[141185] in North American Network Operators' Group


RE: blocking annoying 'bounce mail' "feature" from customers use.

daemon@ATHENA.MIT.EDU (Eric J Esslinger)
Mon Jun 6 09:47:22 2011

From: Eric J Esslinger <eesslinger@fpu-tn.com>
To: "'nanog@nanog.org'" <nanog@nanog.org>
Date: Mon, 6 Jun 2011 08:43:26 -0500
In-Reply-To: <D2D37F15EBBD524693E9F3CB32D02080219B775069@exchange.corp.fpu-tn.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> -----Original Message-----
> From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com]
> Sent: Wednesday, May 25, 2011 11:10 AM
> To: 'nanog@nanog.org'
> Subject: blocking annoying 'bounce mail' "feature" from customers use.
>
>
> Mac Mail (and others) have a "feature" that allows my
> customers to generate a fake NDR message and send it back
> through my server. I get about a customer every few months
> that discovers this 'solution' to spam emails, and when it
> happens they cause delivery problems for my customer mail
> server by generating backscatter.
>
> Today I just ended up on a list that won't take me off for
> quite a while (or unless I pay).
>
> Does anyone know of a way for me to block the following,
> using postfix, either via refusing to accept the mail or by
> dropping it in /dev/null: Mail from <> or postmaster that
> originates within our customer IP blocks/is sent using
> authentication at the submission port and/or that does not
> have a valid local recipient.
>
> I can't find any ready made recipes online for this sort of
> thing in a short dig around for it, and while I think it's
> possible, I was wondering if anyone else was already dealing
> with this and could say 'oh yeah just put line blah in
> header_checks'. I would think it would be simple once you
> find it but you know how it is.
>
> (I've already dealt with the customer in question but I'm
> getting tired of this popping up every month or three.)
> __________________________ Eric Esslinger Information
> Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/ (931)433-1522 ext 165
>
A couple of people asked me to follow up with a solution if I found one. What I did was perhaps not elegant, but functional. I was hindered by a lack of time and lack of clear understanding of something in the header checks (namely, that the various postfix UCE 'checks' are not stateful and only can do multiple comparisons against a single line at a time. I can't check to: and from: both using header_checks if/endifs. I don't have time to learn how to build a custom milter atm so this will have to do for now, though that would likely be the ideal solution).

After some research, some trial and error, and some suggestions, this is what I came up with:
For all of the clients that have this capability on the windows side (I don't have direct access to a mac at this time, and apparently everyone using this is using mailwasher and similar apps) it appears the following line in the body_checks filter catches all of them:

/mail.local: unknown name:/ DISCARD

I had one other user that I've located that was a problem after that. I fixed his issue by discussion with him and some judicious port filtering. His issue was a bit more complex: He is running his own mail server in my static range; He doesn't have a good spam filtering setup, specifically his new spam filter is unaware of actual valid email addresses on his domain, thus accepts a lot of illegitimate email for his domain, which the server then bounces with an invalid recipient. Since he realized he had a problem with getting on bounce lists last month, he decided the solution was a custom delivery filter. Bounce messages from his server are relayed through our public mail server.

Since he doesn't see any issues with maintaining this solution on his end, I see no issue with blocking his smtp access to our mail server.

BTW: If anyone out there has a mac and wishes to generate a bounce to my address above so I can check my filters against what mac mail generates, I'd appreciate it. I can send an email directly to you for that purpose. (a bounce to fpu-tn.com will get through because it's our corporate mail server and not filtering the same way).

Thanks to the list for the assistance rendered.
__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165


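The stateful check Eric says he could not express in Postfix header_checks (envelope sender, submitting client, and the body marker considered together) sketched in Python as a milter-style decision function. This is an added example, not code from the original post or from Postfix; the customer netblocks and the two sample messages are constructed.

```python
import email
import ipaddress
from email import policy

# Assumed customer IP blocks (constructed for this example, not from the post).
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# Body pattern from the post's body_checks line: /mail.local: unknown name:/
BOUNCE_MARKER = "mail.local: unknown name:"


def is_bounce_sender(envelope_from: str) -> bool:
    """NDRs use the null envelope sender (<>) or a postmaster@ address."""
    addr = envelope_from.strip().strip("<>").lower()
    return addr == "" or addr.startswith("postmaster@")


def from_customer(client_ip: str, authenticated: bool) -> bool:
    """True if the message was submitted by an authenticated user or from a customer block."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in CUSTOMER_NETS)


def fake_ndr_verdict(raw: bytes, envelope_from: str, client_ip: str,
                     authenticated: bool = False) -> str:
    """Return 'DISCARD' for a customer-generated fake NDR, else 'OK'.
    Genuine bounces arriving from the outside world are left alone."""
    if not is_bounce_sender(envelope_from) or not from_customer(client_ip, authenticated):
        return "OK"
    msg = email.message_from_bytes(raw, policy=policy.default)
    # body_checks scans every body line; approximate that over all text/plain parts.
    text = "".join(part.get_content() for part in msg.walk()
                   if part.get_content_type() == "text/plain")
    return "DISCARD" if BOUNCE_MARKER in text else "OK"


# Constructed sample: the kind of forged NDR a desktop "bounce" button produces.
FAKE_NDR = b"""From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
To: sender@example.org
Subject: Returned mail: User unknown

   ----- Transcript of session follows -----
mail.local: unknown name: customer
550 5.1.1 <customer@example.net>... User unknown
"""

# Constructed sample: ordinary customer mail, which must pass.
NORMAL_MAIL = b"""From: customer@example.net
To: friend@example.org
Subject: lunch

See you at noon.
"""
```

Postfix's own body_checks DISCARD from the post stays the cheap first line of defense; this function shows what the combined rule would look like in a milter or a policy daemon.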

