Proper Ways to Dispose of Spam? 119
An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed."
In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?
SPF! (Score:5, Informative)
SPF somewhat effective (Score:3, Informative)
SPF is effective... sort of (Score:2, Informative)
As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job]
For the record, every mail server I've worked on has been set up to reject. I learned a long time about that bounces and double bounces can easily kill a server. Great idea in theory, but the low-lifes on the net make good ideas regretful..
SPF is Marginally Effective (Score:2, Informative)
Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):
@ IN TXT "v=spf1 mx include:aspmx.googlemail.com -all"
I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my domain have at least implemented SPF. It is still a fairly annoying situation. It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam. The downside to this apparently being that it potentially opens your domain up to being used TO spam.
Re:SPF! (Score:3, Informative)
Re:SPF is Marginally Effective (Score:3, Informative)
Re:No (Score:5, Informative)
Why the forging in the first place? (Score:3, Informative)
If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to 127.0.0.1 temporarily. And rule number one is avoid *@domain.com mail mappings...
Re:SPF! (Score:4, Informative)
Re:Why the forging in the first place? (Score:4, Informative)
Simple, check the Received: envelope headers (Score:4, Informative)
Don't use a catch-all (Score:5, Informative)
@example.com error:nouser 550 5.1.1 User unknown
It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.
By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).
Postfix Backscatter HOWTO (Score:5, Informative)
There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html [postfix.org]
Re:SPF somewhat effective (Score:5, Informative)
A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.
Re:Backup MX is to blame for some of this bouncing (Score:3, Informative)
Your right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.
For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, their is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably that are geographically distributed. This is a little more straight forward then the ring of servers, but has it's own issues.
The one headache that I have with this set up is the tedious log searches that you end up doing trying to find out what happened to customer x's email, or just troubleshooting in general.
It's a pain shelling into 4 different servers and greping through each maillog. I'd like to find a solution to this.
BATV (Score:2, Informative)
Envelope Sender Signature (Score:4, Informative)
http://howtos.linux.com/howtos/Spam-Filtering-for
The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).
Rejecting spam bounces (Score:3, Informative)
The current main benefit to SPF is that when you get an SPF PASS, you can be reasonably sure that the MAIL FROM wasn't forged. This is comforting when I get mail from online banks and vendors (that I actually use). Also, I reject not only on SPF fail, but on softfail for selected domains (e.g. ebay.com). Getting an SPF pass is a two edged sword for a spammer. I track reputation (using pygossip) for validated MAIL FROM and HELO domains. So after a few trips through the content filter, they get rejected in SMTP envelope:
Re:Rejecting spam bounces (Score:3, Informative)
Detecting the bogus bounces in mutt is less than optimal - because you have already received the SPAM. By checking in the MTA, you reject the bounce before SMTP DATA.
Re:SPF! (Score:3, Informative)
Go into your hosting account, then open the control panel for the domain you want to set up SPF for.
On the page that opens up, select DNS Manager.
Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."
Assuming you use smtpout.secureserver.net to send your email, the defaults should work splendidly, and it should be good to go.