
Mailing List Archive: exim: users

Bounce Spam problem

 

 



hub at dohmen

Feb 6, 2012, 1:37 AM

Post #1 of 6 (335 views)
Bounce Spam problem

Hi!

I have a serious problem.

Spammers are abusing our system by sending fake bounces to our server,
that Exim 'returns' to the 'sender'.

How can I ignore, or better, delete before accepting?

I enabled blacklisting. But that does not seem to have any effect.

Cheers,

Hub

 

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


cyborg2 at benderirc

Feb 7, 2012, 12:48 AM

Post #2 of 6 (332 views)
Re: Bounce Spam problem

On 06.02.2012 10:37, Hub Dohmen wrote:
> I enabled blacklisting. But that does not seem to have any effect.
>

Try the Spamhaus DNSBL list, it's one of the best.

Marius



wbh at conducive

Feb 7, 2012, 1:02 AM

Post #3 of 6 (329 views)
Re: Bounce Spam problem

Hub Dohmen wrote:
>
> Spammers are abusing our system by sending fake bounces to our server,
> that Exim 'returns' to the 'sender'.

> How can I ignore, or better, delete before accepting?

I do two simple things:

First - DON'T ACCEPT a 'bounce' from a source that lacks proper
credentials any more than you would accept any OTHER message from a 'bot:

===

deny
  # Port 25 only: refuse clients whose reverse DNS does not verify
  condition = ${if eq{$interface_port}{25}}
  !verify   = reverse_host_lookup
===

Second:

Don't GENERATE bounces to off-box 'strangers'. At all.
Allow ONLY 'DSN' to your own 'local' user pool, virtual or shell.

-- onpass information IN SESSION (Exim's great strength) and it can ONLY
reach the entity connected. Legit or 'bot - it for-sure never goes to a
bystander. Such an in-session response will NOT go to the spoofed source
- it will be seen only by the entity actually 'on the teat'.
If that is a 'real' correspondent, they'll appreciate the immediacy and
the saving of a subsequent connection and session. If it is a 'bot? SFW?

-- Send any others to YOURSELF. See 'errors_to', and add it with the
mailadmin address (or a log file) to appropriate router/transport sets.
'ALL of 'em for starters...

That annoyance insures you have an incentive to actually FIX whatever
faux pas let them arise.

;-)

Bill

--
韓家標



Lena at lena

Feb 7, 2012, 4:52 AM

Post #4 of 6 (329 views)
Re: Bounce Spam problem

> From: "Hub Dohmen" <hub [at] dohmen>

> Spammers are abusing our system by sending fake bounces to our server,
> that Exim 'returns' to the 'sender'.

Please give us or me a few examples:
unedited log lines or headers.

Bounces have empty sender (envelope-from),
therefore Exim cannot return bounces.
Something else happens. In order to help you, we need to understand
what exactly happens.

> I enabled blacklisting.

How? Please include the part of your Exim config which does
the blacklisting. Is it in the rcpt ACL?

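The log evidence requested in the post above can be pulled out mechanically. This is an added example, not code from the thread or from the Exim project: it scans Exim main-log text for bounces that Exim itself generated (`<= <> R=<id> ... P=local`) and that were then delivered to a non-local domain, which is the backscatter case discussed in this thread. The log lines, host names, IP addresses and `ourdomain.example` are constructed for illustration; `find_backscatter` and its `local_domains` parameter are hypothetical names.

```python
import re

# Constructed Exim mainlog sample (not from the thread). Message 1 arrives with
# a forged sender and is bounced off-box; message 2's bounce stays local.
SAMPLE_LOG = """\
2012-02-06 10:15:01 1RuKxy-0004Tz-8d <= forged@victim.example H=(bot) [203.0.113.5] P=smtp S=2345
2012-02-06 10:15:02 1RuKxy-0004Tz-8d ** nosuchuser@ourdomain.example: Unrouteable address
2012-02-06 10:15:02 1RuKxz-0004U3-2a <= <> R=1RuKxy-0004Tz-8d U=Debian-exim P=local S=3456
2012-02-06 10:15:03 1RuKxz-0004U3-2a => forged@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [198.51.100.7]
2012-02-06 10:20:00 1RuL2a-0004Ub-9x <= alice@ourdomain.example H=pc1.ourdomain.example [192.0.2.10] P=esmtpa S=900
2012-02-06 10:20:05 1RuL2a-0004Ub-9x ** bob@faraway.example R=dnslookup T=remote_smtp: SMTP error from remote mail server
2012-02-06 10:20:05 1RuL2b-0004Uf-1c <= <> R=1RuL2a-0004Ub-9x U=Debian-exim P=local S=1800
2012-02-06 10:20:06 1RuL2b-0004Uf-1c => alice <alice@ourdomain.example> R=localuser T=local_delivery
"""

# timestamp, message id, then "<=" (arrival) or "=>"/"->" (delivery)
LINE = re.compile(r"^\S+ \S+ (\w+-\w+-\w+) (<=|=>|->) (\S.*)$")

def find_backscatter(log_text, local_domains):
    """Return locally generated bounces that were delivered to non-local domains."""
    arrivals = {}   # message id -> IP of the host that submitted it
    bounce_of = {}  # bounce message id -> id of the message it reports on
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # "**", "Completed", etc.
        mid, flag, rest = m.groups()
        fields = rest.split()
        if flag == "<=":
            ref = next((f[2:] for f in fields[1:] if f.startswith("R=")), None)
            if fields[0] == "<>" and ref and "P=local" in fields:
                bounce_of[mid] = ref          # Exim created this bounce itself
            else:
                ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", rest)
                arrivals[mid] = ip.group(1) if ip else None
        elif mid in bounce_of:
            rcpt = fields[0]
            if "@" not in rcpt:               # local delivery: "localpart <address>"
                full = re.search(r"<([^>]+)>", rest)
                rcpt = full.group(1) if full else rcpt
            if rcpt.rsplit("@", 1)[-1].lower() not in local_domains:
                findings.append({"bounce_id": mid, "original_id": bounce_of[mid],
                                 "bounce_rcpt": rcpt, "origin_ip": arrivals.get(bounce_of[mid])})
    return findings

if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG, {"ourdomain.example"}):
        print(f)
```

Each finding ties an off-box bounce back to the original message id and the submitting IP, so the acceptance that should have been an SMTP-time rejection can be located in the log.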


iane at sussex

Feb 7, 2012, 9:11 AM

Post #5 of 6 (330 views)
Re: Bounce Spam problem

On 7 Feb 2012, at 09:02, W B Hacker wrote:
>
> Don't GENERATE bounces to off-box 'strangers'. At all.
> Allow ONLY 'DSN' to your own 'local' user pool, virtual or shell.

Actually, I don't see why you shouldn't do that for a return-path address that's verified with an SPF pass, or a DKIM verified From: header address that uses the same domain as the signing domain. If recipients of such bounces have a complaint, it should be directed to the domain owner.

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148




wbh at conducive

Feb 7, 2012, 9:32 AM

Post #6 of 6 (328 views)
Re: Bounce Spam problem

Ian Eiloart wrote:
> On 7 Feb 2012, at 09:02, W B Hacker wrote:
>>
>> Don't GENERATE bounces to off-box 'strangers'. At all. Allow ONLY
>> 'DSN' to your own 'local' user pool, virtual or shell.
>
> Actually, I don't see why you shouldn't do that

?? Seems fairly obvious that if 100% of rejections from outside-world
are handled at smtp-time, AND we take onboard only what we can (and DO)
deliver...

..there can be no situation that would REQUIRE an 'out-of-band' or
post-session DSN to a 'stranger'.

They'll generate their OWN if/as/when a server of ours is unreachable.

As to our own user-community, sure there are.

- Far-end rejection for ANY reason.

- Retry timeout on unreachable destinations.

> for a return-path
> address that's verified with an SPF pass, or a DKIM verified From:
> header address that uses the same domain as the signing domain. If
> recipients of such bounces have a complaint, it should be directed to
> the domain owner.
>

Irrelevant. Not germane.
There are no bounces to BE sent.

Even if there were, the CF's mentioned are not reliable.

Bill
--
韓家標
