backscatter by DSN: Service unavailable

Glenn Steen glenn.steen at gmail.com
Wed Jan 30 22:46:16 GMT 2008


On 30/01/2008, Joachim Holzfuss <hofu12 at physik.tu-darmstadt.de> wrote:
> Thanks for your input!
>
> Ronny T. Lampert wrote:
> >>> our primary mailserver tags the spam and relays mail to other
> >>> mailservers.
> >>> Those sometimes have a different view of accepting messages
> >>> and frequently reject spam mail
> >>> (different view of DNS, different RFC enforcement). The primary server
> >>> backscatters the tagged spam to falsified sender addresses.
> >>
> >>
> >> Do you already do recipient verification (call ahead type of thing)?
> >> Might solve a few of your problems:-).
> >
> > Actually, when thinking more about the problem -- your problem is kinda
> > hard. SMTP is a store and forward system, and once anybody in your whole
> > routing domain has accepted a mail, he's stuck with it.
> >
> > The cleanest solution would be to talk with those subdomain admins and
> > try to improve your frontend up to a level they will gladly accept.
> So many people, so many systems, changing every month...
> >
> > The quickest solution is to try and reduce the bounces by doing some
> > kind of milter-ahead solution; this will maybe reduce the backscatter by
> > around 50% (rule of experience) but cannot completely eliminate it.
> > Are you familiar with that kind of setup? If not, tell us what SMTPd
> > you're using and we can point you into a direction.
> I thought milter ahead will reduce backscatter from DSN send because of
> not existing wrong rcpt to: messages (Am I wrong here?).
True enough.

> Those are not the problem at the moment.
> I get spammy non-conformant mail_from domains (valid A record, invalid MX) that
> my sendmail 8.13.8 relays but other postfixes may not. Also DNS name resolution
> might differ between different servers.
Right, so then you need to synchronize your views... Are these separate
organizations or are they under the same policy?

> >
> > You also can reduce the time mail is kept in your queues in case a
> > server goes down, that will expire those backscatter more quickly.
> wait wait, that's another backscatter source, if one (sub) server goes down for 4 hours,
> all the invalid senders of queued spam messages get notified (I got this horrible scenario once)
> >
> >
> > As for the watermarking - MailScanner can do that and you can have a
> > "shared secret" so you can trust those watermarks.
> > ATM I'm quite unsure how to use that in your setting, though, as those
> > watermarks would have to contain some kind of commands, like
> > "backscatter mail, delete it" or so.
> I wish it would be possible in mailscanner to have
> if (from (subserver = TRUE) AND (watermark OK) and (SPAM = TRUE)) delete (I saw it, others don't want it)
> if (from (subserver = TRUE) AND (SPAM = TRUE)) bounce back to sender at subserver, (rewrite your email)
IIRC Jules has at times viewed that as "being part of the problem" ...
at least potentially:-).

> All in all I would like to stick with mailserver and no milters, but ....
> I just can't catch those DSN replies, they are sent without getting processed by mailscanner.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
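
The handling rule Joachim sketches in the quoted text above (delete a spam DSN from a subserver when its watermark verifies, otherwise hand it back to the subserver), as an added Python example that is not part of the thread and is not MailScanner's own watermark code. The HMAC watermark format, the secret, the lifetime, the "pass" default and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"  # assumption: known to primary and subservers
MAX_AGE = 7 * 24 * 3600                     # assumption: watermark lifetime in seconds


def make_watermark(msg_id, issued, secret=SHARED_SECRET):
    """Stamp an outgoing (relayed) message: '<issue time>:<HMAC over time and message id>'."""
    mac = hmac.new(secret, f"{issued}:{msg_id}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def watermark_ok(value, msg_id, now, secret=SHARED_SECRET):
    """True only if the watermark was made with our secret for this message and is fresh."""
    try:
        issued_s, mac = value.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):    # missing or malformed header
        return False
    expected = make_watermark(msg_id, issued, secret).split(":", 1)[1]
    # Constant-time comparison so the check does not leak how many characters matched.
    same = hmac.compare_digest(mac.encode(), expected.encode())
    return same and 0 <= now - issued <= MAX_AGE


def dsn_action(from_subserver, is_spam, watermark, orig_msg_id, now):
    """Decide what the primary does with a DSN that a subserver generated."""
    if from_subserver and is_spam:
        if watermark_ok(watermark, orig_msg_id, now):
            return "delete"               # we tagged and relayed it ourselves
        return "return-to-subserver"      # spam we cannot prove we relayed
    return "pass"                         # assumption: everything else is handled normally
```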

