OT: extraordinary amount of spam to one domain

Jason Ede J.Ede at birchenallhowden.co.uk
Wed Dec 23 11:14:57 GMT 2009

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Freegard
> Sent: 23 December 2009 10:06
> To: MailScanner discussion
> Subject: Re: OT: extraordinary amount of spam to one domain
> On 23/12/09 09:04, Jethro R Binks wrote:
> > I know at least one of those is an ancient qmail instance which will happily accept anything offered to it and later bounce, and at least several others are (or maybe were) older Exchange instances which couldn't or wouldn't reject at time.
> Patches and plug-ins have been available for Qmail for ages to deal with this (I know this because I fixed this for a customer a while back - it's relatively straightforward).
> Exchange 5.5 and Exchange 2000 are the worst culprits; you have to do an export and use manual maps for these or do online LDAP queries to them.

I seem to remember that there is a script either on the wiki or in the list archive to do exactly that. Well worth investing in the time taken to get that working!

For Exchange 2003 and above you just need to tick a box to reject recipients not in the Active Directory, although you need to remember to turn recipient checks on, on the virtual SMTP server (look in IP address and advanced, IIRC) for it to work! Took me a while to work out why it wasn't working on the first one I enabled...

> > So, for those, I don't have much choice but to accept the message, then let the internal server accept-then-bounce.  I do what I can to mitigate the effects of this, but it will always be far from perfect, and I do not have the power to do very much about it, much as I would like to.
> Accept-the-bounce is a slightly different problem to what I showed originally; in my original mail - the remote server *was* rejecting invalid recipients at RCPT TO: time and therefore causing the gateway to generate the DSN.
> Accept-the-bounce means the mailbox server generates the DSN and not the gateway.  The choice here for a gateway operator is not to allow hosts such as these to relay their outbound mail (and thus the DSNs) via the gateway and choose to deliver them directly to the internet.
> This prevents the gateway from being listed as a backscatter or spam source and affecting all the other domains handled by that gateway (e.g. one domain 'peeing-in-the-pool' so to speak..) as the mailbox server IP will be the one that will get blacklisted if attacked. It's also another good reason to have separate machines handling inbound and outbound mail.
> > However, there are probably several reasons why some gateways cannot do any of those things.  Sad, but true.
> Sure - but I usually find that once the gateway has been used as a spam reflector these reasons magically disappear.  That's both sad and true.
> For those that charge for providing e-mail services; I recommend that a premium is charged for handling domains that do not reject invalid recipients or that use 'catch-all' accounts as they cause considerable overheads when compared to other domains.  That's usually another good incentive to either get this fixed or a workaround put in place.

I'd love it if we could charge extra for domains that had catch-alls, but all we can do is educate users into getting rid of their catch-alls... Generally it happens after someone tries a joe-job on them, and they wonder why their spam filtering isn't as good as it could be.

We've one person so far who insists on using a catch-all, and it's nothing but trouble as we keep getting NDRs and bouncebacks that they're trying to send back out through our MX... As this is an inbound-only mail server, I'm debating blocking receiving from them to alleviate it.
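The "export and use manual maps" approach Steve describes for old Exchange servers, worked through as an added example (this is not code from the thread, MailScanner or any poster). It assumes the recipient export has been dumped to CSV with a semicolon-separated proxyAddresses column (a constructed sample, not a real export) and that the gateway consumes a Postfix-style relay_recipient_maps file; the thread does not name the MTA, so that target is an assumption.

```python
import csv
import io
import re

# Constructed sample of an Exchange/AD recipient export. Only the 'SMTP:'
# (primary) and 'smtp:' (secondary) proxy addresses are deliverable
# recipients; X500/X400 entries are internal and must be skipped.
EXCHANGE_EXPORT = """\
displayName,proxyAddresses
Alice Smith,"SMTP:Alice.Smith@example.com;smtp:asmith@example.com;"
Bob Jones,"SMTP:bob@example.com;smtp:bob@example.net"
Helpdesk,"SMTP:helpdesk@example.com;X500:/o=Example/ou=First Administrative Group/cn=Recipients/cn=helpdesk"
"""

SMTP_PREFIX = re.compile(r"^smtp:(.+@.+)$", re.IGNORECASE)


def extract_recipients(export_csv: str, relay_domains: set[str]) -> set[str]:
    """Return every SMTP proxy address whose domain the gateway relays for,
    lower-cased so the MTA's exact-match lookup is case-insensitive."""
    found = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        for entry in row["proxyAddresses"].split(";"):
            m = SMTP_PREFIX.match(entry.strip())
            if not m:
                continue  # empty trailing field or non-SMTP address type
            addr = m.group(1).lower()
            if addr.rpartition("@")[2] in relay_domains:
                found.add(addr)
    return found


def relay_recipient_map(addresses: set[str]) -> str:
    """Render the map as 'address OK' lines (Postfix relay_recipient_maps
    source format, to be compiled with postmap; assumed target MTA)."""
    return "".join(f"{a} OK\n" for a in sorted(addresses))


def rcpt_decision(rcpt: str, known: set[str], verified_domains: set[str]) -> str:
    """What the gateway can do at RCPT TO time: hard-reject unknown users for
    domains it has a map for, but accept blind for domains without one (the
    accept-then-bounce servers in the thread, which then generate the DSN)."""
    rcpt = rcpt.lower()
    if rcpt.rpartition("@")[2] not in verified_domains:
        return "accept-unverified"
    return "accept" if rcpt in known else "reject"
```

Domains that come back as "accept-unverified" are the ones whose outbound DSNs should not be relayed back through the gateway, for the backscatter reason given above.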
