procmail

Re: Dealing with current backscatter spam

2008-10-17 15:39:06

On 15 Oct 2008, at 14:06, Michelle Konzack wrote:

Am 2008-10-14 10:47:11, schrieb Scott Edwards:

You use gsm/dialup to download mail from a server connected to the internet with a better connection?  Is procmail the only solution you're using?

Not any more since today...

The only advantage is that my web host is on the same server as the Cyrus IMAP, which means I can catch 1000 messages with a Perl script by downloading them into my webspace, tarring them up and downloading them with SCP.

Otherwise I would no longer be able to download the mail folders...

2200 legitimate messages against 38.000 spams.

This afternoon I have again gotten over 30.000 unique backscatters.

You're threatening to DoS? It's apparent you're frustrated, and that's understandable, but it doesn't justify retaliation.

HOW do you want to stop such things?

While I am writing this here, I am preparing my "commercial" servers to stop the DoS'ing servers... I have 16 STM4 and 4 STM16 and many E2/3, which should be enough...

Today, my GSM provider has deactivated my GSM card... No internet access anymore...  I have to pay an invoice of over 3000 Euro.

this email address you're receiving so much backscatter to? tbh, your approach is very unprofessional.

The MAILER-DAEMON messages always attach the original message after the MTA report, and there are spammers using my e-mail address to bomb over 2000 ISPs...  I get around 30-100 messages back from each targeted host.

In 90% of all cases the spammers are targeting Russian domains, where those crappy MTAs sit which cannot detect the forged From:.

My backscatter spam count is now around 98.000 ~ 1.5 GByte of traffic since Friday 2008-10-10.

Today I have gotten the hammer from rr.com/earthlink.net with over 800 backscatters.  If you find such things funny, please let me know.



Let me be _very_ clear about something: bouncing back spam/backscatter you receive is _not_ an acceptable solution. Let me tell you why: First, sending back the backscatter is basically just making a problem for another innocent person without solving your own. There is no way you will send the backscatter back to the spammer. Second, sending backscatter back is not going to motivate them to fix their problem; they are more likely to just block you. If you are sending it to big providers (and earthlink.net and rr.com most likely qualify), they will just block _you_ across all their servers. Third, sending back backscatter is eventually going to get _you_ put on spammer lists (i.e. dnsbls/rbls), and then you will be blocked from even more providers, and it is almost impossible to get off. Fourth, sending back backscatter is going to cost you more bandwidth, and if option [1] was your problem, you're exacerbating it. Fifth, again, I want to reiterate: if you're sending back the backscatter, you're basically backscattering yourself, just intentionally. This makes you a part of the problem, not the solution.

So, now that we've made that clear, let's talk solutions.

My first question to you is: what exactly is your problem? I see two possibilities: [1] Is it that backscatter is DoSing your servers (consuming too much bandwidth)? [2] Or is it that you simply can't sort all the mail you're getting and you're spending so long deleting the backscatter that you can't actually make use of your email?

If the problem is option [1], you _must_ implement the solutions I offer below at the gateway/MX server. Now, I don't know your setup, but it sounds like you have a provider accepting mail on your behalf, which you're then downloading via some device using your GSM card. If this is correct, you have to stop the mail from ever hitting your GSM card, or else you will consume bandwidth.

If the problem is option [2], then it would be _preferable_ to implement these solutions at the gateway/MX server; but you _may_ silently discard the mails once they hit the final destination.

However, what you're actually going to do is basically the same in both cases (and this goes towards what PSE and Charles made some inroads towards explaining). You want to take the backscatter that's bouncing in your direction, and look at it for evidence that you are not the original sender, and then you want to discard it.

Postfix has a pretty good Howto pointing out the different sorts of traits you want to look for, as have PSE and Charles. This question is addressed basically every day on the Postfix mailing list. You can find the Postfix Backscatter Howto here:
http://www.postfix.org/BACKSCATTER_README.html

Now, I understand you really want to fix this problem as soon as possible; but in order to do it, and do it well, the truth of the matter is that it's not going to be a super quick fix. There is no single option in the configuration files to turn on. You need to understand what the document is explaining, and then use that to build your own solution after looking at your own server. You can't simply copy and paste parts of the document.

Now, one additional thing you _can optionally_ do, is use dnsbls to reject/discard mail coming from servers which have badly configured MTAs or are not following RFCs. For example, http://www.rfc-ignorant.org/ will help you with the latter.

Now, the difference in handling problem [1] and problem [2]: problem [1] necessitates that you fix this upstream; before the mail ever hits your GSM card. This means that you may have to ask your provider to do it. If your only problem is problem [2], you can discard the mail after it hits your server, either in your MTA or in SpamAssassin or in Procmail. Also note: you can only _reject_ mail from the gateway/MX mail servers, not from any server downstream (or else you will now be producing backscatter yourself against others). If you're filtering the mail downstream, your only option is to discard it, not reject it.

I understand how frustrating backscatter can be, all the more so because it's coming from people you can't always blacklist. Nonetheless, as the guys here and the doc writers on Postfix have shown, it _is_ possible to eliminate, or at least reduce, backscatter without wholesale blocking of all mail from certain netblocks.

I hope you find this helpful and I hope you find respite from your backscatter plague soon.

Cheers,
Neil.
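Added example, not code from this thread: a small Python check, in the spirit of the Postfix Backscatter Howto, for the downstream discard case Neil describes. A bounce is treated as backscatter unless the original it quotes carries a Message-ID from our own domain or a Received: line written by our own MX. The domain, the MX host name and the sample bounce are assumptions constructed for the example.

```python
import email
import re
from email import policy

# Assumed for this example: the domain in Message-IDs our site generates and
# the host name that appears in "by ..." Received: lines of mail we really sent.
OUR_DOMAINS = ("example.net",)
OUR_MX = ("mx.example.net",)

def is_bounce(msg):
    # Null envelope sender, an RFC 3464 report, or a MAILER-DAEMON sender.
    return (str(msg.get("Return-Path", "")).strip() == "<>"
            or msg.get_content_type() == "multipart/report"
            or str(msg.get("From", "")).lower().startswith("mailer-daemon"))

def quoted_original(msg):
    # The copy of the bounced message that a DSN attaches as message/rfc822.
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def we_sent(original):
    # Evidence that our own infrastructure originated the quoted message.
    mid = str(original.get("Message-ID", "")).strip().lower()
    if any(mid.endswith("@%s>" % d) for d in OUR_DOMAINS):
        return True
    return any(re.search(r"\bby\s+%s\b" % re.escape(h), str(r))
               for r in original.get_all("Received", []) for h in OUR_MX)

def is_backscatter(raw):
    # True for a bounce that carries no evidence we sent the bounced message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return False
    original = quoted_original(msg)
    # No copy of the original at all: nothing proves we sent it, so it is
    # treated as backscatter (rare bounces without the original are lost too).
    return original is None or not we_sent(original)

# Constructed sample: a DSN from a foreign MTA quoting spam that forged our From:.
FORGED_BOUNCE = (b"Return-Path: <>\nContent-Type: multipart/report; boundary=B1\n\n"
                 b"--B1\nContent-Type: message/rfc822\n\n"
                 b"Received: from pc.example.org by mail.example.ru with SMTP\n"
                 b"Message-ID: <1@pc.example.org>\nFrom: michelle@example.net\n\n"
                 b"buy now\n--B1--\n")

if __name__ == "__main__":
    print("backscatter" if is_backscatter(FORGED_BOUNCE) else "genuine bounce")
```

Run this from procmail or a delivery script on the final host only; as Neil notes, a downstream filter may discard but must never reject, or it becomes a backscatter source itself.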
____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail