From: Ansgar Wiechers on 15 Feb 2010 03:23

On 2010-02-14 David Koski wrote:
> On Tuesday 19 January 2010, Ansgar Wiechers wrote:
>> On 2010-01-18 David Koski wrote:
>>> My mail server has been getting a fair amount of spam hits that have
>>> been rejected but the sender address is spoofed with the recipient's
>>> address. This generates an NDR to the recipient with the spam. I
>>> would like to suppress NDRs of this kind but not legitimate NDRs.
>>
>> What I'm doing is this:
>>
>> - store a hash of From:, To: and Date: header of all outgoing mail
>> - accept all bounces that include From:, To: and Date: headers whose
>>   hash matches a stored hash
>> - remove stored hashes older than 4 days
>>
>> This method does lead to rejection of valid bounces that don't include
>> the above mentioned headers. However, I consider those bounces useless
>> anyway.
>
> How about something more simple: test for From: is the same as To: and
> is from MAILER-DAEMON:
>
>   grep "^From:.*<david(a)kosmosisland.com>" "$test" \
>   && grep "Return-Path:.*<MAILER-DAEMON>" "$test" \
>   && grep "^To:.*<david(a)kosmosisland.com>" "$test"
>
> ..where "$test" is the email file to scan.

You (your users) might lose valid bounces that way.

> But can this be done with Postfix?

Not with Postfix itself, but it's doable with a proxy_filter and
probably also with a policy daemon. I'd recommend against implementing
it, though, because of the abovementioned reason.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
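
The three-step scheme quoted in the message above (hash outgoing From:/To:/Date:, accept only bounces that embed matching headers, expire after 4 days), as an added Python sketch that is not code from any poster in this thread. The names `SentStore`, `header_hash` and `make_bounce`, the in-memory dict, the choice of SHA-256 and all sample addresses are assumptions made for illustration.

```python
import hashlib
from email import message_from_string

MAX_AGE = 4 * 86400  # retention from the thread: hashes older than 4 days are dropped

def header_hash(msg):
    """SHA-256 over whitespace-normalised From:, To:, Date:; None if one is missing."""
    parts = [msg.get(h) for h in ("From", "To", "Date")]
    if any(p is None for p in parts):
        return None
    canon = "\n".join(" ".join(p.split()) for p in parts)
    return hashlib.sha256(canon.encode()).hexdigest()

class SentStore:  # hypothetical in-memory store; a real filter would persist it
    def __init__(self):
        self.seen = {}  # hash -> time the outgoing message was recorded

    def record_outgoing(self, raw, now):
        h = header_hash(message_from_string(raw))
        if h is not None:
            self.seen[h] = now
        return h

    def accept_bounce(self, raw, now):
        """True only if the bounce embeds headers of mail we recorded recently."""
        self.seen = {h: t for h, t in self.seen.items() if now - t <= MAX_AGE}
        for part in message_from_string(raw).walk():
            ctype = part.get_content_type()
            if ctype == "message/rfc822":          # full original attached
                originals = part.get_payload()
            elif ctype == "text/rfc822-headers":   # headers-only copy
                originals = [message_from_string(part.get_payload())]
            else:
                continue
            if any(header_hash(o) in self.seen for o in originals):
                return True
        return False  # no embedded headers, or none that we ever sent

# Constructed sample data (addresses and dates are made up).
SENT = "From: alice@example.org\nTo: bob@example.net\nDate: Mon, 15 Feb 2010 10:00:00 +0000\nSubject: hi\n\nbody\n"
SPAM = "From: alice@example.org\nTo: alice@example.org\nDate: Mon, 15 Feb 2010 11:00:00 +0000\nSubject: buy\n\nspam\n"

def make_bounce(original):
    """Build a minimal multipart/report NDR that attaches `original`."""
    return ("From: MAILER-DAEMON@example.net\nTo: alice@example.org\n"
            "Content-Type: multipart/report; boundary=b\n\n"
            "--b\nContent-Type: text/plain\n\nUndelivered.\n"
            "--b\nContent-Type: message/rfc822\n\n" + original + "--b--\n")
```

A bounce that attaches `SPAM` (sender spoofed as the recipient) is refused because no such message was ever recorded as sent, while a bounce with no embedded headers is also refused, which is the trade-off the message describes.
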

From: wolfgang on 15 Feb 2010 03:41

Hi,

In an older episode (Monday, 15. February 2010), David Koski wrote:
>   grep "^From:.*<david(a)kosmosisland.com>" "$test" \
>   && grep "Return-Path:.*<MAILER-DAEMON>" "$test" \

the "Return-Path" of an NDR is *not* .*MAILER-DAEMON.* - it is "<>".

"mailer-daemon" would be in the From-Header of the NDR

Regards,

wolfgang

From: David Koski on 15 Feb 2010 11:35

On Monday 15 February 2010, wolfgang wrote:
> Hi,
>
> In an older episode (Monday, 15. February 2010), David Koski wrote:
> >   grep "^From:.*<david(a)kosmosisland.com>" "$test" \
> >   && grep "Return-Path:.*<MAILER-DAEMON>" "$test" \
>
> the "Return-Path" of an NDR is *not* .*MAILER-DAEMON.* - it is "<>".
>
> "mailer-daemon" would be in the From-Header of the NDR
>
> Regards,
>
> wolfgang

That is correct. It is the NDR that I want to stop because it has a
spoofed sender address.

Regards,
David Koski
david(a)kosmosisland.com

From: David Koski on 20 Feb 2010 02:39

On Monday 15 February 2010, Ansgar Wiechers wrote:
> On 2010-02-14 David Koski wrote:
> > On Tuesday 19 January 2010, Ansgar Wiechers wrote:
> >> On 2010-01-18 David Koski wrote:
> >>> My mail server has been getting a fair amount of spam hits that have
> >>> been rejected but the sender address is spoofed with the recipient's
> >>> address. This generates an NDR to the recipient with the spam. I
> >>> would like to suppress NDRs of this kind but not legitimate NDRs.
> >>
> >> What I'm doing is this:
> >>
> >> - store a hash of From:, To: and Date: header of all outgoing mail
> >> - accept all bounces that include From:, To: and Date: headers whose
> >>   hash matches a stored hash
> >> - remove stored hashes older than 4 days
> >>
> >> This method does lead to rejection of valid bounces that don't include
> >> the above mentioned headers. However, I consider those bounces useless
> >> anyway.
> >
> > How about something more simple: test for From: is the same as To: and
> > is from MAILER-DAEMON:
> >
> >   grep "^From:.*<david(a)kosmosisland.com>" "$test" \
> >   && grep "Return-Path:.*<MAILER-DAEMON>" "$test" \
> >   && grep "^To:.*<david(a)kosmosisland.com>" "$test"
> >
> > ..where "$test" is the email file to scan.
>
> You (your users) might lose valid bounces that way.

I would only lose bounces that were from and to me, right? That is no big
deal.

Regards,
David Koski
david(a)kosmosisland.com

> > But can this be done with Postfix?
>
> Not with Postfix itself, but it's doable with a proxy_filter and
> probably also with a policy daemon. I'd recommend against implementing
> it, though, because of the abovementioned reason.
>
> Regards
> Ansgar Wiechers

From: daniel.richards on 20 Feb 2010 03:46

On Fri, 2010-02-19 at 23:39 -0800, David Koski wrote:
> On Monday 15 February 2010, Ansgar Wiechers wrote:
> > On 2010-02-14 David Koski wrote:
> > > On Tuesday 19 January 2010, Ansgar Wiechers wrote:
> > >> On 2010-01-18 David Koski wrote:
> > >>> My mail server has been getting a fair amount of spam hits that have
> > >>> been rejected but the sender address is spoofed with the recipient's
> > >>> address. This generates an NDR to the recipient with the spam. I
> > >>> would like to suppress NDRs of this kind but not legitimate NDRs.
> > >>
> > >> What I'm doing is this:
> > >>
> > >> - store a hash of From:, To: and Date: header of all outgoing mail
> > >> - accept all bounces that include From:, To: and Date: headers whose
> > >>   hash matches a stored hash
> > >> - remove stored hashes older than 4 days
> > >>
> > >> This method does lead to rejection of valid bounces that don't include
> > >> the above mentioned headers. However, I consider those bounces useless
> > >> anyway.
> > >
> > > How about something more simple: test for From: is the same as To: and
> > > is from MAILER-DAEMON:
> > >
> > >   grep "^From:.*<david(a)kosmosisland.com>" "$test" \
> > >   && grep "Return-Path:.*<MAILER-DAEMON>" "$test" \
> > >   && grep "^To:.*<david(a)kosmosisland.com>" "$test"
> > >
> > > ..where "$test" is the email file to scan.
> >
> > You (your users) might lose valid bounces that way.
>
> I would only lose bounces that were from and to me, right? That is no big
> deal.
>
> Regards,
> David Koski
> david(a)kosmosisland.com
>
> > > But can this be done with Postfix?
> >
> > Not with Postfix itself, but it's doable with a proxy_filter and
> > probably also with a policy daemon. I'd recommend against implementing
> > it, though, because of the abovementioned reason.
> >
> > Regards
> > Ansgar Wiechers
>

Is there a policy daemon for Postfix that will plug something like this in?

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

That is, sign it on the way out, verify it on the way back?
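
The "sign it on the way out, verify it on the way back" idea from the post above, as an added Python sketch that is not code from the thread or from any Postfix policy daemon. The tag layout is modelled on the `prvs=` form used by BATV and is simplified, so it is not claimed to interoperate with other implementations; the key, the 7-day lifetime and the function names are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: a site-local secret
LIFETIME_DAYS = 7               # assumption: how long a tag stays valid

def _mac(key_no, day, addr):
    """First 6 hex digits of HMAC-SHA1 over key number, expiry day and address."""
    msg = f"{key_no}{day:03d}{addr}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:6]

def sign(addr, now, key_no=0):
    """Outgoing: rewrite the envelope sender to prvs=KDDDSSSSSS=addr."""
    day = (int(now) // 86400 + LIFETIME_DAYS) % 1000   # expiry day, modulo 1000
    return f"prvs={key_no}{day:03d}{_mac(key_no, day, addr)}={addr}"

def verify(rcpt, now):
    """Incoming bounce: return the original address if the recipient carries
    a valid, unexpired tag, otherwise None (the bounce is refused)."""
    if not rcpt.startswith("prvs="):
        return None                     # untagged: we never sent from this
    tag, sep, addr = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return None
    key_no, day = int(tag[0]), int(tag[1:4])
    if not hmac.compare_digest(tag[4:], _mac(key_no, day, addr)):
        return None                     # forged or altered tag
    # Days left until expiry, computed modulo 1000 like the tag itself;
    # an expired tag wraps round to a large value and is refused.
    remaining = (day - int(now) // 86400) % 1000
    return addr if remaining <= LIFETIME_DAYS else None
```

The check applies only to mail arriving with the null envelope sender `<>`; ordinary mail to the plain address is untouched, and a bounce caused by a spoofed sender is addressed to the untagged form, so `verify` returns `None` for it.
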