack going on, where messages look like
> NDRs but they aren't.
> Various big anti spam vendors are having serious issues stopping this.

Some of my trap addresses are being hit with this fake NDR spam but I've not
seen it make it into any inboxen (yet). My A/S measures are strictly home
grown stuff plus a couple of Spamhaus dnsbl checks. I guess I'm just lucky so
far. (knocks on wood)

--
Stan

From: Robert Schetterer on
On 09.07.2010 16:13, Administrator Beckspaced.com wrote:
> does anyone have any experience with that list?
> is this a good longterm solution?

in your case it may be a short/quick/easy solution
but don't use this rbl for a long time
it has nearly every big mailhost in it
you will lose legitimate bounces
you may additionally use this rbl only for your backscattered recipient
and not for your whole server

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

From: "Administrator Beckspaced.com" on


hello again ram, robert & postfix users ;-)

already posted yesterday about the backscatterer.org ...
but was a bit too skeptical to do the check on ALL NDR's for ALL email
accounts on my mail server ...

so i had a look around to do the check ONLY for that specific email account.
it's actually quite easy with smtpd_restriction_classes

i thought i will write a short 'todo' as it might help some other mail
server administrators out there ... who knows?

so first thing is to setup a restriction class in main.cf ->

smtpd_restriction_classes = reject_ndr_class
reject_ndr_class = check_sender_access hash:/etc/postfix/backscatter_check

now create the backscatter_check file in /etc/postfix/
touch /etc/postfix/backscatter_check

and fill in this data

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org

do a postmap /etc/postfix/backscatter_check on that file to generate the
.db file

next create a file called backscatter_recipient with touch
/etc/postfix/backscatter_recipient

fill in

user@domain.com reject_ndr_class

do a postmap /etc/postfix/backscatter_recipient

which will generate the backscatter_recipient.db file

then in main.cf under the smtpd_recipient_restrictions add the following
line ->

check_recipient_access hash:/etc/postfix/backscatter_recipient

and then a postfix reload ... restart and all should be fine as only the
email address listed in backscatter_recipient will be checked!
also only if the sender address is empty <> postmaster or MAILER-DAEMON

exactly how i wanted it ...

well ... i'm aware that this is just a short and quick fix ... but so
far it filtered out about 95% of those annoying error bounces ...
and only for that email address as defined in backscatter_check ... all
other mailboxes won't get this check ...

hopefully this might help someone looking for a quick fix for the error
bounce emails ...

but ... i will shortly look into BATV as it sounds like a better
solution ;-)

http://babel.de/art20080306a.html

so ... thanks again for all your help & tips

have a nice day & lots of fun

greetings
becki
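
The per-recipient check described in this thread, traced as an added Python sketch (not code from any poster and not Postfix's own code): it shows which RCPT TO / MAIL FROM combinations reach the DNSBL lookup and how the query name is built from the client IP. Assumptions: the recipient address, client IPs and the LISTED set are constructed, DNS is replaced by a set lookup so it runs offline, and local-part keys use the "user@" form from access(5).

```python
import ipaddress

# Constructed tables mirroring the post; the address is a placeholder.
BACKSCATTER_RECIPIENT = {"user@example.com": "reject_ndr_class"}
# "<>" is Postfix's default lookup key for the null sender; local parts
# are keyed in the "user@" form that access(5) documents (an assumption
# of this sketch, the post lists the bare words).
BACKSCATTER_CHECK = {
    "<>": "ips.backscatterer.org",
    "postmaster@": "ips.backscatterer.org",
    "mailer-daemon@": "ips.backscatterer.org",
}
# Constructed stand-in for DNS: names that would return an A record.
LISTED = {"10.2.0.192.ips.backscatterer.org"}

def sender_keys(sender):
    """Keys tried for an envelope sender (simplified lookup order)."""
    if sender == "":
        return ["<>"]
    local, _, domain = sender.lower().rpartition("@")
    return [f"{local}@{domain}", domain, f"{local}@"]

def dnsbl_name(client_ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decide(rcpt, sender, client_ip, is_listed=LISTED.__contains__):
    """Return (action, dnsbl_query_or_None) for one RCPT TO."""
    if BACKSCATTER_RECIPIENT.get(rcpt.lower()) != "reject_ndr_class":
        return ("DUNNO", None)      # other mailboxes: class never runs
    zone = next((BACKSCATTER_CHECK[k] for k in sender_keys(sender)
                 if k in BACKSCATTER_CHECK), None)
    if zone is None:
        return ("DUNNO", None)      # ordinary sender: no DNSBL query
    query = dnsbl_name(client_ip, zone)
    return ("REJECT" if is_listed(query) else "DUNNO", query)

if __name__ == "__main__":
    for rcpt, sender, ip in [
        ("user@example.com", "", "192.0.2.10"),
        ("user@example.com", "postmaster@example.net", "198.51.100.7"),
        ("user@example.com", "alice@example.net", "192.0.2.10"),
        ("other@example.com", "", "192.0.2.10"),
    ]:
        print(rcpt, repr(sender), ip, decide(rcpt, sender, ip))
```

Only the first sample is rejected; the second triggers a DNSBL query that finds no listing, and the last two never query the list at all.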