I know this could add delay on a very busy system. But as of late I have been battling backscatter to legitimate users on my system. 99% of it seems to be originating from these domains,
Ru
Uk
Br
It

Has anyone used this as a method to fight backscatter?

I have read http://www.postfix.org/BACKSCATTER_README.html and have it deployed just as an FYI.

It seems since Friday of last week I have seen a big increase of this.
Elijah Savage:
> I know this could add delay on a very busy system. But as of
> late I have been battling backscatter to legitimate users on
> my system. 99% of it seems to be originating from these
> domains, Ru Uk Br It
>
> Has anyone used this as a method to fight backscatter?

Do you mean use SAV to fight backscatter? Wouldn't you just be creating more backscatter? See:

http://www.backscatterer.org/?target=sendercallouts

--
Sahil Tandon

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
In reply to this post by Elijah Savage
Elijah Savage wrote:
> I know this could add delay on a very busy system. But as of late I have
> been battling backscatter to legitimate users on my system. 99% of it seems
> to be originating from these domains,
> Ru
> Uk
> Br
> It
>
> Has anyone used this as a method to fight backscatter?

Maybe I got you wrong but afaik most backscatter arrives with the null sender address <>. How would you 'verify' these?
In reply to this post by Elijah Savage
Elijah Savage wrote:
> I know this could add delay on a very busy system. But as of late I have
> been battling backscatter to legitimate users on my system. 99% of it seems
> to be originating from these domains,
> Ru
> Uk
> Br
> It
>
> Has anyone used this as a method to fight backscatter?
>
> I have read http://www.postfix.org/BACKSCATTER_README.html and have it
> deployed just as an FYI.
>
> It seems since Friday of last week I have seen a big increase of this.

SAV will not block backscatter. bounces generally come from valid addresses.

Things you can do
- Implement the recommendations described in BACKSCATTER README
- use spamassassin vbounce rules
- use the latest amavisd-new anti backscatter features
- reject bounces from some places. you can use backscatterer.org DNSBL (only for bounces. use check_sender_access to trigger the call).
- a "loose" heuristic consists of rejecting bounces if the PTR or helo match a set of patterns:

(virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)

but I have no idea whether this would block "wanted" bounces.

if you still have problems, consider blocking bounces to victim recipients during the backscatter storm.
In reply to this post by Tandon, Sahil (IM)
> Do you mean use SAV to fight backscatter? Wouldn't you just be creating
> more backscatter? See:
>
> http://www.backscatterer.org/?target=sendercallouts
>
> --
> Sahil Tandon

Thank you for the read. I had considered this, not to mention a lot of admins are turning off the vrfy because of this. Backscatter is just becoming so annoying :)
In reply to this post by mouss-2
> SAV will not block backscatter. bounces generally come from valid addresses.
>
> Things you can do
> - Implement the recommendations described in BACKSCATTER README
> - use spamassassin vbounce rules
> - use the latest amavisd-new anti backscatter features
> - reject bounces from some places. you can use backscatterer.org DNSBL
> (only for bounces. use check_sender_access to trigger the call).
>
> - a "loose" heuristic consists of rejecting bounces if the PTR or helo
> match a set of patterns:
>
> )
> but I have no idea whether this would block "wanted" bounces.
>
>
> if you still have problems, consider blocking bounces to victim
> recipients during the backscatter storm.

Thank you.

I have the SA vbounce rules set up. I will look into backscatter.org.
Elijah Savage wrote:
>> SAV will not block backscatter. bounces generally come from valid addresses.
>>
>> Things you can do
>> - Implement the recommendations described in BACKSCATTER README
>> - use spamassassin vbounce rules
>> - use the latest amavisd-new anti backscatter features
>> - reject bounces from some places. you can use backscatterer.org DNSBL
>> (only for bounces. use check_sender_access to trigger the call).
>>
>> - a "loose" heuristic consists of rejecting bounces if the PTR or helo
>> match a set of patterns:
>>
>> (virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)
>>
>> but I have no idea whether this would block "wanted" bounces.
>>
>>
>> if you still have problems, consider blocking bounces to victim
>> recipients during the backscatter storm.
>
> Thank you.
>
> I have the SA vbounce rules setup. I will look into backscatter.org.

note that it's backscatterer (with an additional "er" at the end). once again, only use for bounces (null sender, and maybe also mailer-daemon@ as some funny sites use a non null address).
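
The bounce-only checks suggested in this thread, written out as a Postfix configuration. This is an added example, not configuration posted by anyone in the thread. The file paths, the class name `bounce_checks`, the surrounding restriction list and the DNSBL zone name `ips.backscatterer.org` (the thread names only the site) are assumptions. The hostname pattern starts in WARN mode so its hits can be reviewed in the log before it is allowed to reject "wanted" bounces.

```conf
# ---- /etc/postfix/main.cf (assumed path) ----
# Restriction class that is reached ONLY for bounce-like senders,
# so ordinary mail is never tested against the DNSBL or the pattern.
smtpd_restriction_classes = bounce_checks
bounce_checks =
    check_reverse_client_hostname_access pcre:/etc/postfix/bounce_hosts.pcre,
    check_helo_access pcre:/etc/postfix/bounce_hosts.pcre,
    reject_rbl_client ips.backscatterer.org

# Lookup key that stands for the null sender <> in access tables
# (this is the Postfix default, shown here for clarity).
smtpd_null_access_lookup_key = <>

# Assumed baseline list; the last line is the trigger described in the thread.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/bounce_senders

# ---- /etc/postfix/bounce_senders (run "postmap" on it after editing) ----
# Null sender, plus the non-null mailer-daemon@ that some sites use.
<>                bounce_checks
mailer-daemon@    bounce_checks

# ---- /etc/postfix/bounce_hosts.pcre ----
# Pattern from the thread. It is unanchored, so it matches anywhere in the
# PTR or HELO name; WARN only logs the hit. Change WARN to REJECT after
# checking the log for legitimate senders of bounces.
/(virus|scan|barra|cuda|filter|hole|fire|wall|fallback|bounce|junk|arrest|queue)/  WARN bounce from filter-like host
```

Run `postfix check` and `postfix reload` after the change, then search the mail log for the WARN text to see which hosts the pattern would have rejected.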