backscatter by DSN: Service unavailable

Joachim Holzfuss hofu12 at physik.tu-darmstadt.de
Wed Jan 30 13:27:07 GMT 2008


Thanks for your input!

Ronny T. Lampert wrote:
>>> our primary mailserver tags the spam and relays mail to other
>>> mailservers.
>>> Those sometimes have a different view of accepting messages
>>> and frequently reject spam mail
>>> (different view of DNS, different RFC enforcement). The primary server
>>> backscatters the tagged spam to falsified sender addresses.
>>
>>
>> Do you already do recipient verification (call ahead type of thing)?
>> Might solve a few of your problems:-).
> 
> Actually, when thinking more about the problem -- your problem is kinda
> hard. SMTP is a store and forward system, and once anybody in your whole
> routing domain has accepted a mail, he's stuck with it.
> 
> The cleanest solution would be to talk with those subdomain admins and
> try to improve your frontend up to a level they will gladly accept.
So many people, so many systems, changing every month...
> 
> The quickest solution is to try and reduce the bounces by doing some
> kind of milter-ahead solution; this will maybe reduce the backscatter by
> around 50% (rule of experience) but cannot completely eliminate it.
> Are you familiar with that kind of setup? If not, tell us what SMTPd
> you're using and we can point you into a direction.
I thought milter-ahead will reduce backscatter from DSNs sent because of
non-existent (wrong) rcpt to: addresses (am I wrong here?).
Those are not the problem at the moment.
I get spammy non-conforming mail_from domains (valid A record, invalid MX) that
my sendmail 8.13.8 relays but other Postfixes may not. Also, DNS name resolution
might differ between different servers.
> 
> 
> You also can reduce the time mail is kept in your queues in case a
> server goes down, that will expire those backscatter more quickly.
Wait, wait, that's another backscatter source: if one (sub) server goes down for 4 hours,
all the invalid senders of queued spam messages get notified (I got this horrible scenario once).
> 
> 
> As for the watermarking - MailScanner can do that and you can have a
> "shared secret" so you can trust those watermarks.
> ATM I'm quite unsure how to use that in your setting, though, as those
> watermarks would have to contain some kind of commands, like
> "backscatter mail, delete it" or so.
I wish it would be possible in MailScanner to have
if (from (subserver = TRUE) AND (watermark OK) and (SPAM = TRUE)) delete (I saw it, others don't want it)
if (from (subserver = TRUE) AND (SPAM = TRUE)) bounce back to sender at subserver, (rewrite your email)

All in all I would like to stick with mailserver and no milters, but ....
I just can't catch those DSN replies; they are sent without getting processed by MailScanner.

Joachim

> 
> 
> Cheers,
> Ronny
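
The two-rule policy wished for in the message above, combined with a shared-secret watermark, sketched as an added example; it is not code from the thread and not MailScanner's own watermark implementation. The HMAC-over-Message-ID format, the key, the 7-day lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # assumption: one key shared by the primary server
MAX_AGE = 7 * 24 * 3600                # assumption: a watermark is trusted for 7 days

def make_watermark(message_id, now, secret=SECRET):
    """Return 'timestamp:hexmac', binding the Message-ID to the time of tagging."""
    mac = hmac.new(secret, f"{now}:{message_id}".encode(), hashlib.sha256)
    return f"{now}:{mac.hexdigest()}"

def watermark_ok(message_id, watermark, now, secret=SECRET):
    """True only if the watermark is well-formed, unexpired and matches the Message-ID."""
    try:
        ts_text, mac_hex = watermark.split(":", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False  # header missing or malformed
    if not 0 <= now - ts <= MAX_AGE:
        return False  # expired, or timestamp lies in the future
    expected = make_watermark(message_id, ts, secret).split(":", 1)[1]
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    return hmac.compare_digest(expected.encode(), mac_hex.encode())

def decide(from_subserver, is_spam, message_id, watermark, now):
    """Apply the two rules from the post to a message rejected downstream."""
    if not (from_subserver and is_spam):
        return "deliver"
    if watermark_ok(message_id, watermark, now):
        return "delete"  # the primary already tagged it: no DSN to the forged sender
    return "return-to-subserver"  # spam, but not proven to have passed the primary
```

Binding the MAC to both the Message-ID and a timestamp means a watermark copied from one relayed message cannot be reused to have a different or much later message silently deleted.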


