 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev-Msg | Prev-Thread | Postfix-users | May-2008 | Next-Thread | Next-Msg |
| Subject: | Re: Backscatting filter? |
| Group: | Postfix-users |
| From: | Robert Schetterer |
| Date: | 7 May 2008 |
> mouss schrieb:
>> Blake Hudson wrote:
>>> -------- Original Message --------
>>> Subject: Re: Backscatting filter?
>>> From: Noel Jones <njones>
>>> To: postfix-users
>>> Date: Wednesday, May 07, 2008 1:09:02 PM
>>>> Blake Hudson wrote:
>>>>>
>>>>>
>>>>> It seems a waste to subject all messages to these filters, is there
>>>>> a way to apply these regexp header_checks/body_checks only to
>>>>> messages from a null sender, as is the case with the second
>>>>> recommendation:
>>>>>
>>>>
>>>> header_checks and body_checks apply to all mail, there is no bypass
>>>> or selective application mechanism.
>>>> So they can't be applied to only messages from a null sender.
>>>>
>>>>
>>>
>>> Yeah, sounds like I would need sender based routing setup with a
>>> transport that applies to null senders only and is specifically
>>> configured with header/body checks on that one transport. The closest
>>> thing in a regular recipient routing setup would be the FILTER action
>>> mechanism which allows me to apply a content filter to messages based
>>> on sender address in an access table.
>>>
>>
>> but then you can't block. you can discard, quarantine or deliver. but
>> in this case, spamassassin is probably a better place to do your checks.
>>
>> if you want to block the messages, then use a proxy_filter or a milter.
>>>
>>> The backscatter we receive has the following commonalities: Comes
>>> from NULL sender, does not contain our server's IP, and does not
>>> contain the outbound content filter 'received' header information. If
>>> I were to block backscatter from forged sources I would ideally look
>>> at only mail from NULL senders, which in the body contains a
>>> 'received:' line, but does not contain our server's IP or the content
>>> filter addition.
>>>
>>> I do not believe I can accurately pass all mail through these types
>>> of regexp checks because we provide technical support for other
>>> companies and are often asked to debug or analyze bounce messages
>>> received from clients. These bounces do have the 'received:'
>>> information in the body, and typically do not contain information
>>> about our mail server since they do not pass through our network.
>>> These messages would come from actual users though, not a NULL sender.
>>>
>>> The postfix backscatter readme only talks about filtering based on
>>> the presence of invalid information (versus the lack of valid
>>> information). I could filter this way, but it seems that it would not
>>> be nearly as effective or efficient.
>>>
>>> If I were to use backscatterer.org or similar backscatter list I run
>>> the risk of not receiving legitimate bounces that stem from messages
>>> sent through my server. Sometimes I'm forced to send to people who
>>> use MessageLabs for their SPAM filter, and unfortunately MessageLabs
>>> is listed on backscatterer.org.
>>
>> use dnswl.org as a whitelist.
>>
>>>
>>>
>>> It would be great if there were some mechanism that would allow
>>> forwarding to a transport based on access table lookup.
>>
>> FILTER does. but the checks would then be done at the other side of
>> the transport, and not during the smtp transaction.
>>
>>> This would allow for some sender based exceptions within a regular
>>> recipient based routing setup.
>>>
>>> -Blake
>>>
>>
> Hi,
>
> i ve done it with a policy class but this is only a solution for
> one small maildomain ( the one which gets the most backscatter in my
> case , up to hundert per minute)
> and has not many addresses not a final solution for every case/setup
> but works in my case cause i dont get any backscatter
> from faked existing mail adresses
> after all for that case i have vbounce plugin in spamassassin
> which works nice,
> adding the allready described header/body check method too
> should reduce backscatter Problem to an aceptable limit without loosing
> legal bounces, but wasnt possible on this server cause its an
> backup mx in first case
>
>
> looks like this
>
> smtpd_sender_restrictions =
> ...
> ...
> ...
> hash:/etc/postfix/sender_backscatter_access,
> ...
>
>
> with /etc/postfix/sender_backscatter_access
>
>
> Symantec_Mail_Security_for_SMTP@ backscatter
> Gateway_SMTP@ backscatter
> Notify_nav_gateways@ backscatter
> <> backscatter
> postmaster@ backscatter
> MAILER-DAEMON@ backscatter
> devnull@ backscatter
> MDaemon@ backscatter
> imsspostmaster@ backscatter
> Administrator@ backscatter
> imss@ backscatter
> majordomo@ backscatter
> symantec_antivirus_for_smtp_gateways@ backscatter
> Mail_Security_for_SMTP@ backscatter
> FETCHMAIL-DAEMON@ backscatter
> NULL@ backscatter
>
>
> smtpd_restriction_classes = ...,
> backscatter,
> rbl_backscatter,
> ...
>
> backscatter = ...,
> ...,
> check_recipient_access hash:/etc/postfix/mydomain_recipient_access
>
> in
>
> /etc/postfix/mydomain_recipient_access
>
> user OK
> user2 OK
> ...
> ...
> neversendmail REJECT this address accepts no bounce
> mydomain.de rbl_backscatter
>
>
> rbl_backscatter = ...,
> ...,
> reject_rbl_client ips.backscatterer.org,
> check_recipient_access hash:/etc/postfix/backscatter_access_reject,
> reject
>
>
> in /etc/postfix/backscatter_access_reject
>
> mydomain.de REJECT your ip sends backscatter avoid it use our dns spf
>
>
> ...means other stuff
> mostly permit_mynetworks
> permit_sasl_authenticated,
>
>
>
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
small
corection should be
smtpd_sender_restrictions =
...
...
...
check_sender_access hash:/etc/postfix/sender_backscatter_access,
...
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
| Prev-Msg | Prev-Thread | Postfix-users | May-2008 | Next-Thread | Next-Msg |