Re: Tarpit "User unknown in local recipient table"?

From: Sandy Drobic (postfix-users@japantest.homelinux.com)
Date: Sun Jul 02 2006 - 14:31:28 CDT


Adhamh Findlay wrote:
> On Sun, 02 Jul 2006 14:06:26 +0200, mouss <usebsdfree.fr> wrote:
>>>
>> As sandy said, this is more probably a joe job attack. addresses from
>> your domains are used as sender in spam/virus/whatever mail, and the
>> recipient domain is misconfigured, and does backscatter. There are
>> unfortunately many broken sites.
>>
>> what you can do is add a trap address and make some or all of these
>> "unknown" addresses virtual aliases for this trap. Then look at the
>> mail to see if it is really backscatter. If so, report them to
>> spamcops. depending on the situation, you may also complain to the
>> abuse contact and to whois contacts of the misconfigured clients.
>
> I tried to do this with luser_relay, but I didn't get any of these
> messages delivered to the relay account. Did you have a different
> setup in mind?

Just have a look at the pattern of these spam mails and use a regexp alias
in virtual to rewrite such a pattern to a spamtrap address. For example, I
get a lot of attempts like this one:

44843d68.3030608@example.com

In that case you can just add a fitting expression to rewrite such an
address to a spamtrap address.

/etc/postfix/main.cf:
virtual_alias_maps =
        hash:/etc/postfix/virtual,
        pcre:/etc/postfix/virtual.pcre

/etc/postfix/virtual.pcre:
/^[0-9a-e]+\.[0-9a-e]+@example\.com$/ spamtrap@example.com

That is a pattern not used in any real addresses, so I would only catch
spam with such a pattern. Of course, I would have to add
"spamtrap@example.com" to the list of valid addresses and have a mailbox
for the address.

> Is there anything besides my SPF record I can do to help prevent this
> joe job attack leading to my domain getting blacklisted?

I don't think it would help. If an admin is careless enough to have a
backscatter server, then he won't implement spf checks either. :-(

Your domain won't be blacklisted just because it is abused as a sender
address by a spammer. Only some desperate admins of small sites would do that.

Sandy
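As an added illustration (not code from this thread or from Postfix itself), here is a small Python model of how the virtual_alias_maps setup described above routes incoming recipient addresses: the hash table is consulted first, then the pcre rule, and only afterwards does the local recipient check produce the "User unknown in local recipient table" rejection the thread is about. The hash entries, the local recipient list and all sample addresses except the one quoted in the message are assumed.

```python
import re

# Constructed copies of the two tables from the message. The pcre pattern is the
# one shown there with the dot in the domain escaped; the hash entry is assumed.
VIRTUAL_HASH = {"postmaster@example.com": "sandy@example.com"}
VIRTUAL_PCRE = """
# hex-looking local parts such as 44843d68.3030608 never belong to real users
/^[0-9a-e]+\\.[0-9a-e]+@example\\.com$/ spamtrap@example.com
"""
# Assumed local recipient table: the trap must be listed, as the message says.
LOCAL_RECIPIENTS = {"sandy@example.com", "spamtrap@example.com"}
UNKNOWN = "550 User unknown in local recipient table"


def parse_pcre_table(text):
    """Parse '/pattern/ result' lines of a Postfix pcre: table (comments skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, result = re.match(r"^/(.*)/\s+(\S+)$", line).groups()
            # Postfix pcre tables match case-insensitively unless told otherwise
            rules.append((re.compile(pattern, re.IGNORECASE), result))
    return rules


def virtual_alias(addr, hash_map=VIRTUAL_HASH, pcre_rules=None):
    """Look up one address the way virtual_alias_maps does: hash first, then pcre."""
    if addr.lower() in hash_map:
        return hash_map[addr.lower()]
    for regex, result in pcre_rules or parse_pcre_table(VIRTUAL_PCRE):
        m = regex.match(addr)
        if m:  # first matching rule wins; $1-style backreferences are expanded
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", result))
    return addr


def route(addr):
    """Apply aliasing, then the local recipient check that yields the OP's error."""
    target = virtual_alias(addr).lower()
    return f"deliver to {target}" if target in LOCAL_RECIPIENTS else UNKNOWN


if __name__ == "__main__":
    # Constructed sample RCPT TO addresses, including the one quoted in the message
    for rcpt in ["44843d68.3030608@example.com", "ABCD.1234@Example.COM",
                 "postmaster@example.com", "john.doe@example.com"]:
        print(f"{rcpt:32} -> {route(rcpt)}")
```

Addresses that fit the hex-like pattern land in the trap mailbox, real users and hash aliases are delivered normally, and everything else is still rejected exactly as before.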