Re: [Exim] A pattern of collateral spam

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Jez Hancock
日付:  
To: Exim users list
題目: Re: [Exim] A pattern of collateral spam
On Mon, Aug 11, 2003 at 07:22:59PM +0100, Alan J. Flavell wrote:
>
> We're being pestered with a non-trivial number of rejection reports
> which amount to collateral spam.[1]

<snip>
I'm also having a fine time with just a single domain which I no longer
use much but still accept mail for a few local users on the domain. It
appears the domain has been used on a large scale in forged From:
headers and I'm now seeing a massive number of bounces from systems who
don't try too hard to check how reliable the mail they accept is - a
dozen or so bounces a minute.

I only realized this was 'collateral' spam when I started accepting a
few of the rejected mails (there are only 2 local_parts within the
domain that are accepted for delivery, the rest are bounced unroutable).
Initially I thought the domain was being targetted in some kind of
distributed dictionary attack, but on letting a few through I realized
they were just bounces from badly configured MTAs which didn't bother to
check the sender_host against any black lists or acls for blocking spam
outright or verifying the sender remotely before accepting.

Luckily I haven't had any complaints about the spam allegedly
originating from the domain as yet and I can deal with not having the
domain in operation should it be blacklisted (I'm thinking of dropping
the domain anyway tbh) - still it's annoying seeing so many rejected
mails hitting the server and consuming bandwidth in general.

As to what can be done I fear not a lot other than prepare for any
complaints that may arise because of it. At the end of the day the only
thing one might attempt to do would be to warn the admins of the MTAs
that are bouncing the mails that the mail didn't originate from your
server and perhaps advise them that they might want to verify the sender
address first before accepting mail in future - or perhaps use
blacklist acls to reject mail from bad sender_host addresses (as the
majority of the mail I let through appeared to be on one or more
blacklists).

Of course how well this advise would go down - not least because the
majority of MTAs appear to be in russia and I don't speak russian too
well! - is another question entirely.

Or... start a campaign:
Make sender verification mandatory for all mtas!!!

:)

--
Jez

http://www.munk.nu/