OT: SORBS a PITA on spam backscatter ...

Matt Kettler mkettler at evi-inc.com
Wed Jun 13 20:06:11 IST 2007


Garry Glendown wrote:
> Sorry, this is most likely somewhat off topic, but maybe I could get
> some suggestions ...
> 
> One of our customers was hit by a presumably larger amount of spam
> mails, addressed to mail addresses collected somehow, but with errors in
> the addresses (first part of the mail address duplicated, like
> "johnjohn at do.main" instead of "john at do.main"). They are operating a
> multi-level mail service, with MS on our side, delivering to an SMTP
> proxy, then over through a virus scanner, and finally to the actual mail
> server (M$ Exchange). Mails are accepted, even by the Exchange server,
> which in turn generates a non-delivery receipt for wrong addresses.
> 
> For outgoing mail, our central mail server is the smarthost. Which in
> turn got listed on SORBS for delivering spam backscatter ... great. As
> far as I see it, delivering the mails, which in themselves are generated
> in compliance with RFCs, is fully legitimate.
> 
> What should we do? We get complaints due to the fact that certain mails
> sent from other customers are being blocked on recipient mailservers due
> to our server being SORBS-listed ...
> 
> I personally do not see any way of identifying whether such a receipt
> (if I'm able to even decide that it is a non-delivery receipt) is for
> legitimate mails that couldn't be delivered, or for spam.
> 
> Any suggestions?

Don't concern yourself with determining if the message is spam or nonspam,
concern yourself with validating the recipient of inbound email at delivery time
on the outside server.

There are lots of tools to handle this, milter-ahead, etc.

While post-delivery bounces may be 100% RFC compliant, they're a
denial-of-service problem waiting to happen.

A 100% RFC compliant network will also accept pings (icmp echo request) sent to
its broadcast, and generate one reply per host in the whole network. However,
that's also what was called a "smurf amplifier" in the mid-'90s, and it will generally
get you disconnected by your ISP for acting as a passive facilitator of DoS attacks.

Post-delivery bounces are the "smurf attack" of today. Yet another way for a
malicious user to use your network to attack others.


> tnx, -garry
> 
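To make the reply's point concrete, here is an added example (not code from the post or from MailScanner) that models the two policies side by side: an edge MTA that verifies each RCPT TO address against the recipient directory and answers 5xx in-session, versus one that accepts everything and lets the final hop (Exchange) bounce later. The recipient directory and the inbound batch are constructed for the example; the doubled local parts mirror the "johnjohn" addresses Garry describes.

```python
from dataclasses import dataclass, field

# Constructed directory of valid recipients at the customer's domain.
VALID_RECIPIENTS = {"john@do.main", "jane@do.main", "sales@do.main"}

@dataclass
class Outcome:
    accepted: list = field(default_factory=list)
    rejected_at_rcpt: list = field(default_factory=list)  # 5xx given in-session
    dsns_sent_to: list = field(default_factory=list)      # bounces emitted later

def rcpt_response(recipient: str, verify: bool) -> str:
    """SMTP reply for one RCPT TO command. With verify=True the edge server
    consults the recipient directory before taking responsibility for the mail."""
    addr = recipient.strip().lower()
    if verify and addr not in VALID_RECIPIENTS:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"

def process_batch(messages, verify_at_rcpt: bool) -> Outcome:
    """messages: list of (envelope_sender, recipient) pairs. Returns what happened."""
    out = Outcome()
    for sender, rcpt in messages:
        reply = rcpt_response(rcpt, verify_at_rcpt)
        if reply.startswith("5"):
            out.rejected_at_rcpt.append(rcpt)  # the sending MTA owns the failure
            continue
        out.accepted.append(rcpt)
        if rcpt.strip().lower() not in VALID_RECIPIENTS:
            # Final hop cannot deliver, so a DSN goes to the (often forged) sender.
            out.dsns_sent_to.append(sender)
    return out

# Constructed inbound batch: forged envelope sender, doubled local parts.
INBOUND = [
    ("victim@example.org", "johnjohn@do.main"),
    ("victim@example.org", "janejane@do.main"),
    ("partner@example.net", "john@do.main"),
    ("victim@example.org", "salessales@do.main"),
]

if __name__ == "__main__":
    for verify in (False, True):
        o = process_batch(INBOUND, verify)
        print(f"verify={verify}: accepted={len(o.accepted)} "
              f"rejected_at_rcpt={len(o.rejected_at_rcpt)} backscatter={len(o.dsns_sent_to)}")
```

With verification off, every bad address becomes a DSN aimed at the forged sender; with it on, the same batch produces three in-session rejections and no outbound bounce at all.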


