At 08:06 PM 12/30/2004 -0500, Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
wrote:
Here is an idea that doesn't involve SPF, but might be helpful. This is
assuming that the mail is forged blowback and trying to come to your
postmaster address.
1. All usernames except "postmaster" get "user unknown".
2. "postmaster" accepts mail, but not bounces. (You may have to tweak the
rule sets to reject mail from <> to postmaster). This is legitimate since
postmaster sends no mail out, so should not be receiving bounces.
If you do get any mail to postmaster@ and it isn't a bounce, scold the
owner of the sending mail server. They should not notify postmaster by
machine, ever. Postmaster should only be used by real people when
something is wrong, not for ordinary can't-send or has-virus warnings.
Now. It's possible to do something similar to this with SPF, but that's
only useful if the mail coming TO you is also FROM you. If the mail is
from various mailservers, chances are that it's either addressed to you
but from someone else, or addressed to someone else and supposedly from
you, bouncing back to you; SPF doesn't help much.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
************* REPLY SEPARATOR *************
Sorry for the lateness in the response, but I have been away for a few days.
Yes, I would classify the traffic as "forged blowback", and it roughly
accounts for more than 3/4 of our total incoming traffic. The MAIL FROM: is
<>, and the RCPT TO: is random userIDs @ our FQDN. If I configure Sendmail
to not accept the FQDN, Sendmail generates a "loops back to me" error in a
message addressed to the double-bounce default of <postmaster>. I tried to
configure Sendmail to forward mail addressed to the FQDN to a different
local account, but the bounces still get rejected with "USER UNKNOWN".
Because they are legitimate servers, I can't filter them out. The real
sources look like hijacked machines on high speed DSL or cable networks. I
have the SPF record for the FQDN set up to only accept mail from our
server, but of course none of these mail systems bouncing the forged mail
check for SPF records. I am afraid I don't know how (or if it is even
possible) to configure Sendmail to stop the flow of bounce messages to
essentially a non-existent domain, when it is the FQDN of the server.
J.A. Coutts
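The envelope rules Greg proposes (everything but postmaster gets "user unknown"; postmaster accepts mail but not bounces from <>) and the backscatter pattern J.A. Coutts describes (MAIL FROM <>, RCPT TO random users at the server's FQDN) can be modelled as a small RCPT-time policy. The following is an added example, not code from either poster and not a Sendmail ruleset; it simulates the decision in Python so the two rules can be checked against constructed envelopes. The domain `mx.example.net`, the function names and the sample envelopes are all assumptions made here; the "Relaying denied" branch for non-local recipients is also an assumption beyond the thread. Rejecting at RCPT TO (before DATA) matters from the operator's side: the message is never accepted, so this host never has to generate a bounce of its own.

```python
"""Added example (not from the thread): a small SMTP envelope policy that
models the two rules proposed for a host that only ever sends mail and
should receive nothing except human mail to postmaster."""

# Assumption: the server's own FQDN. Constructed placeholder, not a real host.
LOCAL_DOMAIN = "mx.example.net"


def parse_address(addr: str) -> tuple[str, str]:
    """Return (localpart, domain) from an envelope address such as
    '<user@host>', 'user@host' or '<>'. The null sender yields ('', '')."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return "", ""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def envelope_policy(mail_from: str, rcpt_to: str) -> tuple[int, str]:
    """Decide the reply to RCPT TO given the earlier MAIL FROM.

    Rule 1: any local recipient other than postmaster is unknown.
    Rule 2: postmaster accepts mail, but never a bounce (null sender),
            because postmaster on this host sends no mail and so can
            have no legitimate bounces coming back.
    """
    sender_local, sender_domain = parse_address(mail_from)
    rcpt_local, rcpt_domain = parse_address(rcpt_to)

    # Assumption beyond the thread: this host relays for nobody.
    if rcpt_domain != LOCAL_DOMAIN:
        return 550, "5.7.1 Relaying denied"

    if rcpt_local != "postmaster":
        return 550, "5.1.1 User unknown"

    if sender_local == "" and sender_domain == "":
        return 550, "5.7.1 postmaster sends no mail and accepts no bounces"

    return 250, "2.1.5 Recipient ok"


# Constructed sample envelopes, not real traffic: two forged-blowback
# attempts (null sender) and one human report from another operator.
SAMPLE_ENVELOPES = [
    ("<>", "<xk29qpl@mx.example.net>"),
    ("<>", "<postmaster@mx.example.net>"),
    ("<ops@peer.example>", "<Postmaster@MX.EXAMPLE.NET>"),
]


def tally(envelopes) -> dict:
    """Run the policy over a list of (MAIL FROM, RCPT TO) pairs and count
    how each was handled; useful for sanity-checking the rules against a
    sample before putting them in front of live traffic."""
    counts = {"accepted": 0, "user_unknown": 0,
              "bounce_to_postmaster": 0, "other_reject": 0}
    for mail_from, rcpt_to in envelopes:
        code, text = envelope_policy(mail_from, rcpt_to)
        if code == 250:
            counts["accepted"] += 1
        elif text.startswith("5.1.1"):
            counts["user_unknown"] += 1
        elif "bounce" in text:
            counts["bounce_to_postmaster"] += 1
        else:
            counts["other_reject"] += 1
    return counts


if __name__ == "__main__":
    for mail_from, rcpt_to in SAMPLE_ENVELOPES:
        code, text = envelope_policy(mail_from, rcpt_to)
        print(f"MAIL FROM:{mail_from} RCPT TO:{rcpt_to} -> {code} {text}")
    print(tally(SAMPLE_ENVELOPES))
```

Matching on the local part case-insensitively and accepting the bare `user@host` form as well as `<user@host>` keeps the check from being bypassed by trivial variations in how the envelope is written; the one address that is still accepted is a non-null sender writing to postmaster, which is exactly the "real people when something is wrong" case.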