Selective Sender Address Verification


Selective Sender Address Verification

Elijah Savage
I know this could add delay on a very busy system. But as of late I have
been battling backscatter to legitimate users on my system. 99% of it seems
to be originating from these domains,
Ru
Uk
Br
It

Has anyone used this as a method to fight backscatter?

I have read http://www.postfix.org/BACKSCATTER_README.html and have it
deployed just as an FYI.

It seems since Friday of last week I have seen a big increase of this.
--




RE: Selective Sender Address Verification

Tandon, Sahil (IM)
Elijah Savage:
> I know this could add delay on a very busy system. But as of
> late I have been battling backscatter to legitimate users on
> my system. 99% of it seems to be originating from these
> domains, Ru Uk Br It
>
> Has anyone used this as a method to fight backscatter?

Do you mean use SAV to fight backscatter?  Wouldn't you just be creating
more backscatter?  See:

        http://www.backscatterer.org/?target=sendercallouts

--
Sahil Tandon

Re: Selective Sender Address Verification

Jan P. Kessler-2
In reply to this post by Elijah Savage
Elijah Savage wrote:

> I know this could add delay on a very busy system. But as of late I have
> been battling backscatter to legitimate users on my system. 99% of it seems
> to be originating from these domains,
> Ru
> Uk
> Br
> It
>
> Has anyone used this as a method to fight backscatter?
>  

Maybe I got you wrong but afaik most backscatter arrives with the null
sender address <>.

How would you 'verify' these?


Re: Selective Sender Address Verification

mouss-2
In reply to this post by Elijah Savage
Elijah Savage wrote:

> I know this could add delay on a very busy system. But as of late I have
> been battling backscatter to legitimate users on my system. 99% of it seems
> to be originating from these domains,
> Ru
> Uk
> Br
> It
>
> Has anyone used this as a method to fight backscatter?
>
> I have read http://www.postfix.org/BACKSCATTER_README.html and have it
> deployed just as an FYI.
>
> It seems since Friday of last week I have seen a big increase of this.
>  

SAV will not block backscatter. bounces generally come from valid addresses.

Things you can do
- Implement the recommendations described in BACKSCATTER README
- use spamassassin vbounce rules
- use the last amavisd-new anti backscatter features
- reject bounces from some places. you can use backscatterer.org DNSBL
(only for bounces. use check_sender_access to trigger the call).

- a "loose" heuristic consists of rejecting bounces if the PTR or helo
match a set of patterns:
   
(virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)
but I have no idea whether this would block "wanted" bounces.


if you still have problems, consider blocking bounces to victim
recipients during the backscatter storm.


Re: Selective Sender Address Verification

Elijah Savage
In reply to this post by Tandon, Sahil (IM)


> Do you mean use SAV to fight backscatter?  Wouldn't you just be creating
> more backscatter?  See:
>
> http://www.backscatterer.org/?target=sendercallouts
>
> --
> Sahil Tandon

Thank you for the read. I had considered this, not to mention a lot of
admins are turning off the vrfy because of this.

Backscatter is just becoming so annoying :)
--



Re: Selective Sender Address Verification

Elijah Savage
In reply to this post by mouss-2


> SAV will not block backscatter. bounces generally come from valid addresses.
>
> Things you can do
> - Implement the recommendations described in BACKSCATTER README
> - use spamassassin vbounce rules
> - use the last amavisd-new anti backscatter features
> - reject bounces from some places. you can use backscatterer.org DNSBL
> (only for bounces. use check_sender_access to trigger the call).
>
> - a "loose" heuristic consists of rejecting bounces if the PTR or helo
> match a set of patterns:
>
> (virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)
> but I have no idea whether this would block "wanted" bounces.
>
>
> if you still have problems, consider blocking bounces to victim
> recipients during the backscatter storm.

Thank you.

I have the SA vbounce rules set up. I will look into backscatter.org.
--




Re: Selective Sender Address Verification

mouss-2
Elijah Savage wrote:

>  
>> SAV will not block backscatter. bounces generally come from valid addresses.
>>
>> Things you can do
>> - Implement the recommendations described in BACKSCATTER README
>> - use spamassassin vbounce rules
>> - use the last amavisd-new anti backscatter features
>> - reject bounces from some places. you can use backscatterer.org DNSBL
>> (only for bounces. use check_sender_access to trigger the call).
>>
>> - a "loose" heuristic consists of rejecting bounces if the PTR or helo
>> match a set of patterns:
>>
>> (virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)
>> but I have no idea whether this would block "wanted" bounces.
>>
>>
>> if you still have problems, consider blocking bounces to victim
>> recipients during the backscatter storm.
>>    
>
> Thank you.
>
> I have the SA vbounce rules set up. I will look into backscatter.org.
>  

note that it's backscatterer (with an additional "er" at the end). once
again, only use for bounces (null sender, and maybe also mailer-daemon@  
as some funny sites use a non null address).
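
Added example, not part of any post in this thread: a dry run of the PTR/HELO heuristic listed above, applied only to bounces (null sender or mailer-daemon@, as the last post says), to count how many "wanted" bounces it would reject before it is enforced. The sample records, their host names and the `wanted` label are constructed assumptions.

```python
import re

# PTR/HELO pattern quoted in the thread; matched as a case-insensitive substring.
PATTERN = re.compile(
    r"(virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)",
    re.IGNORECASE,
)

def is_bounce(sender):
    """Bounce = null sender, or mailer-daemon@ as noted in the last post."""
    addr = sender.strip().strip("<>").lower()
    return addr == "" or addr.startswith("mailer-daemon@")

def verdict(sender, ptr, helo):
    """'skip' for non-bounces; otherwise 'reject' if PTR or HELO matches."""
    if not is_bounce(sender):
        return "skip"
    if any(name and PATTERN.search(name) for name in (ptr, helo)):
        return "reject"
    return "accept"

def dry_run(records):
    """Count outcomes; 'wanted' marks a bounce for mail we really sent."""
    stats = {"rejected": 0, "false_positives": 0, "missed": 0, "skipped": 0}
    for sender, ptr, helo, wanted in records:
        v = verdict(sender, ptr, helo)
        if v == "skip":
            stats["skipped"] += 1
        elif v == "reject":
            stats["rejected"] += 1
            stats["false_positives"] += int(wanted)
        elif not wanted:
            stats["missed"] += 1  # backscatter the pattern did not catch
    return stats

# Constructed sample (sender, PTR, HELO, wanted); not taken from real logs.
SAMPLE = [
    ("<>", "barracuda1.example.net", "barracuda1.example.net", False),
    ("<>", "mail.example.org", "mail.example.org", True),
    ("<>", "mx-firewall.example.com", "mx.example.com", True),
    ("MAILER-DAEMON@example.net", "unknown", "spamfilter.example.net", False),
    ("alice@example.org", "scanner.example.org", "scanner.example.org", True),
    ("<>", "smtp.example.edu", "smtp.example.edu", False),
]

if __name__ == "__main__":
    print(dry_run(SAMPLE))
```

The third record shows the risk raised in the thread: a legitimate bounce relayed through a host whose PTR happens to contain "fire" or "wall" is rejected.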