OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Backscatter being generated from mail aliased to other servers.

From: Jaroslaw Grzabel (jarekmeil.me)
Date: Mon Nov 16 2009 - 15:04:53 CST

Jim Lang pisze:
> John Peach wrote:
>> On Mon, 16 Nov 2009 13:07:05 -0700
>> Jim Lang <postfixguscreek.com> wrote:
>>
>>
>>> John Peach wrote:
>>>
>>>> On Mon, 16 Nov 2009 13:00:26 -0700
>>>> Jim Lang <postfixguscreek.com> wrote:
>>>>
>>>>
>>>>> Wietse Venema wrote:
>>>>>
>>>>>> Jim Lang:
>>>>>>
>>>>>>> OK here is the scenario.
>>>>>>> Spammer sends mail to: usermyclientsdomain.com from forged
>>>>>>> address victimrandomdomain.com
>>>>>>>
>>>>>>> If usermyclientsdomain.com is delivered locally, not a problem,
>>>>>>> if the address is invalid, postix rejects the mail during the
>>>>>>> smtp connection.
>>>>>>>
>>>>>>> But if usermyclientsdomain.com is an alias to
>>>>>>> myclientotherserver.com, postfix accepts the mail as deliverable
>>>>>>> and forwards it to hotmail.com.
>>>>>>> But if myclientotherserver.com can for whatever reason not be
>>>>>>> delivered, otherserver.com does what it is supposed to do and
>>>>>>> rejects the mail during the smtp connection, which causes postfix
>>>>>>> to send out a non-delivery report to victimrandomdomain.com --
>>>>>>> backscatter.
>>>>>>>
>>>>>>> Is there a way to stop this?
>>>>>> Yes. Don't forward SPAM.
>>>>>>
>>>>>> Wietse
>>>>>>
>>>>> And how do I do that in this scenario?
>>>>>
>>>> You use recipient verification.
>>>>
>>>>
>>> I must have been really inarticulate when I wrote out the scenario.
>>> I do use recipient verification on my server. How is it that that is
>>> not clear? Do I need to rewrite this post?
>>>
>>>
>> Clearly, you are *NOT* doing recipient verification, or
>> myotherserver.com would not be rejecting it. Never accept mail which
>> cannot be delivered.
>>
>
>
> Except no 'myotherserver.com' appeared in my scenario, nimrod.
>
> otherserver.com in the scenario is a server not under my control.
>
> unsubcribing to this useless list
But server which is out of your control should not accept messages for
example to non-existant user. So if you're doing verification even when
spammer connects to your server should recieve an ansewer from REMOTE
SERVER "user not known" or something similar. I've got similar situation
as I had to smart host for a lot of domains and connection, but let's
say I know people on that remote site, or even if not I've got any
contact details like email addres so simply... I'm trying to explain
people that if they will not protect the end server I will block them in
the smart host as I can't take a risk of block. So generally you should
use reject_unverified_recipient and additionally you can build a
database... you can limit connections, check RBLs, CBLs, there is really
a lot of things but first of all you would need to check which hosts on
the other end couses a problem and find out what you can do more to
prevent spam coming through.
I know that it's impossible to block all SPAM without being too harsh,
but there is always something what you can do to prevent it.

Regards,
Jarek