Re: [exim] Seeking advice how to deal with spam faked to app…

Author: Ian FREISLICH
Date:
To: Exim users list
Subject: Re: [exim] Seeking advice how to deal with spam faked to appear as coming from my domain
"Alan J. Flavell" wrote:
> On Mon, 14 Nov 2005, Cliff Pratt wrote:
>
> > On 11/14/05, Aaron Stromas <ams@???> wrote:
> >
> > > Some S.O.B. is sending spam faking the sender to be from my domain,
> > > izoard.com <http://izoard.com>, so the postmaster gets all that mail
> > > bounced by spam filters
> > > (see below). Is there anything I can do about it?
> [...]
>
> > No, there is nothing that you can really do about it.
>
> I don't know about that. If I was on the receiving end of such stuff,
> and there wasn't *too* much of it, I think I would configure our
> spamassassin to rate the rejection reports as spam and reject them.
>
> If the situation was too bad for that (as it has sometimes been for
> antivirus rejection reports when the virus was faking our domain as
> sender) then I'd blacklist the envelope sender address of the reports,
> to avoid putting too much load on our spamassassin.


Well, the times that this has happened to me, or at least the times
that I've noticed, it would have been far too expensive to run the
mail through SpamAssassin. I've seen millions of bounces over a
day or two.

This little ACL snippet helped:

acl_smtp_rcpt:
    # Reject DSNs (empty envelope sender) addressed to a domain listed in
    # domains.joe-jobbed whose entry (an epoch timestamp) is under 3 days old.
    deny    message    = This domain is Joe Job victim
            senders    = :
            condition  = ${if <{${eval:$tod_epoch - \
                              ${lookup{$domain} \
                                  lsearch{<config path>/domains.joe-jobbed} \
                                  {$value}{0}}}} \
                             {${eval:3 * 86400}} {yes}{no}}


This just blocks DSNs to the particular domain for 3 days. I know
that's not always ideal, but in this situation it's the smaller of
two evils. The timeout is because I normally forget to remove the
block.

It doesn't stop incoming DSNs from even more badly configured systems that
send DSNs with a non-null reverse path.

Ian

--
Ian Freislich
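The ACL above keys its 3-day window on a per-domain epoch timestamp read from domains.joe-jobbed. The following helper, added here and not part of Ian's post or the Exim distribution, maintains that file in the "key: value" format Exim's lsearch expects, reproduces the ACL's arithmetic so a block can be checked from the shell, and prunes expired entries; JOEJOB_FILE is an assumed path.

```shell
#!/bin/sh
# Added example, not from the original post: a small manager for the lsearch
# file the ACL consults. Each line is "domain: epoch", where epoch is the
# second at which the block was switched on, which is what the ACL subtracts
# from $tod_epoch. JOEJOB_FILE is an assumed path; point it at your config.
JOEJOB_FILE="${JOEJOB_FILE:-/tmp/domains.joe-jobbed}"
BLOCK_SECONDS=$((3 * 86400))   # same 3-day window as the ACL

# joejob_add DOMAIN [EPOCH]: start (or restart) the DSN block for DOMAIN.
joejob_add() {
    domain=$1
    now=${2:-$(date +%s)}
    touch "$JOEJOB_FILE"
    # rewrite without any existing entry for the domain, then append the new one
    awk -F':' -v d="$domain" '$1 != d' "$JOEJOB_FILE" > "$JOEJOB_FILE.tmp"
    printf '%s: %s\n' "$domain" "$now" >> "$JOEJOB_FILE.tmp"
    mv "$JOEJOB_FILE.tmp" "$JOEJOB_FILE"
}

# joejob_active DOMAIN [EPOCH]: returns 0 when the ACL would still deny DSNs to
# DOMAIN at time EPOCH (the same "now - start < 3 days" test the ACL performs).
joejob_active() {
    domain=$1
    now=${2:-$(date +%s)}
    [ -f "$JOEJOB_FILE" ] || return 1
    start=$(awk -F':' -v d="$domain" '$1 == d {print $2 + 0}' "$JOEJOB_FILE")
    [ -n "$start" ] || return 1   # unknown domain: lookup yields 0, no deny
    [ $((now - start)) -lt "$BLOCK_SECONDS" ]
}

# joejob_prune [EPOCH]: drop entries whose window has expired. The ACL already
# ignores them, but pruning keeps the file small and shows what is live.
joejob_prune() {
    now=${1:-$(date +%s)}
    [ -f "$JOEJOB_FILE" ] || return 0
    awk -F':' -v now="$now" -v win="$BLOCK_SECONDS" 'now - $2 < win' \
        "$JOEJOB_FILE" > "$JOEJOB_FILE.tmp"
    mv "$JOEJOB_FILE.tmp" "$JOEJOB_FILE"
}
```

Run joejob_prune from cron so the file reflects only live blocks; the ACL itself needs no reload, since lsearch reads the file on every lookup.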