From: David Koski on
My mail server has been getting a fair amount of spam hits that have been
rejected but the sender address is spoofed with the recipient's address.
This generates an NDR to the recipient with the spam. I would like to
suppress NDRs of this kind but not legitimate NDRs.

Regards,
David Koski
david(a)kosmosisland.com

From: Ansgar Wiechers on
On 2010-01-18 David Koski wrote:
> My mail server has been getting a fair amount of spam hits that have
> been rejected but the sender address is spoofed with the recipient's
> address. This generates an NDR to the recipient with the spam. I
> would like to suppress NDRs of this kind but not legitimate NDRs.

What I'm doing is this:

- store a hash of From:, To: and Date: header of all outgoing mail
- accept all bounces that include From:, To: and Date: headers whose
  hash matches a stored hash
- remove stored hashes older than 4 days

This method does lead to rejection of valid bounces that don't include
the above mentioned headers. However, I consider those bounces useless
anyway.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
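
The scheme described in the message above, sketched as an added example; it is not code from the thread or from Postfix. SHA-256, the in-memory dict, and every function name are assumptions, as are the constructed sample messages, and the hook into the mail server (content filter or similar) is left out. It also accepts headers-only bounces (text/rfc822-headers), which goes slightly beyond what the post spells out.

```python
import hashlib
from email import message_from_string
from email.message import EmailMessage

MAX_AGE = 4 * 24 * 3600   # "remove stored hashes older than 4 days"
sent = {}                 # hash -> time stored; in-memory stand-in for a real database

def header_hash(msg):     # returns None when From:, To: or Date: is missing
    values = [msg.get(h) for h in ("From", "To", "Date")]
    if any(v is None for v in values):
        return None
    norm = "\n".join(" ".join(str(v).split()) for v in values)  # undo header folding
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def record_outgoing(msg, now):
    digest = header_hash(msg)
    if digest:
        sent[digest] = now

def expire(now):
    for digest in [d for d, t in sent.items() if now - t > MAX_AGE]:
        del sent[digest]

def returned_originals(bounce):
    """Yield the original message (full copy or headers only) carried in a bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            if isinstance(inner, list) and inner:
                yield inner[0]
        elif part.get_content_type() == "text/rfc822-headers":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            yield message_from_string(text)

def bounce_is_wanted(bounce, now):
    expire(now)
    return any(header_hash(m) in sent for m in returned_originals(bounce))

def make_message(sender, rcpt, date):          # constructed sample data
    m = EmailMessage()
    m["From"], m["To"], m["Date"] = sender, rcpt, date
    m.set_content("hello")
    return m

def make_bounce(returned, **kw):               # constructed sample bounce
    b = EmailMessage()
    b["From"], b["To"] = "MAILER-DAEMON@mx.example.net", "user@example.org"
    b.set_content("Delivery failed.")
    b.add_attachment(returned, **kw)
    return b
```

A bounce for spam that merely forged the local address carries a From:/To:/Date: triple that was never recorded, so it fails the lookup; so does any bounce that returns no original headers at all.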

From: Noel Jones on
On 1/18/2010 11:47 PM, David Koski wrote:
> My mail server has been getting a fair amount of spam hits that have been
> rejected but the sender address is spoofed with the recipient's address.
> This generates an NDR to the recipient with the spam. I would like to
> suppress NDRs of this kind but not legitimate NDRs.
>
> Regards,
> David Koski
> david(a)kosmosisland.com

Maybe this will help:
http://www.postfix.org/BACKSCATTER_README.html

-- Noel Jones

From: David Koski on
On Tuesday 19 January 2010, Ansgar Wiechers wrote:
> On 2010-01-18 David Koski wrote:
> > My mail server has been getting a fair amount of spam hits that have
> > been rejected but the sender address is spoofed with the recipient's
> > address. This generates an NDR to the recipient with the spam. I
> > would like to suppress NDRs of this kind but not legitimate NDRs.
>
> What I'm doing is this:
>
> - store a hash of From:, To: and Date: header of all outgoing mail
> - accept all bounces that include From:, To: and Date: headers whose
>   hash matches a stored hash
> - remove stored hashes older than 4 days
>
> This method does lead to rejection of valid bounces that don't include
> the above mentioned headers. However, I consider those bounces useless
> anyway.

How about something more simple: test for From: is the same as To: and is from
MAILER-DAEMON:

grep "^From:.*<david(a)kosmosisland.com>" "$test" \
&& grep "Return-Path:.*<MAILER-DAEMON>" "$test" \
&& grep "^To:.*<david(a)kosmosisland.com>" "$test"

...where "$test" is the email file to scan. But can this be done with Postfix?

Regards,
David Koski
david(a)kosmosisland.com

From: "Jonathan Tripathy" on
So I'm very new to Postfix, however I have a feeling that the regex stuff can be done via some scripts. I guess that's how the Python SPF checkers work...

But as I said, I'm new to Postfix so I could be way off target.

-----Original Message-----
From: owner-postfix-users(a)postfix.org on behalf of David Koski
Sent: Mon 2/15/2010 03:19
To: postfix-users(a)postfix.org
Subject: Re: suppress NDRs from spoofed sender
