OT: extraordinary amount of spam to one domain
steve.freegard at fsl.com
Wed Dec 23 10:05:35 GMT 2009
On 23/12/09 09:04, Jethro R Binks wrote:
> I know at least one
> of those is an ancient qmail instance which will happily accept anything
> offered to it and later bounce, and at least several others are (or maybe
> were) older Exchange instances which couldn't or wouldn't reject at SMTP
Patches and plug-ins have been available for Qmail for ages to deal with
this (I know this because I fixed this for a customer a while back -
it's relatively straightforward).
Exchange 5.5 and Exchange 2000 are the worst culprits; you have to do an
export and use manual maps for these or do online LDAP queries to them.
> So, for those, I don't have much choice but to accept the message, then
> let the internal server accept-then-bounce. I do what I can to mitigate
> the effects of this, but it will always be far from perfect, and I do not
> have the power to do very much about it, much as I would like to.
Accept-the-bounce is a slightly different problem to what I showed
originally; in my original mail - the remote server *was* rejecting
invalid recipients at RCPT TO: time and therefore causing the gateway to
generate the DSN.
Accept-the-bounce means the mailbox server generates the DSN and not the
gateway. The choice here for a gateway operator is not to allow hosts
such as these to relay their outbound mail (and thus the DSNs) via the
gateway and choose to deliver them directly to the internet.
This prevents the gateway from being listed as a backscatter or spam
source and affecting all the other domains handled by that gateway (e.g.
one domain 'peeing-in-the-pool' so to speak..) as the mailbox server IP
will be the one that will get blacklisted if attacked. It's also another
good reason to have separate machines handling inbound and outbound mail.
> However, there are probably several reasons why some gateways cannot do
> any of those things. Sad, but true.
Sure - but I usually find that once the gateway has been used as a spam
reflector these reasons magically disappear. That's both sad and true.
For those that charge for providing e-mail services; I recommend that a
premium is charged for handling domains that do not reject invalid
recipients or that use 'catch-all' accounts as they cause considerable
overheads when compared to other domains. That's usually another good
incentive to either get this fixed or a workaround put in place.
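
The cases discussed in this message, modelled as an added example (not code from the thread or from MailScanner): which host's IP ends up emitting the DSN when a domain is hit with invalid recipients. All domain names, mailbox names, and function names are constructed for illustration.

```python
from collections import Counter

# Constructed per-domain setup as seen from the gateway:
#   rcpt_map   exported list of valid mailboxes, or None if the gateway has none
#   backend    "rejects_at_rcpt" or "accept_then_bounce"
#   relays_out True if the mailbox server sends its outbound mail via the gateway
DOMAINS = {
    "mapped.example":  {"rcpt_map": {"alice", "bob"}, "backend": "rejects_at_rcpt", "relays_out": True},
    "nomap.example":   {"rcpt_map": None, "backend": "rejects_at_rcpt", "relays_out": True},
    "relayed.example": {"rcpt_map": None, "backend": "accept_then_bounce", "relays_out": True},
    "direct.example":  {"rcpt_map": None, "backend": "accept_then_bounce", "relays_out": False},
}
REAL_MAILBOXES = {"alice", "bob"}  # constructed: what every mailbox server hosts


def dsn_source(rcpt):
    """Return the host whose IP emits a DSN for this recipient, or None."""
    local, _, domain = rcpt.lower().partition("@")
    cfg = DOMAINS[domain]
    if cfg["rcpt_map"] is not None and local not in cfg["rcpt_map"]:
        return None  # gateway answers 550 at RCPT TO and never queues the mail
    if local in REAL_MAILBOXES:
        return None  # delivered normally, nothing to bounce
    if cfg["backend"] == "rejects_at_rcpt":
        return "gateway"  # gateway already accepted, so the gateway bounces
    # accept-then-bounce: the mailbox server writes the DSN; the IP the outside
    # world sees depends on whether that DSN is relayed through the gateway
    return "gateway" if cfg["relays_out"] else "mailbox_server"


def backscatter_by_host(recipients):
    """Count DSNs per emitting host for a run of RCPT TO addresses."""
    return Counter(src for src in map(dsn_source, recipients) if src)


if __name__ == "__main__":
    # Constructed dictionary-style run: three bogus and one real user per domain
    run = [f"{u}@{d}" for d in DOMAINS for u in ("aaron", "abby", "adam", "alice")]
    print(backscatter_by_host(run))
```

Only the domain with an exported recipient map produces no DSNs at all; the domain that sends its own bounces directly keeps them off the shared gateway IP.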