Re: [exim] Seeking advice how to deal with spam faked to app…

Pàgina inicial
Delete this message
Reply to this message
Autor: ams
Data:  
A: Ian FREISLICH
CC: Exim users list
Assumptes vells: Re: [exim] Seeking advice how to deal with spam faked to appear as coming from my domain
Assumpte: Re: [exim] Seeking advice how to deal with spam faked to appear ascoming from my domain
Many thanks, I'll make use of it.

-a
-- 
Aaron Stromas          |     "Tik-tik-tik!!!... ja, Pantani is weg..."
mailto:ams@izoard.com  |                          BRTN commentator
+1 (301) 493 4933      |                          L'Alpe d'Huez
http://www.izoard.com  |                          1995 Tour de France




> "Alan J. Flavell" wrote:
>> On Mon, 14 Nov 2005, Cliff Pratt wrote:
>>
>> > On 11/14/05, Aaron Stromas <ams@???> wrote:
>> >
>> > > Some S.O.B. is sending spam faking the sender to be from my domain,
>> > > izoard.com <http://izoard.com>, so the postmaster get all that mail
>> > > bounced by spam filters
>> > > (see below). Is there anything I can do about it?
>> [...]
>>
>> > No, there is nothing that you can really do about it.
>>
>> I don't know about that. If I was on the receiving end of such stuff,
>> and there wasn't *too* much of it, I think I would configure our
>> spamassassin to rate the rejection reports as spam and reject them.
>>
>> If the situation was too bad for that (as it has sometimes been for
>> antivirus rejection reports when the virus was faking our domain as
>> sender) then I'd blacklist the envelope sender address of the reports,
>> to avoid putting too much load on our spamassassin.
>
> Well, the times that this has happened to me or at least the times
> that I've noticed, It would have been far too expensive to run the
> mail through SpamAssassin. I've seen millions of bounces over a
> day or two.
>
> This little ACL snippet helped:
>
> acl_smtp_rcpt:
>     deny    message    = This domain is Joe Job victim
>         senders    = :
>         condition = ${if < {eval:$tod_epoch - \
>                 ${lookup{$domain} \
>                     lsearch{<config path>/domains.joe-jobbed} \
>                     {$value}{0}}} \
>                 {eval:3 * 86400} {yes}{no}}

>
> This just blocks DSNs to the particular domain for 3 days. I know
> that's not always ideal, but in this situation it's the smaller of
> two evils. The timeout is beacause I normally forget to remove the
> block.
>
> It doesn't stop incoming DSNs from even more badly configured that
> send DSNs with a non null reverse path.
>
> Ian
>
> --
> Ian Freislich
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>