From: Noel Jones (no email)
Date: Tue Mar 01 2005 - 13:50:05 EST
At 12:31 PM 3/1/2005, Bobby wrote:
>Dear All,
>
>
>thanks to all of you for your answers. Well, the problem is serious, and
>it is a problem. I say that, because it is spam again, using the RFC.
>
>
>So, let's say we do not want to stop mail from <> to our own users. That
>will cause a large amount of viruses and other spam reaching them.
You can always reject or discard viruses and spam according to local
policy, no matter what the sender address. But don't reject mail just
because it uses the null sender address; that would be very wrong. The
null sender address is not a fool-proof indicator of spam.
>But, there is also another problem - relaying. I am sure there is a way to
>stop it. And I am also sure you can help about that. Maybe this could be
>the first step of making just a little better configuration :)
>
>
>Here is an example of a relay-abusing mail from <>:
>
more comments below...
>postfix/qmgr[777]: 1BA0874C2BB: from=<>, size=6707, nrcpt=1 (queue active)
>
>postfix/smtp[16307]: warning: no MX host for cyberinbox.com has a valid A
>record
>
>postfix/smtp[16307]: 1BA0874C2BB: to=<>,
>relay=none, delay=0, status=bounced ([dev.null]: Name or service not known)
>
>postfix/qmgr[777]: 1BA0874C2BB: removed
>
>
>Well:
>
>;; QUESTION SECTION:
>
>;cyberinbox.com. IN MX
>
>
>;; ANSWER SECTION:
>
>cyberinbox.com. 928 IN MX 0 dev.null.
>
>
>;; AUTHORITY SECTION:
>
>cyberinbox.com. 170117 IN NS ns2.adrress.com.
>
>cyberinbox.com. 170117 IN NS ns1.adrress.com.
You have accepted mail and then later bounced it. YOU are generating the
<> sender address. Either you accepted mail for an invalid user or you
have a content filter (or downstream mail server) that is rejecting the mail.
Don't do that. Once you accept a spam mail, you must either tag+deliver
or discard. Sending a bounce is not an acceptable option any more.
>postfix/qmgr[777]: 6DF1674C2BE: from=<>, size=4048, nrcpt=1 (queue active)
>
>postfix/smtp[16322]: connect to mail.cgocable.com[24.226.1.11]: Connection
>timed out (port 25)
>
>postfix/smtp[16322]: 6DF1674C2BE: to=<>,
>relay=none, delay=220013, status=deferred (connect to
>mail.cgocable.com[24.226.1.11]: Connection timed out)
>
Same thing with this one. YOU are sending a bounce.
>And just for today I have 148 mails with from=<>. I am sure these are not
>bounces :)
>
>So, how about that?! Well, it does produce a lot of garbage and relays
>spam to some MTA on the net.
>
>I am quite sure my server won't get listed as an open relay for that. But
>at least I don't want to fill up my bandwidth with this garbage.
>
>All mail to unknown recipients in my domain gets rejected. Let us reject
>mail from <> to other users also.
Are you sure you're rejecting mail to unknown users? Are you sure you
don't have a content filter or downstream mail server rejecting mail you
have already accepted? I think you should check again.
Check your logs for where these bounces are originating.
-- Noel Jones
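
One way to carry out the log check suggested at the end of this message, as an added example (not part of the original post and not Postfix code): it pairs each from=<> queue ID with the "sender non-delivery notification" line that the Postfix bounce daemon logs under the original message's queue ID, which shows the client and rejection that caused the bounce. The log lines, queue IDs, hosts and addresses below are constructed.

```python
import re

# Constructed sample log (not from the thread); IDs, hosts and addresses are invented.
SAMPLE_LOG = """\
postfix/smtpd[1201]: A1B2C3D4E5: client=unknown[192.0.2.10]
postfix/qmgr[777]: A1B2C3D4E5: from=<forged@example.net>, size=5120, nrcpt=1 (queue active)
postfix/smtp[1210]: A1B2C3D4E5: to=<user@example.com>, relay=filter.example.com[198.51.100.5]:25, delay=2, status=bounced (host filter.example.com[198.51.100.5] said: 550 content rejected)
postfix/bounce[1215]: A1B2C3D4E5: sender non-delivery notification: F6E7D8C9B0
postfix/qmgr[777]: F6E7D8C9B0: from=<>, size=6707, nrcpt=1 (queue active)
postfix/smtp[1220]: F6E7D8C9B0: to=<forged@example.net>, relay=none, delay=0, status=bounced (Name or service not known)
postfix/smtpd[1301]: 1122334455: client=mx.example.org[203.0.113.7]
postfix/qmgr[777]: 1122334455: from=<>, size=4048, nrcpt=1 (queue active)
postfix/local[1305]: 1122334455: to=<user@example.com>, relay=local, delay=0, status=sent (delivered to mailbox)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: (\w+): (.*)")
NOTIFY = re.compile(r"sender non-delivery notification: (\w+)")
BOUNCED = re.compile(r"status=bounced \((.*)\)$")

def trace_null_senders(log_text):
    """Report, for each from=<> queue ID, whether this server generated it."""
    facts, parent, null_ids = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        msg = facts.setdefault(qid, {})
        if daemon == "smtpd" and rest.startswith("client="):
            msg["client"] = rest[len("client="):]
        elif daemon == "qmgr" and rest.startswith("from=<"):
            msg["sender"] = rest[len("from=<"):rest.index(">")]
            if msg["sender"] == "" and qid not in null_ids:
                null_ids.append(qid)
        elif BOUNCED.search(rest):
            msg["reason"] = BOUNCED.search(rest).group(1)
        elif NOTIFY.search(rest):
            # The bounce daemon logs the new queue ID under the original's ID.
            parent[NOTIFY.search(rest).group(1)] = qid
    report = []
    for qid in null_ids:
        if qid in parent:
            orig = facts[parent[qid]]
            report.append({"queue_id": qid, "origin": "local bounce",
                           "original": parent[qid], "client": orig.get("client"),
                           "sender": orig.get("sender"), "reason": orig.get("reason")})
        else:
            report.append({"queue_id": qid, "origin": "received", "client": facts[qid].get("client")})
    return report
```

A "local bounce" row names the message that was accepted and then rejected after the SMTP session ended; a "received" row is a null-sender message that arrived from another host.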