Stopping backscatter with a magic cookie ?

From: Adam Harrison (adamantispin.org)
Date: Thu Jul 22 2004 - 09:08:26 CDT


Hi All,

I run postfix on a small domain and I'm having a problem with backscatter
email to real recipient addresses. I already block backscatter to invalid
addresses and SpamAssassin takes care of 99% of the spam, and my last
remaining problem is bounces from MTAs and virus scanners where the spammer
has forged a real recipient from my domain (even though I publish an SPF
record).

I've read the documentation at http://www.postfix.org/BACKSCATTER_README.html,
but unfortunately the spammers aren't competent enough to consistently forge
a HELO or Message-Id as outlined in the howto (In fact, they mostly just HELO
with their own IP and don't bother to include a Message-Id at all). This
prevents me from positively identifying bogus bounces with a single match
statement.

I started reading the header_checks(5) manpage and when I came across the 'if'
statement capability I thought that since most of these mails (even the ones
from virus scanners) contain the original header in the body, I can do a body
check like this:

if /^From.*antispin.org/
!/^Message-Id:.*antispin.org/ REJECT original message source is a forgery
endif

the idea being that if the original message header purports to be From: an
antispin.org address but doesn't include a Message-Id: generated by my
system then it would get rejected. My next thought was that this wouldn't
stop people forging the Message-Id: correctly, so why not use a 'magic
cookie':

Get postfix to add an 'X-From-Magic-Cookie: abracadabra' to all outgoing email,
then

if /^From.*antispin.org/
!/^X-From-Magic-Cookie: abracadabra$/ REJECT original message source is a forgery
endif

Unfortunately I then read through the BUGS section and found this: "Many
people overlook the main limitations of header and body_checks rules.
These rules operate on one logical message header or one body line at a
time..."

So, my question to the list therefore is, does anyone know a way of doing
this, preferably without modifying postfix? If we can find a way I will
submit a patch to the backscatter howto for inclusion on the website.

Many Thanks,

Adam.
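The following is an added example, not part of Adam's post and not a reply from the list. It models the two things the post hinges on: first, how Postfix actually evaluates the quoted if/!/endif rules (each line on its own, so the negated cookie rule is tested against the very "From:" line that satisfied the "if", and can therefore only ever fire), and second, what the intended check looks like when it is done over the whole bounce, as a content filter or policy script would do it. The cookie header name and value are the ones from the post; the domain is the poster's; the three sample messages are constructed for the example and are not real bounces; the function names are the example's own.

```python
"""Added example (not from the post): per-line body_checks semantics versus a
whole-message magic-cookie check on constructed sample bounces."""
import email
import re
from email import policy

OUR_DOMAIN = "antispin.org"                 # poster's domain
COOKIE_HEADER = "X-From-Magic-Cookie"       # header name proposed in the post
COOKIE_VALUE = "abracadabra"                # cookie value proposed in the post


def postfix_per_line(raw):
    """Model of how Postfix applies the posted rules: every line after the
    top-level headers is matched by itself, with no memory of earlier lines,
    so the "if" guard and the negated rule both see the same line."""
    body = raw.decode("ascii", "replace").split("\n\n", 1)[1].splitlines()
    for line in body:
        if re.match(r"^From.*" + re.escape(OUR_DOMAIN), line, re.I):          # if /^From.*antispin.org/
            if not re.match(rf"^{COOKIE_HEADER}: {COOKIE_VALUE}$", line, re.I):  # !/^X-From-Magic-Cookie.../ REJECT
                return ("REJECT", line)                                       # endif
    return ("OK", None)


def original_headers(bounce):
    """Locate the original message's header block inside a bounce: a
    message/rfc822 or text/rfc822-headers part (RFC 3464 DSNs), or, for
    virus-scanner notices, a header block pasted into plain text."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "text/plain":
            m = re.search(r"(?ms)^From:.*?(?=\n\n|\Z)", part.get_content())
            if m:
                return email.message_from_string(m.group(0), policy=policy.default)
    return None


def classify(raw):
    """Whole-message policy: reject a bounce whose embedded original claims
    to come from our domain but does not carry the cookie our outbound
    mail is assumed to add."""
    orig = original_headers(email.message_from_bytes(raw, policy=policy.default))
    if orig is None or OUR_DOMAIN not in str(orig.get("From", "")).lower():
        return "OK"          # nothing of ours to verify; leave it to the other filters
    if str(orig.get(COOKIE_HEADER, "")).strip() == COOKIE_VALUE:
        return "OK"          # genuine bounce of mail we actually sent
    return "REJECT original message source is a forgery"


# Constructed sample 1: DSN bouncing a forged message with no cookie.
FORGED_DSN = b"""From: MAILER-DAEMON@example.net
To: victim@antispin.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered (constructed sample bounce).

--B1
Content-Type: message/rfc822

From: victim@antispin.org
To: nobody@example.net
Subject: cheap pills
Message-Id: <1234@bogus.example>

buy now
--B1--
"""

# Constructed sample 2: the same DSN, but the attached original carries the cookie.
LEGIT_DSN = FORGED_DSN.replace(
    b"Subject: cheap pills\n",
    b"Subject: meeting notes\nX-From-Magic-Cookie: abracadabra\n")

# Constructed sample 3: plain-text virus-scanner notice quoting forged headers.
SCANNER_NOTICE = b"""From: postmaster@scanner.example
To: victim@antispin.org
Subject: VIRUS IN YOUR MAIL
Content-Type: text/plain

A virus was found in a message you sent. The original headers were:

From: victim@antispin.org
To: target@scanner.example
Subject: your document
Date: Thu, 22 Jul 2004 09:00:00 -0500

The message has been deleted.
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_DSN), ("legit", LEGIT_DSN), ("scanner", SCANNER_NOTICE)):
        print(name, "per-line:", postfix_per_line(raw), "whole-message:", classify(raw))
```

Run stand-alone, the per-line model rejects the legitimate bounce exactly as it rejects the forged one, because the rule never gets to see the cookie line while the "From:" line is the one being matched; the whole-message check separates the two. Postfix hands attached message headers to nested_header_checks (which defaults to $header_checks) and pasted plain text to body_checks, and both are evaluated one line at a time, which is what the first function models. One caveat on the cookie itself: a fixed value added to every outgoing message is visible to every recipient, so anyone who has ever received mail from the domain can copy it into a forgery; if the cookie has to survive disclosure it should be derived per message (for instance a keyed hash over the sender and a timestamp) rather than a constant.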