Handling spam in DSNs from other sites?
Steve Freegard
smf at f2s.com
Wed Jun 7 08:33:34 IST 2006
Hi Trever,
Furnish, Trever G wrote:
>
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of Glenn Steen
>> Sent: Tuesday, June 06, 2006 6:02 PM
>> To: MailScanner discussion
>> Subject: Re: Handling spam in DSNs from other sites?
>>
>> On 06/06/06, Furnish, Trever G <TGFurnish at herffjones.com> wrote:
>>> I have a feeling I'm missing an obvious answer, but what
>> does everyone
>>> suggest for handling DSNs from other sites (not mine) that include
>>> spam in the message?
>
>> Glenn Steen wrote:
>> I'm sure others have other views, but ... why treat them any
>> different than any other mail? scan them, tag them, drop them....:-).
>> If they are legitimate, they will pass MS/SA/AVs anyway.
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>
> Thanks. However, in many cases these are actually getting through.
> Since the ip address of the sending server isn't the spammer and isn't
> in the RBLs those checks aren't as helpful as they would've been for the
> original message.
>
> I tend to think these aren't being sent by a spammer who's identified a
> particular server with the specific intention of using the DSN for
> delivery, but rather just by a worm that's using my domain addresses as
> the faked sender address. If a specific server had been targeted, it'd
> probably end up in a DNSBL. SPF would help with the original message,
> but of course it does nothing to help with the bounce.
I've been experimenting with some stuff to address this. The problem
being that the DSN is being sent to you for a message that never
originated at your site.
After some investigation I found out that someone else had come up with
a clever solution to this: using SRS (part of SPF) to re-write all the
envelopes of messages sent from out from your domains (and re-writing
all inbound returns) with SRS (which contains a hashed-secret which
would be impossible for the spammer to guess). Then you use a milter
that rejects any DSNs that are not SRS signed or that are SRS signed and
do not have a valid signature.
Here's my results so far - this shows all MTA level rejections on my
test box:
date | greet_p | rbl | relay | uribl | 8bit | dsn_no_srs
------------+---------+-------+-------+-------+------+------------
2006-06-07 | 135 | 2168 | 263 | 467 | 101 | 82
2006-06-06 | 1389 | 25462 | 1061 | 4456 | 2214 | 1001
2006-06-05 | 1728 | 23948 | 93 | 5111 | 1591 | 1129
There are several down-sides, SRS is 'frowned' upon by some as it has
the potential to break the RFCs that state that the local-part field
size should be 64 bytes although it does state that an implementation
can pick a larger value (also VERP has been doing this for years without
issue). The other down-side is that to implement this I had to
re-compile Sendmail with -DSOCKETMAP and hack the .cf file as the
provided m4 HACK provided didn't work for me (it put the changes in the
wrong place). I've also never tried this on a production system.
See http://srs-socketmap.info/sendmailsrs.htm for the gory details...
Exim users have it slightly better than the Sendmail crowd - see
http://srs.mirtol.com/exim.php for details.
Before anyone asks -- I couldn't find an implementation for Postfix.
Cheers,
Steve.
More information about the MailScanner
mailing list