OT: Question

Ken A ka at pacific.net
Thu Apr 2 21:41:51 IST 2009


Rick Cooper wrote:
> Just a query regarding bounces: How many of you actually bounce mail
> anymore? I ask this question because I noted a huge number of rejects on one
> of my servers that appear to be valid bounce attempts to an address of
> info at mydomain.com for the last week or so. I have an ACL that looks at the
> local part of recipients and if that local part is being used it denies the
> message (even null sender) with a message stating there is no such user and
> it's an address currently being joe-jobbed. I see the same IPs repeatedly
> attempting a bounce for days.

I've got one: eqnjahdhx at domain.tld. We host the domain, but of course
they don't send the spam. They aren't even aware of it. We are the 
joe-jobbed victim. We don't accept the bounces, but they are
annoying, and it's been going on for well over a year. I tightened up 
the SPF record, but I don't think that helped much. People who accept, 
then bounce mail will eventually learn, or be buried, I think. The 550 
error on this one now says "Please dont bounce forged spam". That hasn't 
helped either. It just takes time.

Ken


> 
> I decided to do a search for the address in question and found several
> honeypots listing dictionary attacks by several IPs and when I look at the info I
> see things like sender : Anna <info at mydomain.com>, and of course a bunch of
> other addresses that are, I am sure, fake as well.
> 
> Since this has gotten to the point of thousands of attempted bounces a day I
> added a call to ExiBlock today that will add the addresses to the firewall
> for 2 days, but I started thinking who actually bounces mail, or for that
> matter accepts mail for users that are not their own?
> 
> What really pisses me off is the fact that we sign all our mail and we have
> SPF records that hard fail any host not actually used for sending mail for
> our domains. So you hear people say they don't check SPF, it's useless and
> then I get hammered by backscatter for weeks because they didn't even
> bother to check the freaking SPF record.
> 
> Rick Cooper


-- 
Ken Anderson
Pacific Internet - http://www.pacific.net
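
Added example, not part of either poster's message: a Python sketch of the triage described in the thread, counting null-sender (bounce) attempts to a joe-jobbed address per source IP and returning the hosts that qualify for a two-day block. The log lines are constructed and only loosely modelled on Exim rejection lines; the function name, the threshold of 3 and the regex are assumptions to adapt to your own log format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Exim rejection log entries.
# IPs are from documentation ranges; adjust LINE_RE to your real log format.
SAMPLE_LOG = """\
2009-04-02 09:00:01 H=mx.example.net [192.0.2.10] F=<> rejected RCPT <info@mydomain.com>: no such user
2009-04-02 09:05:12 H=mx.example.net [192.0.2.10] F=<> rejected RCPT <info@mydomain.com>: no such user
2009-04-02 09:07:45 H=relay.example.org [198.51.100.7] F=<> rejected RCPT <info@mydomain.com>: no such user
2009-04-02 09:09:30 H=mx.example.net [192.0.2.10] F=<> rejected RCPT <info@mydomain.com>: no such user
2009-04-02 09:10:02 H=host.example.com [203.0.113.5] F=<bob@example.com> rejected RCPT <info@mydomain.com>: no such user
2009-04-02 09:11:00 H=mx.example.net [192.0.2.10] F=<> rejected RCPT <sales@mydomain.com>: no such user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)

def find_repeat_bouncers(log_text, joe_jobbed, threshold=3, block_days=2):
    """Return {ip: block_expiry} for hosts that made at least `threshold`
    null-sender (bounce) attempts to a joe-jobbed address."""
    joe_jobbed = {a.lower() for a in joe_jobbed}
    hits, last_seen = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A bounce (DSN) carries the null envelope sender "<>"; skip anything
        # with a real sender or aimed at an address that is not being forged.
        if m["sender"] != "" or m["rcpt"].lower() not in joe_jobbed:
            continue
        hits[m["ip"]] += 1
        last_seen[m["ip"]] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # Block expiry is counted from the most recent attempt by that host.
    return {ip: last_seen[ip] + timedelta(days=block_days)
            for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    blocks = find_repeat_bouncers(SAMPLE_LOG, {"info@mydomain.com"})
    for ip, expiry in blocks.items():
        print(f"{ip} blocked until {expiry}")
```
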


