On Wednesday 10 May 2006 19:23, Daniel wrote:
> I have two mail servers. The primary is here in our office, the
> secondary in our NOC just in case our primary pipe goes down. The
> thing is, even if the primary is up and working, the secondary server
> gets an awful lot of mail -- nearly all of it spam as best I can tell.
> Most of it, if it's to an existing user, is accepted because we don't
> have any anti-spam stuff installed yet, but it's the following log
> entries that have me concerned.
>
> Below you'll find what appears to be an attempt by someone in Russia
> pretending to be from someone else in Russia sending stuff to users
> that don't exist in our system. The secondary server appears to be
> bouncing these mails back to the fake sender -- obviously something
> Bad, but I'm not sure how to stop it as it all looks legit.
> Suggestions?
Spammers routinely target secondary mail exchangers for precisely this
reason - often the secondaries have worse or no spam protection or will
accept anything dropped on them and then bounce undeliverable mail to the
purported sender.
You really should perform at least some basic checks before accepting:
* Suspect HELO greetings ("localhost", "friend", the name of your server,
  etc.):

    deny condition = ${if match {${lc:$sender_helo_name}} \
                     {^(friend|localhost|$primary_hostname|$interface_address)\$}}
* Some good DNSBLs:

    deny message = Client host [$sender_host_address] is listed in \
                   $dnslist_domain ($dnslist_text)
         dnslists = list.dsbl.org : sbl-xbl.spamhaus.org : dnsbl.njabl.org
* Check that at least the sender domain exists:

    require verify = sender/defer_ok
Then do callouts to verify the recipient:

    require verify = recipient/callout=10s,defer_ok
defer_ok ensures that mail will be accepted when the primary really *is* down.
You can probably figure out where and in which order to place these statements
yourself.
--
Magnus Holmgren
holmgren@???
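The statements above assembled into one RCPT-time ACL in the order they need to run, as an added example that is not part of Magnus's reply. It assumes the `relay_from_hosts` and `relay_to_domains` lists from Exim's default configuration, and keeps the DNSBL names from the message as-is: list.dsbl.org and dnsbl.njabl.org have since shut down, so they should be replaced with lists that are still maintained before this is deployed.

```exim
# Assumed to be named acl_smtp_rcpt = acl_check_rcpt in the main section.
acl_check_rcpt:
  # Local submission (empty host) and the office network are trusted;
  # relay_from_hosts is assumed to be defined as in the default configure.
  accept  hosts     = : +relay_from_hosts

  # Reject forged HELO/EHLO names before doing anything expensive.
  # message must precede the condition it applies to.
  deny    message   = HELO/EHLO name $sender_helo_name is not acceptable
          condition = ${if match {${lc:$sender_helo_name}} \
                       {^(friend|localhost|$primary_hostname|$interface_address)\$}}

  # DNSBL lookups on the connecting client (lists taken from the message;
  # dsbl.org and njabl.org are defunct today and need replacing).
  deny    message   = Client host [$sender_host_address] is listed in \
                      $dnslist_domain ($dnslist_text)
          dnslists  = list.dsbl.org : sbl-xbl.spamhaus.org : dnsbl.njabl.org

  # A secondary MX must only take mail for the domains it backs up,
  # otherwise it becomes an open relay. relay_to_domains is assumed.
  require message   = relay not permitted
          domains   = +relay_to_domains

  # Sender domain must resolve; defer_ok keeps mail flowing if DNS is down.
  require message   = sender domain $sender_address_domain does not exist
          verify    = sender/defer_ok

  # Ask the primary whether the mailbox exists so unknown users are
  # rejected at SMTP time instead of being bounced to a forged sender.
  # defer_ok accepts the message when the primary really is unreachable.
  require message   = no such user at the primary mail server
          verify    = recipient/callout=10s,defer_ok

  accept
```

Rejecting at RCPT time is what removes the backscatter: the rejection goes to the connecting client, not to the forged envelope sender.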