Joe Jobbed, etc.

Kevin Miller Kevin_Miller at CI.JUNEAU.AK.US
Wed Dec 21 23:16:54 GMT 2005


Michele Neylon:: Blacknight.ie wrote:
> Pete Russell wrote:
>> Won't milter-ahead deal with this by blocking those emails during
>> handshaking for being incorrectly addressed? Only accept mail for
>> delivery that is accurately addressed?
>> 
> 
> That's what we do and it works very well.
> The bigger issue is when the return path is forged but is to a valid
> user ...

Been sidetracked with other brushfires lately, but I'm still seeing a
lot of mail coming in for userXXXX at ci.juneau.ak.us where XXXX is a
random string of four characters (alpha).  I haven't implemented
milter-ahead yet - it looks like they're now charging for it and I'd
like to test it out on a non-production server before I shell out the $.  I
downloaded an earlier version a couple weeks ago but he's since updated
libsnert (which isn't downloadable) and isn't backwards compatible
apparently.  Long story short, milter-ahead looks like a science project
for another day.

I'm not sure if I'm the victim of a joe job, or reverse NDR, but in
thinking about it, milter-ahead won't solve the greater problem anyway.
Right now, my Exchange box is replying to the NDRs.  Milter-ahead would
just cause my MS gateway to do that instead.  I think the better thing
to do is to accept the mail and deep six it.  What I'd like to do is put
an entry in spam.blacklist.rules and send it to the spam bucket.  Right
now, low scoring spam is sent to a phony user
(Alphonse_Spamdog at mydomain) on one of my gateways, and a MailWatch
quarantine on the others.  So, if I put a line like this:

To:	my_user[some regular expression here]@ci.juneau.ak.us
yes

in there, then any phony bounces or reverse NDR attack messages would
land harmlessly in the dustbin, so to speak.  I wouldn't be resending
them and they wouldn't clutter up my postmaster inbox.

Anybody see any problems with that, and what would the regex be?  Mail
to My_User at mydomain needs to get through as normal, it's just mail to
My_UserXXXX at mydomain that I want to tag as spam.  (Unless of course, the
mail for the real address is spam.)  I've tried to figure out the regex
expression myself, but I haven't played with them before, and can't be
dumping legitimate email along w/the bad.  So how do I filter on a
specific user with four random letters?  Would
my_user[a-z][a-z][a-z][a-z]@mydomain do the trick but not hit
my_user at mydomain?

Thanks much.

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
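
The pattern proposed in the post, checked against constructed recipient addresses (an added example, not part of the original message or of MailScanner). It uses Python's `re` as a stand-in for the ruleset's regex engine; `my_user` is the post's own placeholder, and the anchored, case-insensitive variant is this example's assumption about what a tighter rule would look like.

```python
import re

# Pattern as written in the post, with the list domain filled in.
PROPOSED = re.compile(r"my_user[a-z][a-z][a-z][a-z]@ci.juneau.ak.us")

# Tighter variant (assumption of this example, not from the post):
# anchored at both ends, dots escaped, case-insensitive.
HARDENED = re.compile(r"^my_user[a-z]{4}@ci\.juneau\.ak\.us$", re.IGNORECASE)

# Constructed sample recipients: (address, should the rule tag it as spam?)
SAMPLES = [
    ("my_user@ci.juneau.ak.us", False),            # the real mailbox
    ("My_User@ci.juneau.ak.us", False),            # real mailbox, mixed case
    ("my_userqzxw@ci.juneau.ak.us", True),         # four random letters
    ("My_UserQZXW@CI.JUNEAU.AK.US", True),         # same, upper/mixed case
    ("my_userabc@ci.juneau.ak.us", False),         # three letters only
    ("my_userabcde@ci.juneau.ak.us", False),       # five letters
    ("tommy_userabcd@ci.juneau.ak.us", False),     # other user ending in my_user
    ("my_userabcd@ci.juneau.ak.us.example", False),  # other domain
]


def tagged(pattern, address):
    """True if the rule would fire on this recipient address."""
    return pattern.search(address) is not None


def misclassified(pattern):
    """Sample addresses where the rule's verdict differs from the wanted one."""
    return [addr for addr, want in SAMPLES if tagged(pattern, addr) != want]


if __name__ == "__main__":
    for name, pat in (("proposed", PROPOSED), ("hardened", HARDENED)):
        print(name, "misclassifies:", misclassified(pat) or "nothing")
```

Neither pattern fires on the bare `my_user` address, because four letters must sit between `my_user` and the `@`. The differences show up only with mixed case and with text before or after the address.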
