From: Sandy Drobic (no email)
Date: Sun Jul 02 2006 - 15:31:28 EDT
Adhamh Findlay wrote:
> On Sun, 02 Jul 2006 14:06:26 +0200, mouss <> wrote:
>>>
>> As sandy said, this is more probably a joe job attack. addresses from
>> your domains are used as sender in spam/virus/whatever mail, and the
>> recipient domain is misconfigured, and does backscatter. There are
>> unfortunately many broken sites.
>>
>> what you can do is add a trap address and make some or all of these
>> "unknown" addresses virtual aliases for this trap. Then look at the
>> mail to see if it is really backscatter. If so, report them to
>> spamcops. depending on the situation, you may also complain to the
>> abuse contact and to whois contacts of the misconfigured clients.
>
> I tried to do this with luser_relay, but I didn't get any of these
> messages delivered to the relay account. Did you have a different
> setup in mind?
Just have a look at the pattern of these spam mails and use a regexp alias
in virtual to rewrite such a pattern to a spamtrap address. For example, I
get a lot of attempts like this one:
In that case you can just add a fitting expression to rewrite such an
address to a spamtrap address.

/etc/postfix/main.cf:
virtual_alias_maps =
    hash:/etc/postfix/virtual,
    pcre:/etc/postfix/virtual.pcre

/etc/postfix/virtual.pcre:
/^[0-9a-e]+\.[0-9a-e]+@example\.com$/    spamtrap@example.com

That is a pattern not used in any real addresses, so I would only catch
spam with such a pattern. Of course, I would have to add
"spamtrap at examplecom" to the list of valid addresses and have a mailbox
for the address.
> Is there anything besides my SPF record I can do to help prevent this
> joe job attack leading to my domain getting blacklisted?
I don't think it would help. If an admin is careless enough to have a
backscatter server, then he won't implement spf checks either. :-(
Your domain won't be blacklisted just because it is abused as a sender
address by a spammer. Only some desperate admins of small sites would do that.
Sandy
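
An added example, not part of the original message: a small offline check that a spamtrap pattern like the one above does not also catch real mailboxes before it goes into virtual.pcre. The table text, the right-hand side spamtrap@example.com, the end anchor and all sample addresses are constructed assumptions.

```python
import re

# Constructed table based on the pattern in the post; the result address
# spamtrap@example.com and the trailing "$" anchor are assumptions.
TABLE = r"""
# rewrite forged hex-looking senders to the trap mailbox
/^[0-9a-e]+\.[0-9a-e]+@example\.com$/    spamtrap@example.com
"""

def load_table(text):
    """Parse '/pattern/flags result' lines into (compiled regex, result) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError("unparsable table line: " + line)
        pattern, flags, result = m.groups()
        # Postfix pcre tables match case-insensitively by default;
        # an explicit "i" flag toggles that default off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), result))
    return rules

def lookup(rules, address):
    """Return the result of the first matching rule, or None (first match wins)."""
    for regex, result in rules:
        if regex.search(address):
            return result
    return None

def collisions(rules, valid_addresses):
    """List real addresses that the trap rules would silently redirect."""
    return [a for a in valid_addresses if lookup(rules, a) is not None]

if __name__ == "__main__":
    rules = load_table(TABLE)
    # Constructed sample addresses: one forged-looking, two real mailboxes.
    print(lookup(rules, "3a1.0bc@example.com"))
    print(collisions(rules, ["sandy@example.com", "ed.bee@example.com"]))
```

A real mailbox such as ed.bee@example.com consists only of letters a-e and would be redirected to the trap, which is the kind of overlap to rule out first. On the server, `postmap -q address pcre:/etc/postfix/virtual.pcre` performs the actual lookup against the deployed table.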